
Azure App using AAD for authentication returns 401 after period of time

I have a C# .NET Core web app hosted on Azure App Services. It is using Azure Active Directory for authentication.

The authentication is working: when users access the web app they are asked to log in, and once they do they can access the web app successfully.

However, some time after visiting the web app and returning to it, they will sometimes receive a 401 error. I think in particular it happens if the user's browser has been open a long time between visits. The web app is being used in a business environment, and it is common for users to go days without closing their browser (at the end of the day the user will typically just close their laptop rather than shutting it down).

If I delete the user's AppServiceAuthSession session cookie they can successfully access the web app itself, so it seems that the cookie is maybe expiring but not refreshing itself.

Is there anything that can be done to stop the user receiving a 401 error? It would be preferable that the web app deletes and recreates the session cookie and asks the user to log in again if needed, or something along those lines.

When Azure App Service is enabled with an identity provider, the following permissions are requested by default: openid, profile, and email.

But only when the user actually approves the offline_access scope can your app extend the token lifetime, because your app then receives a refresh token and gets a new access token as the old token expires.


So one needs to explicitly set the offline_access scope in the portal, or through authsettingsV2 in Resource Explorer (https://resources.azure.com/): subscriptions > <your subscription> > resourceGroups > <your resource group name> > providers > Microsoft.Web > sites > <app_name> > config > authsettingsV2, and add offline_access to the scope list.

{
  "identityProviders": {
    "azureActiveDirectory": {
      "login": {
        "loginParameters": ["scope=openid profile email offline_access"]
      }
    }
  }
}

To refresh the access token, call /.auth/refresh at any time in your app. When the authentication session expires after ~8 hrs, there will be a grace period of up to 72 hrs to refresh it. So call /.auth/refresh when the token becomes invalid, so that the user does not need to track it every time until the 72 hrs are finished and the session token expires. After those 72 hrs the user needs to authenticate again.

Even this grace period can be extended if required to some (short) value, mostly using the Azure CLI. Please check "OAuth tokens in AuthN/AuthZ - Azure App Service | Microsoft Learn".

az webapp auth update --resource-group <group_name> --name <app_name> --token-refresh-extension-hours <hours>

I have not extended the value, as can be seen from the command below:

az webapp auth show --resource-group <group_name> --name <app_name>
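As an added example (not code from the original answer or from Azure), here is the browser-side handling the answer describes: on a 401 the wrapper calls the documented /.auth/refresh endpoint, retries the request once, and if the refresh itself fails (for example because the 72-hour grace period has passed) it returns a redirect to /.auth/login/aad so the user is asked to sign in again instead of seeing a 401. The fetch implementation and current path are injected so it also runs outside a browser; makeFakeFetch and the /api/orders path are constructed for illustration.

```javascript
// Added example, not code from the original answer: a browser-side fetch()
// wrapper for an App Service app using built-in authentication. On a 401 it
// calls the documented /.auth/refresh endpoint, retries once, and when the
// refresh itself fails (e.g. the 72-hour grace period has passed) it returns
// a redirect to /.auth/login/aad so the user signs in again. fetch and the
// current path are injected; the fake fetch below is constructed test data.

const REFRESH_URL = "/.auth/refresh";
const LOGIN_URL = "/.auth/login/aad";

// post_login_redirect_uri brings the user back to the page they were on.
function loginRedirectUrl(returnTo) {
  return `${LOGIN_URL}?post_login_redirect_uri=${encodeURIComponent(returnTo)}`;
}

async function fetchWithSessionRefresh(url, options = {}, deps = {}) {
  const doFetch = deps.fetch || globalThis.fetch;
  const currentPath = deps.currentPath || "/";
  // same-origin credentials so the AppServiceAuthSession cookie is sent.
  const opts = { credentials: "same-origin", ...options };

  let response = await doFetch(url, opts);
  if (response.status !== 401) return { status: "ok", response, refreshed: false };

  // Session expired: ask Easy Auth to refresh it. Inside the grace period this
  // returns 200 and sets a new session cookie; anything else means re-login.
  const refresh = await doFetch(REFRESH_URL, { credentials: "same-origin" });
  if (refresh.status !== 200) {
    return { status: "login-required", redirectTo: loginRedirectUrl(currentPath) };
  }
  response = await doFetch(url, opts);
  if (response.status === 401) {
    return { status: "login-required", redirectTo: loginRedirectUrl(currentPath) };
  }
  return { status: "ok", response, refreshed: true };
}

// Constructed stand-in for fetch(): the app request returns 401 until
// /.auth/refresh has succeeded; refreshSucceeds controls that outcome.
function makeFakeFetch(refreshSucceeds) {
  let sessionValid = false;
  return async (url) => {
    if (url === REFRESH_URL) {
      sessionValid = refreshSucceeds;
      return { status: refreshSucceeds ? 200 : 403 };
    }
    return { status: sessionValid ? 200 : 401 };
  };
}
```

In the page, call fetchWithSessionRefresh("/api/orders", {}, { currentPath: location.pathname }) and, when the result is "login-required", do window.location.assign(result.redirectTo).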
