Azure: AddMicrosoftIdentityWebApp authentication refresh token

nbysray5 posted on 2023-02-25 in Other
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddMicrosoftGraph()
    .AddInMemoryTokenCaches();

I have this in my .NET web application, and the required AzureAD information is in appsettings.
I use this to get an access token and call the Microsoft Graph API. After one hour the token expires, and the refresh token is not used to obtain another one.
Is this supposed to be invoked automatically? What am I missing?

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "****************",
  "ClientId": "****************",
  "TenantId": "****************",
  "ClientSecret": "****************",
  "CallbackPath": "/signin-oidc",
  "SignedOutCallbackPath": "/signout-callback-oidc",
  "Authority": "https://login.microsoftonline.com/****************",
  "ResponseType": "code",
  "UsePkce": true,
  "Scopes": "****************",
  "TokenValidationParameters": {
    "NameClaimType": "name",
    "RoleClaimType": "roles"
  },
  "TokenAcquisitionOptions": {
    "RefreshBuffer": 120,
    "ForceRefreshOnExpiration": true
  }
},

My app settings for configuring the refresh token

imzjd6km

1#

In startup.cs, make sure you pass the required scopes to EnableTokenAcquisitionToCallDownstreamApi(), i.e. something like .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)

Example:

.EnableTokenAcquisitionToCallDownstreamApi(new[] { "user.read", "xxx", "xxx" })

Grant admin consent for the scopes in the Azure portal.

Startup.cs
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

public void ConfigureServices(IServiceCollection services)
{
    // Scopes requested at sign-in, read from "DownstreamApi:Scopes" (space separated)
    var initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

    services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
        // Pass the scopes so the tokens obtained at sign-in already cover the Graph calls
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
        .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
        .AddInMemoryTokenCaches();

    // Require an authenticated user for every controller action by default
    services.AddControllersWithViews(options =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });

    services.AddRazorPages()
        .AddMicrosoftIdentityUI();
}

When you use AddMicrosoftIdentityWebAppAuthentication, by default the Azure AD token has an expiry time, which can be changed by setting UseTokenLifetime to false.
For example:

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        options.UseTokenLifetime = true;
        // change to false
    });

appsettings.json:

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "xx@xx.onmicrosoft.com",
    "ClientId": "50xxxxfbd2ed06e",
    "TenantId": "fb13xxx8f3b0",
    "ClientSecret": "Bxxxxag7",
    "ClientCertificates": [
    ],
    "CallbackPath": "/signin-oidc"
  },
  "DownstreamApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "https://graph.microsoft.com/.default"
  }
}
Use it in your code as follows:
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi(options => Configuration.Bind("AzureAd", options))
    .AddInMemoryTokenCaches();

services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
    options.UseTokenLifetime = false;
});
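As an added example (my code, not the question's or the answer's), here is a complete Startup plus a controller that puts the answer's points together: the downstream scopes are requested at sign-in, the token cache that holds the refresh token is a distributed one rather than in-memory (an in-memory cache is emptied on every process restart, after which there is nothing to refresh silently), UseTokenLifetime is set explicitly, and the controller obtains the token through ITokenAcquisition so that Microsoft.Identity.Web and MSAL handle the refresh with no refresh call in application code. This goes slightly beyond the answer by showing what happens when the cache has no usable refresh token. Assumptions: configuration keys "AzureAd" and "DownstreamApi:Scopes" (space separated, e.g. "user.read"), the controller name ProfileController, and AddDistributedMemoryCache as an in-process stand-in for a real distributed cache.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

// Added example, not code from the question or answer. Assumed configuration keys:
// "AzureAd" (Instance, TenantId, ClientId, ClientSecret, CallbackPath) and
// "DownstreamApi:Scopes" (space separated, e.g. "user.read").
public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Scopes requested during sign-in. Later silent acquisitions rely on the refresh
        // token MSAL caches at that point; if no downstream scopes are requested here, the
        // first Graph call has nothing to refresh with and must challenge the user instead.
        string[] initialScopes =
            Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ') ?? Array.Empty<string>();

        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApp(options =>
            {
                Configuration.Bind("AzureAd", options);
                // Keep the sign-in cookie's lifetime independent of the id_token's lifetime.
                options.UseTokenLifetime = false;
            })
            .EnableTokenAcquisitionToCallDownstreamApi(
                options => Configuration.Bind("AzureAd", options), initialScopes)
            // Refresh tokens live in this cache. An in-memory cache is wiped on every process
            // restart, after which silent refresh fails until the user signs in again; a
            // distributed cache survives restarts and scale-out.
            .AddDistributedTokenCaches();

        // In-process stand-in for the distributed cache (assumption for this example);
        // production would register a Redis or SQL Server distributed cache instead.
        services.AddDistributedMemoryCache();

        services.AddControllersWithViews();
        services.AddRazorPages().AddMicrosoftIdentityUI();
    }
}

[Authorize]
public class ProfileController : Controller   // hypothetical controller
{
    private static readonly string[] GraphScopes = { "user.read" };
    private readonly ITokenAcquisition _tokenAcquisition;

    public ProfileController(ITokenAcquisition tokenAcquisition) => _tokenAcquisition = tokenAcquisition;

    // If the cache holds no usable refresh token for these scopes (cache wiped, consent
    // revoked, scopes never granted), token acquisition throws
    // MicrosoftIdentityWebChallengeUserException and this attribute turns it into a
    // redirect that re-authenticates the user for exactly these scopes.
    [AuthorizeForScopes(Scopes = new[] { "user.read" })]
    public async Task<IActionResult> Index()
    {
        // There is no explicit "refresh" call in the app: MSAL returns the cached access
        // token while it is valid and silently redeems the cached refresh token once it
        // has expired or is about to.
        AuthenticationResult result =
            await _tokenAcquisition.GetAuthenticationResultForUserAsync(GraphScopes);

        // Surface expiry and token source so the hourly rollover can be observed in logs
        // or on the page (TokenSource is Cache or IdentityProvider).
        ViewData["AccessTokenExpiresOn"] = result.ExpiresOn.ToString("u");
        ViewData["TokenSource"] = result.AuthenticationResultMetadata?.TokenSource.ToString();
        return View();
    }
}
```

Loading the page repeatedly shows TokenSource switching from IdentityProvider to Cache, and after the access token's lifetime passes, ExpiresOn moves forward without any user interaction. If it instead redirects to sign-in every hour, the refresh token is not in the cache the app is reading from, which is the symptom the question describes.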
