Refresh token is never used due to multiple ADTokenCacheStoreItems - ADALiOS

After a successful login to the Microsoft Graph API service, 2 ADTokenCacheStoreItems are created. One of them contains the accessToken (its refreshToken is nil), and the other contains the refreshToken (its accessToken is nil).

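Having 2 cache items is fine, but it causes the refresh token logic to fail. The [attemptToUseCacheItem:] method uses the ADTokenCacheStoreItem that contains the accessToken. If the accessToken has expired, it checks for the refresh token. In this item the refresh token is nil, so the whole process fails with the 'Attempting to use an item without refresh token' error. The second item (with the refresh token) is actually never accessed.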

As a result, the access token is never refreshed. What seems to be the problem?

ADALiOS works fine, and I was unable to reproduce the issue. The problem is resolved; details are in the thread: https://github.com/AzureAD/azure-activedirectory-library-for-objc/issues/598#issuecomment-211636229

Copying Ryan's reply here in case the link breaks:

The access token is stored separately from the Multi Resource Refresh token in the cache for ADALiOS. If you call acquireTokenSilent it will successfully refresh an AT from the MRRT.

The line "The second item (with the refresh token) is actually never accessed." is false. Look at -attemptToUseCacheItem: in ADAuthenticationContext (1.2.x) or ADAuthenticationRequest (2.1) you can see where ADAL looks for the MRRT and tries it. Look for the "//Try multi-resource refresh token if not currently trying it" comment if you're having a hard time finding it.

There is a considerable amount of unit testing around this very scenario and you can try it manually in the test app as well. The only way you see the behavior you claim is if you're not using the proper acquireToken entry points.
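A simplified model of the lookup described in Ryan's reply, added here as an illustration and not ADAL's own code: the access-token item is tried first, and when it has expired and carries no refresh token, the separate MRRT item is redeemed instead. The names `CacheItem`, `acquire_token_silent`, `fake_redeem` and `demo`, the key layout (MRRT item stored with no resource) and all sample values are assumptions constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Cache key: (authority, resource, client_id). Assumption: the MRRT item is
# stored with resource=None so that it can serve any resource.
Key = Tuple[str, Optional[str], str]

@dataclass
class CacheItem:
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    expires_on: float = 0.0

    def expired(self, now: float) -> bool:
        return self.access_token is None or now >= self.expires_on

def acquire_token_silent(cache: Dict[Key, CacheItem], authority: str, resource: str,
                         client_id: str, redeem: Callable[[str, str], CacheItem],
                         now: Optional[float] = None) -> str:
    """Return a valid access token for `resource` without user interaction."""
    now = time.time() if now is None else now
    exact = cache.get((authority, resource, client_id))
    if exact and not exact.expired(now):
        return exact.access_token  # cached access token is still valid
    # Try a refresh token stored with the AT first, then fall back to the MRRT item.
    for item in (exact, cache.get((authority, None, client_id))):
        if item and item.refresh_token:
            fresh = redeem(item.refresh_token, resource)
            # New AT goes under the resource key; a rotated MRRT stays separate.
            cache[(authority, resource, client_id)] = CacheItem(
                fresh.access_token, None, fresh.expires_on)
            if fresh.refresh_token:
                cache[(authority, None, client_id)] = CacheItem(
                    refresh_token=fresh.refresh_token)
            return fresh.access_token
    raise LookupError("no usable refresh token in cache; interactive sign-in required")

def fake_redeem(refresh_token: str, resource: str) -> CacheItem:
    """Constructed stand-in for the token endpoint; no network involved."""
    return CacheItem(f"AT2-for-{resource}", refresh_token + "'", 7200.0)

def demo() -> Tuple[str, Dict[Key, CacheItem]]:
    auth, res, cid = "https://login.example/tenant", "https://graph.microsoft.com", "client-id"
    cache = {(auth, res, cid): CacheItem("AT1", None, expires_on=3600.0),  # AT only
             (auth, None, cid): CacheItem(None, "MRRT1")}                  # RT only
    return acquire_token_silent(cache, auth, res, cid, fake_redeem, now=4000.0), cache
```

In this model, a cache holding only the access-token item raises `LookupError` once that token expires, which corresponds to the case where the caller must fall back to an interactive sign-in.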