Azure AD B2C 刷新令牌已撤销 403
Azure AD B2C Refresh Token Revoked 403
大家早上好,
我已经在 Azure 中设置了应用服务并通过 Azure AD B2C 添加了身份验证。到目前为止,一切都很好。不过 1 小时后,当令牌过期时,我尝试刷新它,但随后我收到一条错误消息,提示刷新令牌已被撤销。这里出了什么问题?我已经像 post 中解释的那样设置了后端:并且在登录时我像这样传递了附加参数:
user = await Manager.CurrentClient.LoginAsync(currentContext,MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,new Dictionary<string, string>() { { "response_type", "code id_token" } });
这是我的刷新代码:
user = await Manager.CurrentClient.RefreshUserAsync();
这是我遇到的错误
{Microsoft.WindowsAzure.MobileServices.MobileServiceInvalidOperationException:
Refresh failed with a 403 Forbidden error. The refresh token was
revoked or expired. --->
Microsoft.WindowsAzure.MobileServices.MobileServiceInvalidOperationException:
You do not have permission to view this directory or page. at
Microsoft.WindowsAzure.MobileServices.MobileServiceHttpClient+d__24.MoveNext
() [0x001ec] in :0
我是不是漏掉了什么?
谢谢
编辑:
这是门户中设置的屏幕截图
编辑 2:
这是尝试刷新令牌时服务器日志中的错误:
编辑 3:
这里是来自网络服务器的给定请求的应用程序日志:
2017-01-18T15:08:33 PID[6344] Verbose Received request: GET
https://api.near.lu/.auth/refresh 2017-01-18T15:08:33 PID[6344]
Verbose JWT validation succeeded. Subject:
'sid:453a1ad2710466bc9873240e888d8b91', Issuer:
'https://api.near.lu/'. 2017-01-18T15:08:33 PID[6344] Warning The
refresh request issued by sid:453a1ad2710466bc9873240e888d8b91 (SID:
ac22f7309036f0c07a54b1299b9601ef) failed because no refresh tokens
were found in the token store. 2017-01-18T15:08:33 PID[6344]
Information Sending response: 403.80 Forbidden 2017-01-18T15:08:34
PID[6344] Verbose Received request: GET
https://api.near.lu/.auth/login/aad?response_type=code%20id_token
2017-01-18T15:08:34 PID[6344] Verbose Downloading OpenID
configuration from
https://login.microsoftonline.com/nearauth.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_Default
2017-01-18T15:08:36 PID[6344] Verbose Downloading OpenID issuer
keys from
https://login.microsoftonline.com/nearauth.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_default
2017-01-18T15:08:37 PID[6344] Information Redirecting:
https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fapi.near.lu%2F.auth%2Flogin%2Faad%2Fcallback&client_id=c4c15bfb-eac4-4cdc-861f-eb01594e19d2&scope=openid+profile+email&response_mode=form_post&state=redir%3D%26b2cPolicy%3D&p=b2c_1_default&nonce=9e243549b62f49878cc370048c6effa9_20170118151334
2017-01-18T15:08:39 PID[6344] Verbose Received request: POST
https://api.near.lu/.auth/login/aad/callback 2017-01-18T15:08:39
PID[6344] Error An error of type 'unauthorized_client' occurred
during the login process: 'AADB2C90057: The provided application is
not configured to allow the OAuth Implicit flow. Correlation ID:
8336662f-8847-4f8b-bb37-6925a5d3e264 Timestamp: 2017-01-18 15:08:38Z '
2017-01-18T15:08:39 PID[6344] Information Sending response: 401.73
Unauthorized
编辑 4:
这是成功登录的日志:
2017-01-18T19:10:14 PID[6344] Verbose Received request: GET
https://api.near.lu/.auth/login/aad?response_type=code%20id_token
2017-01-18T19:10:14 PID[6344] Information Redirecting:
https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fapi.near.lu%2F.auth%2Flogin%2Faad%2Fcallback&client_id=c4c15bfb-eac4-4cdc-861f-eb01594e19d2&scope=openid+profile+email&response_mode=form_post&state=redir%3D%26b2cPolicy%3D&p=b2c_1_default&nonce=817be561f67343688001637fa7808690_20170118191514
2017-01-18T19:10:30 PID[6344] Verbose Received request: POST
https://api.near.lu/.auth/login/aad/callback 2017-01-18T19:10:30
PID[6344] Verbose JWT validation succeeded. Subject:
'1eaf9f41-1562-4ac9-9538-b893c9123087', Issuer:
'https://login.microsoftonline.com/07407dc1-946a-4afc-9186-84e6023ba814/v2.0/'.
2017-01-18T19:10:30 PID[6344] Verbose Calling into external HTTP
endpoint POST
https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/token.
2017-01-18T19:10:32 PID[6344] Information Login completed for 'aget'.
Provider: 'aad'. 2017-01-18T19:10:32 PID[6344] Verbose Writing
'AppServiceAuthSession' cookie for site 'api.near.lu'. Length: 792.
2017-01-18T19:10:32 PID[6344] Information Redirecting:
https://api.near.lu/.auth/login/done#token=%7B%22authenticationToken%22%3A%22ey--REMOVED PART OF THE TOKEN--%22%2C%22user%22%3A%7B%22userId%22%3A%22sid%3Aed01ed7507f147976aa1704783267861%22%7D%7D
2017-01-18T19:10:33 PID[6344] Verbose Received request: GET
https://api.near.lu/.auth/login/done 2017-01-18T19:10:33 PID[6344]
Information Sending response: 200.0 OK
这是我在登录后尝试立即刷新时收到的错误日志:
2017-01-23T10:55:06 PID[6344] Verbose Received request: POST
https://api.near.lu/.auth/refresh 2017-01-23T10:55:06 PID[6344]
Verbose JWT validation succeeded. Subject:
'sid:ed01ed7507f147976aa1704783267861', Issuer:
'https://api.near.lu/'. 2017-01-23T10:55:06 PID[6344] Warning The
refresh request issued by sid:ed01ed7507f147976aa1704783267861 (SID:
9a6c2ee324a092937c5e2f953803e662) failed because no refresh tokens
were found in the token store. 2017-01-23T10:55:06 PID[6344]
Information Sending response: 403.80 Forbidden
这很奇怪,如上图所示,令牌存储已启用...
要使用刷新用户,我们必须将刷新令牌存储到应用服务令牌存储中。
您可以使用以下请求检查是否有刷新令牌:
Get:https://{yourMoibleAppName}.azurewebsites.net/.auth/me
X-ZUMO-AUTH: {accessToken}
您可以从 user.MobileServiceAuthenticationToken 获得的访问令牌。
如果没有返回refresh token,可以查看是否满足以下要求:
令牌存储已启用
请求的response_type包含代码
开发者未撤销access_token、refresh_token、用户权限
一切都设置好了,但是应用程序仍然出现403错误,我们应该提示用户重新登录(参考Refreshing user logins in App Service Mobile Apps)。
并且为了避免误解,当您指定您使用的是 Azure AD B2C 租户时,您介意分享您保护移动服务的详细步骤吗?
更新(能够使用 register this way 的 b2c 应用重现此问题)
问题可能是您当前的应用服务身份验证/授权设置未配置为支持令牌刷新。确认这一点的一种简单方法是启用应用程序日志记录并在刷新操作失败时查看应用程序日志流中的警告消息。可以在此处找到有关应用程序日志记录的更多详细信息:https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-enable-diagnostic-log
请参阅以下博客 post(我写的)以了解有关如何更新身份验证/授权设置以支持令牌刷新的更多信息:https://cgillum.tech/2016/08/10/app-service-auth-and-azure-ad-b2c-part-2/#refresh。简短的版本是您需要:
- 在您的 B2C 应用程序注册中创建一个应用程序密钥,并将其设置为门户中 AAD 的身份验证/授权 "Advanced" 设置中的客户端密码。
- 登录时请求 offline_access 范围。这确保您在用户登录时从 AAD B2C 获得刷新令牌。
您的登录代码应如下所示:
user = await Manager.CurrentClient.LoginAsync(
currentContext,
MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,
new Dictionary<string, string>() { { "scope", "openid offline_access" } });
大家早上好,
我已经在 Azure 中设置了应用服务并通过 Azure AD B2C 添加了身份验证。到目前为止,一切都很好。不过 1 小时后,当令牌过期时,我尝试刷新它,但随后我收到一条错误消息,提示刷新令牌已被撤销。这里出了什么问题?我已经像 post 中解释的那样设置了后端:并且在登录时我像这样传递了附加参数:
user = await Manager.CurrentClient.LoginAsync(currentContext,MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,new Dictionary<string, string>() { { "response_type", "code id_token" } });
这是我的刷新代码:
user = await Manager.CurrentClient.RefreshUserAsync();
这是我遇到的错误
{Microsoft.WindowsAzure.MobileServices.MobileServiceInvalidOperationException: Refresh failed with a 403 Forbidden error. The refresh token was revoked or expired. ---> Microsoft.WindowsAzure.MobileServices.MobileServiceInvalidOperationException: You do not have permission to view this directory or page. at Microsoft.WindowsAzure.MobileServices.MobileServiceHttpClient+d__24.MoveNext () [0x001ec] in :0
我是不是漏掉了什么? 谢谢
编辑:
这是门户中设置的屏幕截图
编辑 2:
这是尝试刷新令牌时服务器日志中的错误:
编辑 3: 这里是来自网络服务器的给定请求的应用程序日志:
2017-01-18T15:08:33 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/refresh 2017-01-18T15:08:33 PID[6344] Verbose JWT validation succeeded. Subject: 'sid:453a1ad2710466bc9873240e888d8b91', Issuer: 'https://api.near.lu/'. 2017-01-18T15:08:33 PID[6344] Warning The refresh request issued by sid:453a1ad2710466bc9873240e888d8b91 (SID: ac22f7309036f0c07a54b1299b9601ef) failed because no refresh tokens were found in the token store. 2017-01-18T15:08:33 PID[6344] Information Sending response: 403.80 Forbidden 2017-01-18T15:08:34 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/login/aad?response_type=code%20id_token 2017-01-18T15:08:34 PID[6344] Verbose Downloading OpenID configuration from https://login.microsoftonline.com/nearauth.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_Default 2017-01-18T15:08:36 PID[6344] Verbose Downloading OpenID issuer keys from https://login.microsoftonline.com/nearauth.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_default 2017-01-18T15:08:37 PID[6344] Information Redirecting: https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fapi.near.lu%2F.auth%2Flogin%2Faad%2Fcallback&client_id=c4c15bfb-eac4-4cdc-861f-eb01594e19d2&scope=openid+profile+email&response_mode=form_post&state=redir%3D%26b2cPolicy%3D&p=b2c_1_default&nonce=9e243549b62f49878cc370048c6effa9_20170118151334 2017-01-18T15:08:39 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/login/aad/callback 2017-01-18T15:08:39 PID[6344] Error An error of type 'unauthorized_client' occurred during the login process: 'AADB2C90057: The provided application is not configured to allow the OAuth Implicit flow. Correlation ID: 8336662f-8847-4f8b-bb37-6925a5d3e264 Timestamp: 2017-01-18 15:08:38Z ' 2017-01-18T15:08:39 PID[6344] Information Sending response: 401.73 Unauthorized
编辑 4: 这是成功登录的日志:
2017-01-18T19:10:14 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/login/aad?response_type=code%20id_token 2017-01-18T19:10:14 PID[6344] Information Redirecting: https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fapi.near.lu%2F.auth%2Flogin%2Faad%2Fcallback&client_id=c4c15bfb-eac4-4cdc-861f-eb01594e19d2&scope=openid+profile+email&response_mode=form_post&state=redir%3D%26b2cPolicy%3D&p=b2c_1_default&nonce=817be561f67343688001637fa7808690_20170118191514 2017-01-18T19:10:30 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/login/aad/callback 2017-01-18T19:10:30 PID[6344] Verbose JWT validation succeeded. Subject: '1eaf9f41-1562-4ac9-9538-b893c9123087', Issuer: 'https://login.microsoftonline.com/07407dc1-946a-4afc-9186-84e6023ba814/v2.0/'. 2017-01-18T19:10:30 PID[6344] Verbose Calling into external HTTP endpoint POST https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/token. 2017-01-18T19:10:32 PID[6344] Information Login completed for 'aget'. Provider: 'aad'. 2017-01-18T19:10:32 PID[6344] Verbose Writing 'AppServiceAuthSession' cookie for site 'api.near.lu'. Length: 792. 2017-01-18T19:10:32 PID[6344] Information Redirecting: https://api.near.lu/.auth/login/done#token=%7B%22authenticationToken%22%3A%22ey--REMOVED PART OF THE TOKEN--%22%2C%22user%22%3A%7B%22userId%22%3A%22sid%3Aed01ed7507f147976aa1704783267861%22%7D%7D 2017-01-18T19:10:33 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/login/done 2017-01-18T19:10:33 PID[6344] Information Sending response: 200.0 OK
这是我在登录后尝试立即刷新时收到的错误日志:
2017-01-23T10:55:06 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/refresh 2017-01-23T10:55:06 PID[6344] Verbose JWT validation succeeded. Subject: 'sid:ed01ed7507f147976aa1704783267861', Issuer: 'https://api.near.lu/'. 2017-01-23T10:55:06 PID[6344] Warning The refresh request issued by sid:ed01ed7507f147976aa1704783267861 (SID: 9a6c2ee324a092937c5e2f953803e662) failed because no refresh tokens were found in the token store. 2017-01-23T10:55:06 PID[6344] Information Sending response: 403.80 Forbidden
这很奇怪,如上图所示,令牌存储已启用...
要使用刷新用户,我们必须将刷新令牌存储到应用服务令牌存储中。
您可以使用以下请求检查是否有刷新令牌:
Get:https://{yourMoibleAppName}.azurewebsites.net/.auth/me
X-ZUMO-AUTH: {accessToken}
您可以从 user.MobileServiceAuthenticationToken 获得的访问令牌。
如果没有返回refresh token,可以查看是否满足以下要求:
令牌存储已启用
请求的response_type包含代码
开发者未撤销access_token、refresh_token、用户权限
一切都设置好了,但是应用程序仍然出现403错误,我们应该提示用户重新登录(参考Refreshing user logins in App Service Mobile Apps)。
并且为了避免误解,当您指定您使用的是 Azure AD B2C 租户时,您介意分享您保护移动服务的详细步骤吗?
更新(能够使用 register this way 的 b2c 应用重现此问题)
问题可能是您当前的应用服务身份验证/授权设置未配置为支持令牌刷新。确认这一点的一种简单方法是启用应用程序日志记录并在刷新操作失败时查看应用程序日志流中的警告消息。可以在此处找到有关应用程序日志记录的更多详细信息:https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-enable-diagnostic-log
请参阅以下博客 post(我写的)以了解有关如何更新身份验证/授权设置以支持令牌刷新的更多信息:https://cgillum.tech/2016/08/10/app-service-auth-and-azure-ad-b2c-part-2/#refresh。简短的版本是您需要:
- 在您的 B2C 应用程序注册中创建一个应用程序密钥,并将其设置为门户中 AAD 的身份验证/授权 "Advanced" 设置中的客户端密码。
- 登录时请求 offline_access 范围。这确保您在用户登录时从 AAD B2C 获得刷新令牌。
您的登录代码应如下所示:
user = await Manager.CurrentClient.LoginAsync(
currentContext,
MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,
new Dictionary<string, string>() { { "scope", "openid offline_access" } });