ADB2C AcquireTokenSilent behavior
I'm trying to use the MSAL library in my Angular 5 SPA. I'm a bit confused about the behavior of the AcquireTokenSilent() function.
Currently in my application I need to refresh the access token every 5 minutes. As I understand it, since MSAL.js uses the implicit grant flow, it does not allow us to refresh tokens.
So I tried using the AcquireTokenSilent() function to get a new token, and it does return a new token, along with a new expiry date for the token. Once my application passes the "web app session with OpenID Connect" time (in minutes) configured in ADB2C, this function does not return a token and tells me that the user session has expired. This is the expected behavior.
Now my questions are:
How does the AcquireTokenSilent() function behave internally?
Can I make use of this function to get a new token every 5 minutes? Can we link this access token to get a new token based on the lifetime of a refresh token? Currently I'm not sure on what basis it fetches a new token. Currently it fetches a new token as long as the "web app session with OpenID Connect" is still alive.
How does the AcquireTokenSilent() function behave internally?
It first tries to get the token from the cache.
Then, if that fails, it tries to get a new one using a hidden iframe.
It uses the same URL as a normal login, except that it uses prompt=none.
If the user has an active session, this causes it to return a token in the redirect.
If the session has expired, it returns an error.
Here is the JSDoc for acquireTokenSilent:
/**
* Used to get the token from cache.
* MSAL will return the cached token if it is not expired.
* Or it will send a request to the STS to obtain an access_token using a hidden iframe. To renew idToken, clientId should be passed as the only scope in the scopes array.
* @param {Array<string>} scopes - Permissions you want included in the access token. Not all scopes are guaranteed to be included in the access token. Scopes like "openid" and "profile" are sent with every request.
* @param {string} authority - A URL indicating a directory that MSAL can use to obtain tokens.
* - In Azure AD, it is of the form https://<tenant>/<tenant>, where <tenant> is the directory host (e.g. https://login.microsoftonline.com) and <tenant> is a identifier within the directory itself (e.g. a domain associated to the tenant, such as contoso.onmicrosoft.com, or the GUID representing the TenantID property of the directory)
* - In Azure B2C, it is of the form https://<instance>/tfp/<tenant>/<policyName>/
* - Default value is: "https://login.microsoftonline.com/common"
* @param {User} user - The user for which the scopes are requested.The default user is the logged in user.
* @param {string} extraQueryParameters - Key-value pairs to pass to the STS during the authentication flow.
* @returns {Promise.<string>} - A Promise that is fulfilled when this function has completed, or rejected if an error was raised. Resolved with token or rejected with error.
*/
Can I make use of this function to get a new token every 5 mins? Can we link this access token to get a new token based on the lifetime of a refresh token? Currently not sure on what basis it fetches a new token. Currently it fetches a new token as long as the "web app session with OpenID Connect" is still alive.
Native applications do not have refresh tokens.
They run in an untrusted environment, so refresh tokens cannot be used to trust them.
The approach you should use is:
Try to get a token using acquireTokenSilent.
If that fails, re-authenticate the user / show them a page saying they need to sign in again, plus a button to do so.
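The "silent first, interactive only on failure" pattern the answer recommends, as an added example that is not part of the original post and not MSAL's own code. FakeMsalClient is a constructed stand-in for the MSAL.js 0.x UserAgentApplication (same acquireTokenSilent(scopes) -> Promise<string> shape); it models what the answer describes: a cached token served until it expires, then a hidden-iframe prompt=none renewal that succeeds only while the B2C web-app session is alive. The 5-minute tick, lifetimes and scope are assumed values for the simulation.

```javascript
// Constructed stand-in for MSAL.js 0.x UserAgentApplication (not MSAL's code):
// a cached token is served until it expires; after that a hidden-iframe
// prompt=none renewal succeeds only while the B2C web-app session is alive.
const FIVE_MINUTES_MS = 5 * 60 * 1000;
class FakeMsalClient {
  constructor({ tokenLifetimeMs, sessionLifetimeMs, now }) {
    this.tokenLifetimeMs = tokenLifetimeMs;
    this.sessionExpiresAt = now() + sessionLifetimeMs;
    this.now = now;
    this.cache = null;   // { token, expiresAt }, like MSAL's token cache
    this.issued = 0;     // tokens minted through the hidden iframe
    this.loginCalls = 0; // times the app fell back to interactive sign-in
  }
  acquireTokenSilent(scopes) { // same shape as MSAL 0.x: scopes in, Promise<string> out
    const t = this.now();
    if (this.cache && this.cache.expiresAt > t) return Promise.resolve(this.cache.token);
    if (t >= this.sessionExpiresAt) return Promise.reject(new Error('login_required'));
    this.issued += 1;
    this.cache = { token: `token-${this.issued}`, expiresAt: t + this.tokenLifetimeMs };
    return Promise.resolve(this.cache.token);
  }
  loginRedirect() { this.loginCalls += 1; }
}

// App-side wrapper: silent first; on failure do not retry in a loop, send the
// user to an explicit sign-in (the answer's recommendation) and return null.
async function getAccessToken(client, scopes, onSessionExpired) {
  try {
    return await client.acquireTokenSilent(scopes);
  } catch (err) {
    onSessionExpired(err);
    return null;
  }
}

// Call the wrapper every 5 simulated minutes and record what each call yields.
async function simulateRefreshLoop({ tokenLifetimeMin, sessionLifetimeMin, ticks }) {
  let clock = 0;
  const client = new FakeMsalClient({ tokenLifetimeMs: tokenLifetimeMin * 60000, sessionLifetimeMs: sessionLifetimeMin * 60000, now: () => clock });
  const scopes = ['https://contoso.onmicrosoft.com/api/read']; // placeholder scope
  const results = [];
  for (let i = 0; i < ticks; i++) {
    results.push(await getAccessToken(client, scopes, () => client.loginRedirect()));
    clock += FIVE_MINUTES_MS;
  }
  return { results, issued: client.issued, loginCalls: client.loginCalls };
}

simulateRefreshLoop({ tokenLifetimeMin: 10, sessionLifetimeMin: 30, ticks: 8 })
  .then((r) => console.log(JSON.stringify(r)));
```

With a 10-minute token and a 30-minute session, the 5-minute loop serves each token twice from cache, mints three tokens through the iframe, and from minute 30 on gets an error and falls back to sign-in instead of a token.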