Can Azure AD ADAL (ios) refresh token be revoked from the client?

I am trying to use ADALiOS in an iOS application. I also want a logout button so that users can sign out of the application when they need to. I think the best approach would be to revoke the refresh token (access tokens are short-lived and cannot be revoked); ideally the token would also be revoked and cleaned up on the server side.

I have gone through the Azure AD documentation, searched the source code (and searched more generally elsewhere), but I cannot find any mention of refresh token revocation in ADAL.

Can a refresh token be revoked in ADAL? What is the best way to log a user out?

Yes. From Best Practices for OAuth 2.0 in Azure AD:

Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. The client application needs to expect and handle errors returned by the token issuance endpoint correctly. When you receive a response with a refresh token error, discard the current refresh token and request a new authorization code or access token. In particular, when using a refresh token in the Authorization Code Grant flow, if you receive a response with the interaction_required or invalid_grant error codes, discard the refresh token and request a new authorization code.

I also recall Vittorio mentioning in his blog post (ADAL 3 didn't return refresh tokens for ~5 months… and nobody noticed) that ADAL 3 does not even return refresh tokens. I think the general recommendation is not to have any dependency on refresh tokens in your application.

Regarding logging out a user, see this thread: ADAL: W8.1 app trying to log user out, although that thread is about a Windows Phone app.

Based on the link Gaurav provided, here is the logout code for ADAL Objective-C, for the sample application Azure AD provides:

In the view controller:

// Wired to the logout button; delegates to the client that owns the auth state.
- (IBAction)logoutUser:(id)sender
{
    [self.unifiedEndpointClient logoutUser];
}

In O365UnifiedEndpointOperations:

-(void)logoutUser
{
    // The resource ID and tenant are passed through, although the manager's
    // implementation below clears the whole cache rather than a single resource.
    AuthenticationManager *authenticationManager = [AuthenticationManager sharedInstance];
    [authenticationManager removeTokenWithResourceId:_resourceID
                                          withTenant:TENANT_STRING];
}

In the AuthenticationManager:

-(void) removeTokenWithResourceId:(NSString *)resourceId
                       withTenant:(NSString *)tenant
{
    // Drop every cached access and refresh token for this app. This is a local
    // operation: nothing is revoked at Azure AD.
    [self.authContext.tokenCacheStore removeAllWithError:nil];

    // Call the tenant's logout endpoint so the browser SSO session is ended too.
    // The default configuration shares NSHTTPCookieStorage with ADAL's web view,
    // so the request carries the login session cookies.
    NSURLSession *urlSession = [NSURLSession sessionWithConfiguration: [NSURLSessionConfiguration defaultSessionConfiguration]
                                                             delegate: nil
                                                        delegateQueue: [NSOperationQueue mainQueue]];
    NSURL *url = [NSURL URLWithString: [NSString stringWithFormat: @"https://login.windows.net/%@/oauth2/logout", tenant]];
    [[urlSession dataTaskWithURL:url
               completionHandler:^(NSData *data, NSURLResponse *response, NSError *error)
               {
                   // Surface a failed logout request instead of silently ignoring it.
                   if (error != nil) {
                       NSLog(@"Logout request failed: %@", error);
                   }
               }] resume];
}
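The helper below is an added example, not code from either answer or from the Azure AD sample app. It performs the same two steps as the answer above (clear the ADAL token cache, then hit the tenant's oauth2/logout endpoint) but checks the server's response, deletes any login-host cookies still left in the shared cookie storage, and reports the outcome to the caller. The class name ADLogoutHelper, the kAuthorityHost constant and the ADALiOS header path are assumptions for this example; the tokenCacheStore call is the one the original answer uses. Note what this does not do: neither clearing the cache nor calling the logout endpoint revokes the refresh token at Azure AD, so the token stays valid there until it expires or is revoked on the server side.

```objc
#import <Foundation/Foundation.h>
#import <ADALiOS/ADAuthenticationContext.h>   // assumed header path; adjust to how ADAL is linked

// Host taken from the original answer's logout URL. If your tenant's cookies are
// set by a different authority host, change this constant (assumption).
static NSString *const kAuthorityHost = @"login.windows.net";

@interface ADLogoutHelper : NSObject
- (instancetype)initWithContext:(ADAuthenticationContext *)context
                         tenant:(NSString *)tenant;
// Completion runs on the main queue after the logout request has finished.
- (void)logoutWithCompletion:(void (^)(BOOL serverSessionEnded, NSError *error))completion;
+ (NSUInteger)deleteCookiesForHost:(NSString *)host;
@end

@implementation ADLogoutHelper {
    ADAuthenticationContext *_context;
    NSString *_tenant;
}

- (instancetype)initWithContext:(ADAuthenticationContext *)context
                         tenant:(NSString *)tenant {
    if ((self = [super init])) {
        _context = context;
        _tenant = [tenant copy];
    }
    return self;
}

- (void)logoutWithCompletion:(void (^)(BOOL, NSError *))completion {
    // 1. Forget every cached access and refresh token on this device (same call the
    //    original answer makes). Local only: the refresh token remains valid at
    //    Azure AD until it expires or is revoked server-side.
    [_context.tokenCacheStore removeAllWithError:nil];

    // 2. End the browser SSO session. The default configuration shares
    //    NSHTTPCookieStorage, which ADAL's UIWebView also uses, so this request
    //    carries the login session cookies. An ephemeral configuration would send
    //    no cookies and the server would have no session to end.
    NSString *urlString = [NSString stringWithFormat:@"https://%@/%@/oauth2/logout",
                           kAuthorityHost, _tenant];
    NSURL *url = [NSURL URLWithString:urlString];
    NSURLSession *session = [NSURLSession sessionWithConfiguration:
                             [NSURLSessionConfiguration defaultSessionConfiguration]];

    NSURLSessionDataTask *task = [session dataTaskWithURL:url
        completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
        BOOL ok = NO;
        if (error == nil && [response isKindOfClass:[NSHTTPURLResponse class]]) {
            NSInteger status = ((NSHTTPURLResponse *)response).statusCode;
            ok = (status >= 200 && status < 300);   // redirects are followed automatically
        }

        // 3. Whatever the server answered, drop any login-host cookies still held
        //    locally so a later interactive sign-in cannot silently reuse them.
        NSUInteger removed = [ADLogoutHelper deleteCookiesForHost:kAuthorityHost];
        NSLog(@"logout: server ok=%d, %lu login cookies removed, error=%@",
              ok, (unsigned long)removed, error);

        [session finishTasksAndInvalidate];
        if (completion) {
            dispatch_async(dispatch_get_main_queue(), ^{ completion(ok, error); });
        }
    }];
    [task resume];
}

// Deletes every cookie whose domain ends with `host` from the shared cookie
// storage and returns how many were removed. WKWebView keeps its own cookie
// store and is not covered by this call.
+ (NSUInteger)deleteCookiesForHost:(NSString *)host {
    NSHTTPCookieStorage *storage = [NSHTTPCookieStorage sharedHTTPCookieStorage];
    NSUInteger removed = 0;
    for (NSHTTPCookie *cookie in [storage.cookies copy]) {
        if ([cookie.domain hasSuffix:host]) {
            [storage deleteCookie:cookie];
            removed++;
        }
    }
    return removed;
}

@end
```

Usage from the view controller would be `[[[ADLogoutHelper alloc] initWithContext:self.authContext tenant:TENANT_STRING] logoutWithCompletion:^(BOOL ok, NSError *error) { /* update UI */ }];`. The ordering matters: the logout request is sent before the cookies are deleted, because the server can only end the SSO session if it receives the session cookie; deleting first would make the call a no-op.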