Azure refresh token expires despite using a confidential client
I am using a Web App/API Azure application for a web application, with the authorization grant flow using client_id and client_secret to obtain access/refresh tokens (via the REST API). Everything works, except that the refresh token expires after 90 days. I expected the refresh_token never to expire (unless explicitly revoked), as described in the Azure documentation.
The Microsoft AzureAD documentation says this:
(https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#refresh-tokens)
Token lifetimes with confidential client refresh tokens Confidential
clients are applications that can securely store a client password
(secret). They can prove that requests are coming from the secured
client application and not from a malicious actor. For example, a web
app is a confidential client because it can store a client secret on
the web server. It is not exposed. Because these flows are more
secure, the default lifetimes of refresh tokens issued to these flows
is until-revoked, cannot be changed by using policy, and will not be
revoked on voluntary password resets.
This is based on the RFC 6749 definition of a confidential client:
(https://www.rfc-editor.org/rfc/rfc6749#section-2.1)
Clients capable of maintaining the confidentiality of their
credentials (e.g., client implemented on a secure server with
restricted access to the client credentials), or capable of secure
client authentication using other means.
The error I am now getting when requesting a refresh token:
AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2018-10-19T17:26:59.8511467Z and was inactive for 90.00:00:00.
You are not replacing the old refresh token with the new one: every time you call the token endpoint to get a new access token using a refresh token, a new refresh token is returned as well.
The Refreshing the access tokens page explains it as follows.
Refresh tokens do not have specified lifetimes. Typically, the
lifetimes of refresh tokens are relatively long. However, in some
cases, refresh tokens expire, are revoked, or lack sufficient
privileges for the desired action. Your application needs to expect
and handle errors returned by the token issuance endpoint correctly.
When you receive a response with a refresh token error, discard the
current refresh token and request a new authorization code or access
token. In particular, when using a refresh token in the Authorization
Code Grant flow, if you receive a response with the
interaction_required or invalid_grant error codes, discard the refresh
token and request a new authorization code.
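To make the answer's two points concrete, here is an added example (not code from the question, the answer, or Microsoft) of a refresh routine that rotates the stored refresh token on every successful call and discards it on invalid_grant or interaction_required. The token endpoint URL, the client id and secret, and the FakeTokenEndpoint used so the demo runs offline are all constructed placeholders; the fake mimics AAD's behaviour of issuing a new refresh token per refresh and rejecting a superseded one with an AADSTS700082-style error.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed placeholder; substitute your tenant's token endpoint.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token"

# Error codes for which the doc page says: discard the refresh token, get a new auth code.
REAUTH_ERRORS = {"invalid_grant", "interaction_required"}


class ReauthRequired(Exception):
    """The stored refresh token is unusable; the user must go through the auth-code flow again."""


class TokenStore:
    """Minimal persistence stand-in: whatever you use, it must be *overwritten* on each refresh."""

    def __init__(self, refresh_token):
        self.refresh_token = refresh_token
        self.access_token = None


def urllib_post(url, form):
    """Real transport: POST a form to the token endpoint, return (status, parsed JSON body)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:  # 400 responses carry the OAuth error body
        return err.code, json.loads(err.read())


def refresh_access_token(store, client_id, client_secret, post=urllib_post, endpoint=TOKEN_ENDPOINT):
    """Refresh the access token, rotating the refresh token in `store` as the answer describes."""
    if store.refresh_token is None:
        raise ReauthRequired("no refresh token on file")
    status, body = post(endpoint, {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,   # confidential client: secret stays server-side
        "refresh_token": store.refresh_token,
    })
    if status == 200 and "access_token" in body:
        store.access_token = body["access_token"]
        # The response carries a new refresh token: persist it and drop the old one.
        new_refresh = body.get("refresh_token")
        if new_refresh:
            store.refresh_token = new_refresh
        return store.access_token
    error = body.get("error", "")
    if error in REAUTH_ERRORS:
        # Per the docs: discard the token and request a new authorization code.
        store.refresh_token = None
        store.access_token = None
        raise ReauthRequired(f"{error}: {body.get('error_description', '')}")
    raise RuntimeError(f"token endpoint returned {status}: {body}")


class FakeTokenEndpoint:
    """Constructed offline stand-in for AAD: every successful refresh issues a new refresh
    token, and any refresh token that is no longer the current one is rejected."""

    def __init__(self, current_refresh_token):
        self.current = current_refresh_token
        self.counter = 0

    def __call__(self, url, form):
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") != self.current:
            return 400, {
                "error": "invalid_grant",
                "error_description": "AADSTS700082: The refresh token has expired due to inactivity.",
            }
        self.counter += 1
        self.current = f"rt-{self.counter}"
        return 200, {"access_token": f"at-{self.counter}", "refresh_token": self.current,
                     "token_type": "Bearer", "expires_in": 3600}


if __name__ == "__main__":
    fake = FakeTokenEndpoint("rt-0")
    store = TokenStore("rt-0")
    print("access token:", refresh_access_token(store, "client-id", "client-secret", post=fake))
    print("rotated refresh token:", store.refresh_token)
    stale = TokenStore("rt-0")  # a store that never rotated, as in the question
    try:
        refresh_access_token(stale, "client-id", "client-secret", post=fake)
    except ReauthRequired as exc:
        print("re-auth needed:", exc)
```

The key design point is that `TokenStore` is written back on every successful refresh; a store that keeps the first refresh token it ever received is exactly the situation the question describes, and once that token has been superseded (or idle past the inactivity window) the endpoint answers with invalid_grant, which the routine treats as a signal to restart the authorization-code flow rather than retry.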