时间戳

首页 > 解决方案 > MSAL.js acquireTokenSilent 生成的空令牌

javascript - MSAL.js acquireTokenSilent 生成的空令牌

问题描述

我正在使用我们最近从 On-Prim 身份验证提供程序转移到 Azure Active Directory 和 MSAL.js 的现有单页应用程序。我们在后端使用 WindowsAzureActiveDirectoryBearerAuthenticationMiddleware 来保护 WebAPI 端点。

API 是安全的,用户可以登录并且一切正常。问题开始于令牌在一小时标记到期的时间。tokenSilent 方法返回一个带有空 accessToken 的令牌。

我在 Guthub 上发现了这个问题。

https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/736

这里简短而肮脏,对应用程序范围单一的令牌请求将仅返回刷新的 id_token 而不是刷新的 accessToken。解决方案是添加一个额外的范围。如果我这样做会引发错误,提示客户端 ID 只能作为单个范围提供

任何帮助将不胜感激

var clientApplication;

// Enter Global Config Values & Instantiate MSAL Client application
window.msalConfig = {
    auth: {
            clientId: 'obfuscated'
            , authority: "https://login.microsoftonline.com/common"
            , validateAuthority: true
            , redirectUri: window.location.protocol + "//" + window.location.host + "/msal.html" //http://localhost:58541/msal.html
            }
    , cache: {
            cacheLocation: "localStorage"
            }
    , graphScope: {
            scopes: ["https://graph.microsoft.com/User.Read", "https://graph.microsoft.com/Mail.Send" ]
            }
    , appScope: {
            scopes: ["obfuscated"]
            }
};

axios.interceptors.request.use(async function (options) {

    var scope = window.msalConfig.appScope;     //based on where the request is going, will need to decide what token to get.
    var tokenType = "AuthToken";                //this probably ins't needed after rewriting all existing jquery.ajax hooks
    if (options.url.includes("microsoft")) {
        scope = window.msalConfig.graphScope;
        tokenType = "GraphToken";               //this probably ins't needed after rewriting all existing jquery.ajax hooks
    }

    self.Loading({ State: true, Title: "Working on it..." });

    options.headers['Authorization'] = "Bearer " + await tokenSilent(tokenType, scope);

    return options;
}, function (error) {
    console.log('Axios Request Error: ', error);
    return promise.reject(error);
});


          async function tokenSilent(tokenType, scope) {
            console.log('Axios Request VERBOS: main.js.tokenSilent');
            return await clientApplication.acquireTokenSilent(scope)
                .then(async function (token) {
                    Cookies.set(tokenType, token.accessToken); // "Bearer " +
                    self.LoginID(token.account.userName);
                    return token.accessToken;
                }, async function (error) {
                    return await tokenPopup(scope);
                    console.log(error);
                });
        };

        async function tokenPopup(tokenType, scope) {
            console.log('Axios Request VERBOS: main.js.tokenPopup');
            return await clientApplication.acquireTokenPopup(scope)
                .then(async function (token) {
                    Cookies.set(tokenType, token.accessToken); //"Bearer " +
                    self.LoginID(token.account.userName);
                    return token.accessToken;
                }, async function (error) {
                    return await loginPopup(scope);
                    console.log(error);
                });
        };

        async function loginPopup(tokenType, scope) {
            console.log('Axios Request VERBOS: main.js.loginPopup');
            window.location.hash = "/auth";
        };

有没有办法延长我的企业应用程序的令牌生命周期,或者我的代码错误并且没有获得刷新的令牌?

标签: javascriptaxiosazure-active-directorymsal.js

解决方案

您可以延长企业应用程序的令牌生命周期价值。我们使用根据文档手动连接到 Azure AD 在 PowerShell 上创建策略

​ 现在我们可以使用 CA 策略来延长或更改应用程序的令牌生命周期值。请参考文档。​</p>

推荐阅读