Question
I've got a proof of concept W8.1 app that allows authenticating a user against an Azure Active Directory using the ADAL library.
I've got the part that allows the user to log in and access my resources working. However, it should also be able to let the user log out, and allow another user to log in on the same device.
I've found other questions, on SO and elsewhere, regarding a similar issue, but for iOS or in a WPF app. There, they suggested calling <AuthenticationContext>.TokenCache.Clear()
and clearing the cookies by using the following call:
    // Requires: using System.Runtime.InteropServices; (for DllImport)
    private void ClearCookies()
    {
        // Ends the WinINet browser session, dropping session cookies
        const int INTERNET_OPTION_END_BROWSER_SESSION = 42;
        InternetSetOption(IntPtr.Zero, INTERNET_OPTION_END_BROWSER_SESSION, IntPtr.Zero, 0);
    }

    [DllImport("wininet.dll", SetLastError = true)]
    private static extern bool InternetSetOption(IntPtr hInternet, int dwOption, IntPtr lpBuffer, int lpdwBufferLength);
Neither works (not even when used together). When calling
    AuthenticationResult ar = await authContext.AcquireTokenAsync("https://xxx", "yyyy", new Uri("ms-app://callback/"),
        new AuthorizationParameters(PromptBehavior.Auto, true));
If I use PromptBehavior.Always, the user must indeed always authenticate himself, but then it doesn't use the cache.
Any ideas on how I can invalidate the tokencache?
Thanks in advance
Edit: Solved
Thanks to vibronet, I was able to successfully log the user out by doing this:
    authContext.TokenCache.Clear();
    string requestUrl = "https://login.windows.net/common/oauth2/logout";
    Task.Run(async () =>
    {
        var client = new HttpClient();
        var request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
        var response = await client.SendAsync(request);
    });
Edit 2:
You can also use the URL specific to your application/tenant by replacing "common" with your tenant's alias, like so:
    string tenantAlias = "TenantAlias.onmicrosoft.com";
    string requestUrl = string.Format("https://login.windows.net/{0}/oauth2/logout", tenantAlias);
Answer 1:
The actual user session is determined by two different components: the token cache (under ADAL's control) and any session tracking cookies that might be present in the system (not under ADAL's control).
As you point out, you can easily take care of the token cache part. However, the logic you mentioned for clearing up cookies will NOT work on Windows Store applications. It works on WPF because for desktop apps, the cookie jar used during authentication is the one of the application itself. On Windows Store, authentication takes place with the WebAuthenticationBroker, which has its own cookie jar that is separate and unreachable from your application code.
The most robust approach there is not to create any persistent cookie (e.g. NOT clicking "remember me" during authentication). However, if you end up with such a cookie, the main way of getting rid of it is triggering a sign out from the same WebAuthenticationBroker - the server will take care of cleaning things up. In terms of code:
    string requestUrl = "https://login.windows.net/common/oauth2/logout";
    Task.Run(async () =>
    {
        try
        {
            // Navigate the broker itself to the logout endpoint so its own cookie jar is cleared
            await WebAuthenticationBroker.AuthenticateAsync(WebAuthenticationOptions.SilentMode, new Uri(requestUrl));
        }
        catch (Exception)
        {
            // timeout. That's expected
        }
    });
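Putting the two halves of the accepted approach (the question's token-cache clear and tenant-specific logout URL, and the answer's broker-based sign out) into one awaitable routine, as an added example that is not code from the question, the answer, or the ADAL library. It assumes the helper name SignOutHelper, and assumes that passing post_logout_redirect_uri set to the app's own callback URI (which must be registered as a reply URL of the app in Azure AD) lets the broker complete instead of timing out; if that assumption does not hold for your registration, the call times out exactly as in the answer and the method reports false.

```csharp
// Added example, not from the original question or answer. Assumptions are marked.
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Windows.Security.Authentication.Web;

public static class SignOutHelper
{
    // tenant: "common" or the tenant alias, e.g. "TenantAlias.onmicrosoft.com".
    // Returns true when the server confirmed the sign out by redirecting back to
    // the app's callback URI; false when the outcome is unknown (timeout/error).
    public static async Task<bool> SignOutAsync(AuthenticationContext authContext, string tenant = "common")
    {
        // Step 1: drop ADAL's cached tokens so the next AcquireTokenAsync with
        // PromptBehavior.Auto cannot silently hand back the previous user's token.
        authContext.TokenCache.Clear();

        // Step 2: end the server-side session held in the WebAuthenticationBroker's
        // own cookie jar by navigating the broker itself (not HttpClient, which uses
        // a different cookie jar) to the AAD logout endpoint.
        // Assumption: post_logout_redirect_uri pointing at the app's callback URI
        // makes AAD redirect back so the silent call completes; the callback URI
        // must be a registered reply URL of the app in Azure AD.
        Uri callback = WebAuthenticationBroker.GetCurrentApplicationCallbackUri();
        string logoutUrl = string.Format(
            "https://login.windows.net/{0}/oauth2/logout?post_logout_redirect_uri={1}",
            Uri.EscapeDataString(tenant),
            Uri.EscapeDataString(callback.AbsoluteUri));

        try
        {
            WebAuthenticationResult result = await WebAuthenticationBroker.AuthenticateAsync(
                WebAuthenticationOptions.SilentMode, new Uri(logoutUrl), callback);
            return result.ResponseStatus == WebAuthenticationStatus.Success;
        }
        catch (Exception)
        {
            // SilentMode times out when the logout page never reaches the callback
            // URI. The token cache is already cleared; the server cookie state is
            // unknown, so the caller should force PromptBehavior.Always next time.
            return false;
        }
    }
}
```

Await the call before showing the next user's login UI rather than firing it off with Task.Run: if it returns false, the broker's cookie may still be alive, so acquire the next token with PromptBehavior.Always to make sure the second user is actually asked for credentials instead of being signed in as the first one.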
Source: https://stackoverflow.com/questions/27061948/adal-w8-1-app-trying-to-log-user-out