Question
I recently changed from Windows authentication to Azure AD using roughly the "out of the box" code:
```csharp
using System;
using System.Security.Claims;
using System.Web;
using Kentor.OwinCookieSaver;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseKentorOwinCookieSaver();
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = Authority,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
                AuthorizationCodeReceived = (context) =>
                {
                    var code = context.Code;
                    ClientCredential credential = new ClientCredential(clientId, appKey);
                    string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                    // Per-user cache left commented out, so ADAL falls back to its default shared in-memory cache.
                    //AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));
                    AuthenticationContext authContext = new AuthenticationContext(Authority);
                    return authContext.AcquireTokenByAuthorizationCodeAsync(
                        code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);
                }
            }
        });
}
```
Our users have started to get intermittent 404 errors when trying to submit certain forms. I think I have managed to recreate the issue by deleting cookies, so I suspect it's tied to when the session naturally times out.
If I look at the flow with an HTTP GET request it looks like:
- HTTP GET https://myappurl/page?param1=value&param2=value
- HTTP 302 response with redirect to https://login.microsoftonline.com (including various params; state, client_id etc)
- HTTP 200 response (not quite sure how/why it then knows to redirect)
- HTTP GET https://myappurl/
- HTTP 302 response with redirect to original URL https://myappurl/page?param1=value&param2=value
- HTTP GET https://myappurl/page?param1=value&param2=value
- HTTP 200 response
Everything works a treat...
For an HTTP POST, however:
- HTTP POST to https://myappurl/another_page
- HTTP 302 response with redirect to https://login.microsoftonline.com (including various params; state, client_id etc)
- HTTP 200 response (not quite sure how/why it then knows to redirect)
- HTTP GET https://myappurl/
- HTTP 302 response with redirect to original URL https://myappurl/another_page
- HTTP GET https://myappurl/another_page
- HTTP 404 response
It fails because the endpoint only accepts HTTP POST requests.
Any idea if/how I can fix this? I would have thought the built-in state tracking, or whatever it is doing, would store the original request and continue where it left off regardless...
Answer 1:
It looks like you are not using the token cache. What this means is that a user's session will expire after about an hour after they sign into the application.
To address this issue you should use AcquireTokenSilentAsync whenever the application needs an access token. This method will automatically refresh the token for you using its in-memory cache. For more details see https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/AcquireTokenSilentAsync-using-a-cached-token
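The answer's recommendation applied to the question's setup, as an added example (not code from the question, the answer or Microsoft's samples): tokens are kept in a per-user cache and every later request asks AcquireTokenSilentAsync for one, falling back to a sign-in challenge only when the silent call fails. ADALTokenCache is the per-user cache class named in the question's commented-out line; the ida:* web.config keys, the FormsController and its Index action are assumptions.

```csharp
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;
public class FormsController : Controller
{
    // Same settings the question's ConfigureAuth uses; the web.config key names are assumed.
    private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static readonly string AppKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
    private static readonly string Authority = ConfigurationManager.AppSettings["ida:Authority"];
    private static readonly string GraphResourceId = ConfigurationManager.AppSettings["ida:GraphResourceId"];

    // Token from the per-user cache, refreshed silently if expired; null means a fresh sign-in is needed.
    private static async Task<string> GetAccessTokenAsync(ClaimsPrincipal user)
    {
        string signedInUserId = user.FindFirst(ClaimTypes.NameIdentifier).Value;
        string userObjectId = user.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
        // ADALTokenCache is the per-user cache named in the question's commented-out line (assumed to exist).
        var authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserId));
        try
        {
            AuthenticationResult result = await authContext.AcquireTokenSilentAsync(
                GraphResourceId, new ClientCredential(ClientId, AppKey),
                new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
            return result.AccessToken;
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            return null; // nothing cached and no refresh token: interactive sign-in required
        }
    }

    [HttpPost]
    public async Task<ActionResult> Submit(FormCollection form)
    {
        string token = await GetAccessTokenAsync((ClaimsPrincipal)User);
        if (token == null)
        {
            // A POST body cannot survive the OpenID Connect redirect: return to a GET-able page after sign-in
            // instead of having the middleware replay this POST URL as a GET (the 404 in the question).
            HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = Url.Action("Index") },
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
            return new HttpUnauthorizedResult();
        }
        // ... call the Graph API with the token and process the submitted form ...
        return RedirectToAction("Index");
    }
}
```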
Source: https://stackoverflow.com/questions/59636308/azure-ad-authentication-breaking-http-post-actions-when-session-times-out