Azure Active Directory 令牌 + 刷新令牌

Question

我正在使用 Active Directory 让用户访问我们的应用程序（我已经创建了一个应用程序并在 AD 中注册了它），但无法从令牌响应中获取刷新令牌。

在 Startup.cs 中，我定义了 Open Id 连接选项：

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            SlidingExpiration = true
        });

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = ApiConstants.AAD_WebClientId,
                Authority = Authority,
                TokenValidationParameters = new TokenValidationParameters { SaveSigninToken = true,  },
                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    RedirectToIdentityProvider = context =>
                    {
                        if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
                        {
                            // ensure https before redirecting to Azure
                            if (!context.Request.IsSecure)
                            {
                                context.Response.Redirect(
                                    $"https://{context.Request.Uri.Authority}{context.Request.Uri.AbsolutePath}");
                                context.HandleResponse();
                                return Task.FromResult(0);
                            }
                        }

                        return Task.FromResult(0);
                    },

                    // If there is a code in the OpenID Connect response, 
                    // redeem it for an access token and refresh token, and store those away.
                    AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                    AuthenticationFailed = OnAuthenticationFailed
                }
            });

我的 OnAuthorizationCodeReceived 方法是：

private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
    {
        var code = context.Code;

        ClientCredential credential = new ClientCredential(ApiConstants.AAD_WebClientId, ApiConstants.AAD_CertWeb);
        AuthenticationContext authContext = new AuthenticationContext(Authority);

        // If you create the redirectUri this way, it will contain a trailing slash.  
        // Make sure you've registered the same exact Uri in the Azure Portal (including the slash).
        var builder = new UriBuilder(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
        builder.Scheme = "https";
        if (builder.Uri.IsDefaultPort)
        {
            builder.Port = -1;
        }
        //n.AuthenticationTicket.Properties.RedirectUri = builder.ToString();

        // this doesn't return a refresh token???
        AuthenticationResult result =
            await
                authContext.AcquireTokenByAuthorizationCodeAsync(code, builder.Uri, credential,
                    ApiConstants.AAD_Audience);
    }

问题是，返回的令牌没有刷新令牌，也没有滑动，所以我们每小时都会被注销。我可以在 Active Directory 或我的应用中做些什么来打开/接收刷新令牌吗？

或者是我收到了刷新令牌，但 AuthenticationResult 类没有将此属性公开给我？

Answer 1

在调查同一问题时偶然发现了这一点。

如果您使用 Fiddler 之类的工具监控网络流量，您会看到 refresh_token 确实返回了，只是没有暴露。

以下链接提供了更多信息。

http://www.cloudidentity.com/blog/2015/08/13/adal-3-didnt-return-refresh-tokens-for-5-months-and-nobody-noticed/