I'm using the adal-angular5 v1.0.36 client library to authenticate my web application to Azure Active Directory.
The thing is that my session lasts 1 hour (the default expiration time) and I'd like to "renew" it silently for the user once it has expired; i.e. without having to ask the user for the credentials again or logging out and then login again (which would cause work loss for the user).
Is this possible to achieve?
As long as the user have an active session with Azure AD, ADAL JS does it automatically for you. ADAL JS examines the projected expiration of the existing token (in the cache) and if the token is about to expire, it uses an invisible iFrame to send a new token (renewal) request to Azure AD.
Please choose MSAL over ADAL and here is the sample for angular using MSAL.
Please refer the link for migration of ADAL to MSAL
Related
I have set up an AAD SSO enabled website A that gets an access token once the user logs in. Now, the user has the option to navigate to website B, but on a new browser that doesn't have access to the session of the browser that website A was opened.
Is there a way for website B (.NET MVC Azure hosted Web App) to be setup to accept the access token (for example: through headers) to authenticate the user and establish a newly AAD SSO logged in user on the new browser? (Users can't re-enter their credentials)
In my opinion, access tokens enable clients to securely call protected APIs, so it should be stored in backend. More often we use refresh token and access token at the same time to prevent the access token expiring.
On the other hand, if I have entered the credentials in one browser, then the identity platform knew the request came from me because some information would stored in my cookie of the website, but if I used another browser to visit IDP, it was impossible to let IDP know the request came from me, because I can't share cookie infomation with different browsers.
I find 2 videos on introducing SSO, I think they will help, here is the link.
Hope it will do some help.
I have set up an Azure Active Directory tenant with direct federation to Google. Next to that I have a .NET core web application using the OIDC code flow for getting both id_tokens and access and refresh tokens. The access token is used to call my API which is working fine.
Now the problem is whenever I use my refresh_token to get a new access_token I receive a new access_token, but no refresh_token. So I can only refresh once.
I only have this issue when authenticating with my Google account using direct federation. When I authenticate using a tenant native account I can refresh unlimited.
We have two multitenant Azure AD app registrations as described here. One for our single page application and one for our API. In our single page application backend we use the OpenIdConnect middleware to authenticate against Azure AD. Note that we are not using the common endpoint, but the tenant specific endpoint because otherwise direct federation does not work. We can reproduce this issue by intercepting the refresh token in the OnTokenResponseReceived event of the OIDC middleware and initiating the refresh flow as stated here (by using Postman for instance). The response is successful, but does only contain an access token, no refresh token.
Is this behavior by design?
Im able to login to my angularjs app using the angular adal library
I can get a token and verify this token. My question is the following:
If i signout, should the token get revoked automatically? If not, how do i do so?
Currently Azure Active Directory does not support or provide an endpoint for an application to revoke the access/refresh tokens.
You may read more about configurable token lifetimes in Azure Active Directory to check the policies on token lifetimes and adjust that base on your requirement .
There is a sample logout code that you may be able to integrate as a workaround.
See: Can Azure AD ADAL (ios) refresh token be revoked from the client?
We are trying to do silent SSO in my application. We use adal-angular.js library for user sign in. The scenario is, If user sign in office 365 account, and open my application, user doesn't have to login in our application. but if user sign in office 365 and our application token expire after 1 hour user logout unexpectedly. Don't know how to handle this. We require that user should depend on office 365 or Microsoft account login/logout.
If user have an active session with Azure AD, ADAL JS does get renew token after token expire automatically (unexpected logout will not happen). ADAL JS examines the projected expiration of the existing token (in the cache) and if the token is about to expire, it uses an invisible iFrame to send a new token (renewal) request to Azure AD.
This is discussed in detail here (with sample code) by Vittorio and the mechanics of silent renewal is discussed here.
Currently, the implicit grant flow URL to get access tokens from Azure AD by our SPA (native web app running in Azure VM) is of the format:
https://login.microsoftonline.com/{{tenantID}}/oauth2/authorize?response_type={{responseParams}}&client_id={{applicationID}}&redirect_uri={{redirectUri}}
Here, responseParams= id_token is the default value passed by Adal.js. What would be the changes needed to be made to this URL to get back refresh tokens from Azure AD?
The implicit grant flow does not issue refresh tokens, mostly for security reasons. A refresh token isn’t as narrowly scoped as access tokens, granting far more power hence inflicting far more damage in case it is leaked out. In the implicit flow, tokens are delivered in the URL, hence the risk of interception is higher than in the authorization code grant.
However, a JavaScript application has another mechanism at its disposal for renewing access tokens without repeatedly prompting the user for credentials. The application can use a hidden iframe to perform new token requests against the authorization endpoint of Azure AD: as long as the browser still has an active session (read: has a session cookie) against the Azure AD domain, the authentication request can successfully occur without any need for user interaction.
This model grants the JavaScript application the ability to independently renew access tokens and even acquire new ones for a new API (provided that the user previously consented for them. This avoids the added burden of acquiring, maintaining, and protecting a high value artifact such as a refresh token. The artifact that makes the silent renewal possible, the Azure AD session cookie, is managed outside of the application. Another advantage of this approach is a user can sign out from Azure AD, using any of the applications signed into Azure AD, running in any of the browser tabs. This results in the deletion of the Azure AD session cookie, and the JavaScript application will automatically lose the ability to renew tokens for the signed out user.
Reference: Understanding the OAuth2 implicit grant flow in Azure Active Directory (AD)