背景:msal auzer token 过期时间微软默认事60至90分钟,普遍取中间值,现渗透测试部分(Qtester)要求30分token 过期。且不可使用msal的安全机制。
解决方案:‘
后端,解析token 获取发证时间? iat或nbf计算token 过期时间
msal token 都是提前生产好的。为了解决高并发,所以这里获取的token 大概事5分钟前生成的。
前端,前置刷新token ,我在官网找了半天也没找到。还是在源码找到的
刷新token 的 api【?acquireTokenSilent】
源码:
1、点击acquireTokenSilent进入如图代码
再点击SilentRequest
import { AccountInfo, CommonSilentFlowRequest, StringDict } from "@azure/msal-common";
import { CacheLookupPolicy } from "../utils/BrowserConstants";
/**
* SilentRequest: Request object passed by user to retrieve tokens from the
* cache, renew an expired token with a refresh token, or retrieve a code (first leg of authorization code grant flow)
* in a hidden iframe.
*
* - scopes - Array of scopes the application is requesting access to.
* - authority - Url of the authority which the application acquires tokens from.
* - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
* - account - Account entity to lookup the credentials.
* - forceRefresh - Forces silent requests to make network calls if true.
* - extraQueryParameters - String to string map of custom query parameters added to the /authorize call. Only used when renewing the refresh token.
* - tokenQueryParameters - String to string map of custom query parameters added to the /token call. Only used when renewing access tokens.
* - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. Only used for cases where refresh token is expired.
* - cacheLookupPolicy - Enum of different ways the silent token can be retrieved.
* - prompt - Indicates the type of user interaction that is required.
* none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
* no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY.
*/
export declare type SilentRequest = Omit<CommonSilentFlowRequest, "authority" | "correlationId" | "forceRefresh" | "account" | "requestedClaimsHash"> & {
redirectUri?: string;
extraQueryParameters?: StringDict;
authority?: string;
account?: AccountInfo;
correlationId?: string;
forceRefresh?: boolean;
cacheLookupPolicy?: CacheLookupPolicy;
prompt?: string;
};
//# sourceMappingURL=SilentRequest.d.ts.map
实现代码
export const onAcquireTokenSilent = async (dispatch,userInfo) => {
// 通过用户名获取用户信息
const account = msalInstance.getAccountByUsername(userInfo?.username);
const accessTokenRequest = {
scopes: [process.env.SCOPE],
account: account,
forceRefresh :true // - forceRefresh - Forces silent requests to make network calls if true.
};
// 有了用户信息可以获取token
const accessTokenResponse = await msalInstance.acquireTokenSilent(accessTokenRequest);
if(accessTokenResponse && accessTokenResponse?.accessToken){
const accessToken = accessTokenResponse.accessToken;
return accessToken;
}
};
这样就实现强制刷新。。?