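I am developing an authentication service for my web-based Java application using the Azure AD OpenID Connect framework. I am referring to adal4j-1.2.0.jar, and authentication is happening as per the behavior. I am getting the JWT claims and am able to validate them.
However, when the 60-minute session timeout occurs and I try to get new token claims using the refresh token, the new tokens are not signed JWTs. They are Plain JWTs.
I am using the call below to acquire the token with the initial refresh token that I cached.
    acquireTokenByRefreshToken(refreshtoken, credential, null, null)
To validate the token, I am using code like the following:
    IDTokenValidator validator = new IDTokenValidator(issuer, clientID, JWSAlgo, URL);
    validator.validate(idToken, expectedNonce); // this line throws BadJWTException: Signed ID token expected
Can anyone help me understand how to redeem the refresh token to get new signed tokens? Or, after redeeming the token, are the new tokens always Plain JWTs?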
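Posted on 2017-09-29 15:28:12
I believe you are using the implicit grant flow to get the token. In a flow where you get the token from the authorization endpoint, you will not get a refresh token. Either you need to get a new token after the session expires, or create a hidden frame that can obtain a token before the session expires.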
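Posted on 2017-10-04 16:38:04
You can refer to the official doc to obtain the access token and refresh token by the code grant flow.
In fact, the methods in adal4j are implemented via the HTTP REST API, so you can refer to the code below to request an AuthorizationCode.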
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.io.OutputStream;
    import java.net.HttpURLConnection;
    import java.net.URL;

    // clientId, tenantId and responseType are static String fields of the enclosing class.
    public static void getAuthorizationCode() throws IOException {
        String encoding = "UTF-8";
        // Form-encoded request parameters; redirect_uri and resource are already URL-encoded.
        String params = "client_id=" + clientId
                + "&response_type=" + responseType
                + "&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F"
                + "&response_mode=query"
                + "&resource=https%3A%2F%2Fgraph.windows.net"
                + "&state=12345";
        String path = "https://login.microsoftonline.com/" + tenantId + "/oauth2/authorize";
        byte[] data = params.getBytes(encoding);
        URL url = new URL(path);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("Content-Length", String.valueOf(data.length));
        conn.setConnectTimeout(5 * 1000);
        // Send the request body and close the stream when done.
        try (OutputStream outStream = conn.getOutputStream()) {
            outStream.write(data);
            outStream.flush();
        }
        System.out.println(conn.getResponseCode());
        System.out.println(conn.getResponseMessage());
        // Read from the error stream on any non-200 response, otherwise from the normal stream.
        try (BufferedReader br = new BufferedReader(new InputStreamReader(
                conn.getResponseCode() != 200 ? conn.getErrorStream() : conn.getInputStream()))) {
            System.out.println("Response body : " + br.readLine());
        }
    }
Then you can use the AuthorizationCode you obtained to get the access token, and use the code below to get the refresh code.
    // Needs these imports: java.io.BufferedReader, java.io.IOException, java.io.InputStreamReader,
    // java.io.OutputStream, java.net.HttpURLConnection, java.net.URL, java.net.URLEncoder.
    // clientId and tenantId are static String fields of the enclosing class.
    public static void getToken(String refreshToken) throws IOException {
        String encoding = "UTF-8";
        // URL-encode the refresh token so reserved characters do not corrupt the form body.
        String params = "client_id=" + clientId
                + "&refresh_token=" + URLEncoder.encode(refreshToken, encoding)
                + "&grant_type=refresh_token&resource=https%3A%2F%2Fgraph.windows.net";
        String path = "https://login.microsoftonline.com/" + tenantId + "/oauth2/token";
        byte[] data = params.getBytes(encoding);
        URL url = new URL(path);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("Content-Length", String.valueOf(data.length));
        conn.setConnectTimeout(5 * 1000);
        // Send the request body and close the stream when done.
        try (OutputStream outStream = conn.getOutputStream()) {
            outStream.write(data);
            outStream.flush();
        }
        System.out.println(conn.getResponseCode());
        System.out.println(conn.getResponseMessage());
        // Read from the error stream on any non-200 response, otherwise from the normal stream.
        try (BufferedReader br = new BufferedReader(new InputStreamReader(
                conn.getResponseCode() != 200 ? conn.getErrorStream() : conn.getInputStream()))) {
            System.out.println("Response body : " + br.readLine());
        }
    }
Hope this helps.
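
The difference the question runs into, between a signed ID token and a Plain (unsecured) JWT, can be checked before a token is handed to the validator. This is an added example, not code from the posts above or from adal4j; the names `IdTokenKind`, `classify` and `b64` and the sample tokens are constructed for illustration, and it uses only the JDK.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class IdTokenKind {
    enum Kind { SIGNED, PLAIN, MALFORMED }

    // Minimal header scan so the example needs only the JDK; use a JSON parser in real code.
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]*)\"");

    static Kind classify(String jwt) {
        String[] parts = jwt.split("\\.", -1);           // -1 keeps an empty signature segment
        if (parts.length != 3) return Kind.MALFORMED;
        String header;
        try {
            header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Kind.MALFORMED;                       // header is not valid base64url
        }
        Matcher m = ALG.matcher(header);
        if (!m.find()) return Kind.MALFORMED;
        boolean algNone = m.group(1).equalsIgnoreCase("none");  // also catches "None", "NONE"
        boolean emptySig = parts[2].isEmpty();
        if (algNone && emptySig) return Kind.PLAIN;      // unsecured JWT: no signature to verify
        if (!algNone && !emptySig) return Kind.SIGNED;   // pass on to the signature validator
        return Kind.MALFORMED;                           // alg and signature segment disagree
    }

    static String b64(String s) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample tokens; "dummy-signature" is a placeholder, not a real signature.
        String payload = b64("{\"sub\":\"constructed-user\",\"aud\":\"constructed-client-id\"}");
        String rs256 = b64("{\"typ\":\"JWT\",\"alg\":\"RS256\"}");
        String plain = b64("{\"typ\":\"JWT\",\"alg\":\"none\"}") + "." + payload + ".";
        String signed = rs256 + "." + payload + "." + b64("dummy-signature");
        String stripped = rs256 + "." + payload + ".";   // claims RS256 but carries no signature

        System.out.println("plain    -> " + classify(plain));
        System.out.println("signed   -> " + classify(signed));
        System.out.println("stripped -> " + classify(stripped));
    }
}
```

Only tokens classified as `SIGNED` have a signature for a validator to check; the claims of a `PLAIN` token carry no integrity protection of their own.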
https://stackoverflow.com/questions/46483165