I have a Blazor site that uses MFA authentication via Entra. It works fine, but what doesn't work is the session time. After 1 hour the session ends, the user is logged out and forced to log in again. Is there a way to set the session length? I've tried googling to find the answer to this myself.
Below is the code I have so far in program.cs; some of it is probably redundant by now because I've kept adding bits to test whether anything works! I figured that if the session ended after 10 seconds, as I'm trying to make it do below, I'd know I'd found a working solution, but it doesn't work.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.ResponseCompression;
using Microsoft.EntityFrameworkCore;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
// Entra-protected API: bearer tokens are validated by Microsoft.Identity.Web; the
// app can acquire tokens for Graph and keeps them in distributed/session token caches.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"))
        .EnableTokenAcquisitionToCallDownstreamApi()
        .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
        .AddDistributedTokenCaches()
        .AddSessionTokenCaches();
builder.Services.AddDistributedMemoryCache();

// Lifetime of the ASP.NET Core Identity application cookie ("Identity.Application" scheme).
builder.Services.ConfigureApplicationCookie(x => {
    x.ExpireTimeSpan = TimeSpan.FromSeconds(10);
    //x.SlidingExpiration = true;
});

builder.Services.AddControllersWithViews();
builder.Services.AddRazorPages();
builder.Services.AddControllers().AddNewtonsoftJson(x =>
    x.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore);
builder.Services.AddDbContext<DB>(x =>
    x.UseSqlServer(builder.Configuration.GetConnectionString("DB"))
     .UseQueryTrackingBehavior(QueryTrackingBehavior.NoTracking));
builder.Services.AddMvc().AddSessionStateTempDataProvider();

// Server-side session: the session cookie lives as long as IdleTimeout.
// (SessionOptions.Cookie.Expiration cannot be set; its setter throws NotSupportedException.)
builder.Services.AddSession(x => {
    x.IdleTimeout = TimeSpan.FromSeconds(10);
});

var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment()) {
    app.UseWebAssemblyDebugging();
} else {
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseBlazorFrameworkFiles();
app.UseStaticFiles();
app.UseRouting();
app.UseSession();        // required for AddSession / AddSessionTokenCaches to take effect
app.UseAuthentication();
app.UseAuthorization();

app.MapRazorPages();
app.MapControllers();
app.MapFallbackToFile("index.html");

app.Run();
According to the documentation, there is an Access Token Lifetime property that applies to access tokens, ID tokens and SAML2 tokens, and it defaults to 1 hour. Note that, as the documentation states, there are restrictions:
You can specify the lifetime of an access, ID, or SAML token issued by the Microsoft identity platform. You can set token lifetimes for all apps in your organization, for multi-tenant (multi-organization) applications, or for service principals. We currently don't support configuring the token lifetimes for managed identity service principals.
This page has information on how to define/change lifetime policies: https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes
It gives this sample code:
Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration","Policy.Read.All","Application.ReadWrite.All"

# Create a token lifetime policy
$params = @{
    Definition = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"4:00:00"}}')
    DisplayName = "WebPolicyScenario"
    IsOrganizationDefault = $false
}
$tokenLifetimePolicyId=(New-MgPolicyTokenLifetimePolicy -BodyParameter $params).Id

# Display the policy
Get-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenLifetimePolicyId

# Assign the token lifetime policy to an app
$params = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$tokenLifetimePolicyId"
}
$applicationObjectId="aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"
New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -BodyParameter $params

# List the token lifetime policy on the app
Get-MgApplicationTokenLifetimePolicy -ApplicationId $applicationObjectId

# Remove the policy from the app
Remove-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -TokenLifetimePolicyId $tokenLifetimePolicyId

# Delete the policy
Remove-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenLifetimePolicyId
See in particular the AccessTokenLifetime property in that code.
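A check to go with the answer above (my own added PowerShell, not from the question or the linked Microsoft docs): read the iat and exp claims of a token your app received to measure its real lifetime, which shows the 1-hour default that matches the session length and, after a policy is assigned to the app, whether the new AccessTokenLifetime actually took effect. The token below is constructed inline so the script runs offline (placeholder audience api://example, dummy signature, and no signature verification, so it is for inspection only); pass a token captured from your own app to check yours.

```powershell
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {          # restore the padding base64url strips
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Decodes the payload of a compact JWT and reports issue time, expiry and their difference.
# The signature is NOT checked here; this is a diagnostic, not a validation step.
function Get-JwtLifetime {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    foreach ($name in 'iat', 'exp') {
        if ($null -eq $claims.$name) { throw "Token has no '$name' claim" }
    }
    $issued  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.iat)
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    [pscustomobject]@{
        Audience  = $claims.aud
        IssuedAt  = $issued.UtcDateTime
        ExpiresAt = $expires.UtcDateTime
        Lifetime  = $expires - $issued
    }
}

# Constructed sample token (placeholder audience, dummy signature): issued 2024-01-01T00:00Z
# and expiring 4 hours later, i.e. what a policy with AccessTokenLifetime "4:00:00" would issue.
$iat = [DateTimeOffset]::new(2024, 1, 1, 0, 0, 0, [TimeSpan]::Zero).ToUnixTimeSeconds()
$payload = '{"aud":"api://example","iat":' + $iat + ',"nbf":' + $iat + ',"exp":' + ($iat + 4 * 3600) + '}'
$sample = (ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}') + '.' + (ConvertTo-Base64Url $payload) + '.dummy-signature'
Get-JwtLifetime -Token $sample
```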