Closed sergsalo closed 10 years ago
One way I think about it is to store tokens by userId and clientId in the DB, then add one more layer of OWIN middleware after OpenIdConnect that checks whether the token cache contains tokens for this user and client ID. If not, trigger a 401, which will then trigger OpenIdConnect reauthentication, and I will be able to receive the AuthorizationCode. Thoughts?
Two apps with different client IDs can't share the same refresh tokens. If a refresh token is obtained by an app with client ID X, then an app with client ID Y cannot use that refresh token to get a new access token. Azure AD will forbid that.
If these are two different apps with different client IDs, then each needs to have its own set of refresh tokens. The experience for the user can still be seamless, and the storage for the tokens could be shared. Because AAD will provide single sign on between the apps, when a user navigates from one to the other, the apps will be able to obtain tokens under the covers without extra user prompts.
This question was for the RC branch. So, having two web apps, what is the right way to acquire a token for the Graph API in the second app, where it didn't go through AcquireTokenByAuthorizationCode? Query the token cache for a token for that resource? Or use AcquireTokenSilent? I was using:
var authContext = new AuthenticationContext(authority, tokenCache);
var result = authContext.AcquireTokenSilent(resource, clientcred, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
(same as Vittorio in the sample app)
To AcquireTokenSilent in the second app I provided clientcred (the ClientId and ClientSecret for that second app), which obviously fails.
The issue is reproducible when both web apps are running locally. Once the apps are published as websites, I don't see the issue anymore.
Not sure where to submit the question about the use of the token cache, so I decided to put it here. Using this sample I have the following scenario: two web apps (same as the sample code). Both apps use the same token cache persistent store. I start the first web app and am able to authenticate and acquire tokens for the Graph API resource; all is good. I start the second app in the same browser window, in a new tab. As a result, the app does not go through the normal path of authentication notifications (I never reach AuthorizationCodeReceived because I am already logged in). Now, in the second app, when I try to use AcquireTokenSilent to acquire a token for the Graph API, it fails. The error states that I need to use AcquireToken. The issue, as I understand it, is that the clientID (app client ID) for the second app is different from what is in the token cache (the first app's ClientID), and as a result I cannot acquire a token in the second app. What is the correct way of using the token cache to handle this scenario (two web apps, same tenant, same user, both trying to query the Graph API)?
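An added example (not code from this thread or from the sample it refers to) of how the second web app can handle the situation described above: the shared cache only holds refresh tokens issued to the first app's client ID, so AcquireTokenSilent with this app's own ClientCredential finds nothing, and the app falls back to re-issuing the OpenIdConnect challenge so that its own AuthorizationCodeReceived runs and redeems a code under its own client ID. This achieves what the proposed extra middleware layer would, without a second middleware. It assumes the ADAL 2.x synchronous API used in the thread, the OWIN OpenIdConnect middleware, and the following placeholders that the real app would read from configuration: Startup.ClientId, Startup.AppKey, Startup.Authority, Startup.GraphResourceId, Startup.RedirectUri, and the SharedStoreTokenCache class whose static dictionary stands in for the persistent store both apps share.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;

// Token cache backed by a store both web apps can share. ADAL keys each entry by
// (authority, resource, clientId, user), so one blob per user can hold App X's and
// App Y's refresh tokens side by side; a lookup under one client ID never returns
// the other's. The static dictionary is a placeholder for the real persistent store.
public class SharedStoreTokenCache : TokenCache
{
    private static readonly ConcurrentDictionary<string, byte[]> Store =
        new ConcurrentDictionary<string, byte[]>();
    private readonly string userObjectId;

    public SharedStoreTokenCache(string userObjectId)
    {
        this.userObjectId = userObjectId;
        // Load this user's entries before ADAL reads the cache.
        this.BeforeAccess = args =>
        {
            byte[] blob;
            if (Store.TryGetValue(this.userObjectId, out blob)) this.Deserialize(blob);
        };
        // Persist after ADAL wrote to the cache (e.g. a new refresh token for this client ID).
        this.AfterAccess = args =>
        {
            if (this.HasStateChanged)
            {
                Store[this.userObjectId] = this.Serialize();
                this.HasStateChanged = false;
            }
        };
    }
}

public partial class Startup
{
    public const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Placeholders: this app's own registration values, read from config in a real app.
    public static string ClientId, AppKey, Authority, GraphResourceId, RedirectUri;

    // Wire this into OpenIdConnectAuthenticationOptions.Notifications.AuthorizationCodeReceived.
    // Redeeming the code under THIS client ID stores the refresh token that AcquireTokenSilent
    // will find on every later request in this app.
    public static Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
    {
        string userObjectId = context.AuthenticationTicket.Identity.FindFirst(ObjectIdClaim).Value;
        var authContext = new AuthenticationContext(Authority, new SharedStoreTokenCache(userObjectId));
        authContext.AcquireTokenByAuthorizationCode(
            context.Code, new Uri(RedirectUri), new ClientCredential(ClientId, AppKey), GraphResourceId);
        return Task.FromResult(0);
    }
}

public class GraphController : Controller
{
    [Authorize]
    public ActionResult Index()
    {
        string userObjectId = ClaimsPrincipal.Current.FindFirst(Startup.ObjectIdClaim).Value;
        var authContext = new AuthenticationContext(Startup.Authority, new SharedStoreTokenCache(userObjectId));

        // Always this app's own credential: a refresh token issued to the other app's client ID
        // cannot be redeemed by this one, and ADAL will not return it for this client ID anyway.
        var clientCred = new ClientCredential(Startup.ClientId, Startup.AppKey);
        try
        {
            AuthenticationResult result = authContext.AcquireTokenSilent(
                Startup.GraphResourceId, clientCred,
                new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
            return View(model: result.AccessToken);
        }
        catch (AdalException ex)
        {
            if (ex.ErrorCode != AdalError.FailedToAcquireTokenSilently) throw;

            // Nothing cached for (this user, this client ID): the user signed in through the
            // other app, so this app's AuthorizationCodeReceived never ran. Challenge again;
            // the user's existing AAD session makes the redirect round trip prompt-free and
            // delivers an authorization code for this client ID to OnAuthorizationCodeReceived.
            HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = Request.Url.PathAndQuery },
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
            return new HttpUnauthorizedResult();
        }
    }
}
```

The handler is registered in the app's UseOpenIdConnectAuthentication call via Notifications = new OpenIdConnectAuthenticationNotifications { AuthorizationCodeReceived = Startup.OnAuthorizationCodeReceived }, and the middleware's ResponseType must include "code" (the default "code id_token" does) so that a code is returned on the re-challenge. The design keeps the two apps' refresh tokens strictly separated by client ID while letting them share one store and one AAD session, which is the arrangement the answer above describes.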