How to configure Azure AD OAuth2 using node-adal and OWIN?

How do I configure OWIN to validate requests that carry an access token acquired from Azure AD using node-adal?

Startup class below:

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
  {
    AuthenticationMode = AuthenticationMode.Active,
    AllowedAudiences = new []
    {
      ConfigurationManager.AppSettings["ida:ClientId"] // AAD clientid from registered application
    },
    IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
    {
      new SymmetricKeyIssuerSecurityTokenProvider(
        ConfigurationManager.AppSettings["ida:Issuer"], // https://sts.windows.net/<tenantid-guid>/ retrieved from AAD federationmetadata.xml
        TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["ida:ClientSecret"]) // AAD secret from registered application
      )
    }
  });

Token response from node-adal, following the implementation described here:

{
  tokenType: "Bearer",
  expiresIn: 3599,
  expiresOn: "2016-10-19T13:49:47.649Z",
  resource: "spn:00000002-0000-0000-c000-000000000000",
  accessToken: "removed for brevity", 
  refreshToken: "removed for brevity",
  userId: "user@domain.com",
  isUserIdDisplayable: true,
  familyName: "familyName",
  givenName: "givenName",
  identityProvider: "live.com",
  oid: "oid-guid",
  tenantId: "tenantid-guid"
}

The accessToken from the node response above is sent as

Authorization: Bearer accesstoken-here

to a secured endpoint using the [Authorize] attribute, which returns

{"message":"Authorization has been denied for this request."}

Edit to show the new and old approaches; the old one works, the new one does not.

  // this is new version (using clientsecret, aka AD web app)
  var issuer = ConfigurationManager.AppSettings["ida:Issuer"];
  var secret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["ida:ClientSecret"]);
  app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
  {
    AuthenticationMode = AuthenticationMode.Active,
    AuthenticationType = OAuthDefaults.AuthenticationType,
    Provider = new OAuthBearerAuthenticationProvider(),
    AccessTokenFormat = new JwtFormat(
      new[] { ConfigurationManager.AppSettings["ida:ClientId"] }, 
      new IIssuerSecurityTokenProvider[] { new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret) }
    )
  });

  // this is old version (not using clientsecret, aka AD native app), this works but all my code is in the Angular Single Page app, I am trying to move the auth code into the node server to secure all access
  app.UseWindowsAzureActiveDirectoryBearerAuthentication(new WindowsAzureActiveDirectoryBearerAuthenticationOptions
  {
    Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
    TokenValidationParameters = new TokenValidationParameters
    {
      ValidAudiences = new[]
      {
        ConfigurationManager.AppSettings["ida:AudienceImplicit"],
        ConfigurationManager.AppSettings["ida:AudienceDaemon"]
      }
    }
  });
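As an added diagnostic (example code, not from the question, the answer, or node-adal itself), the script below decodes a token's header and claims in Node and compares them with the settings used in the "new version" above: Azure AD signs its access tokens with an asymmetric algorithm (RS256, with keys published by the tenant), and the aud claim is the requested resource, so a symmetric-key provider fed the client secret and an audience of the client id will not match. The token, GUIDs and kid below are constructed placeholders, and no signature is verified.

```javascript
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}
// Constructed sample shaped like the v1 token node-adal returns for the
// resource in the question (dummy signature; header/claims are illustrative).
const sampleToken = [
  b64urlEncode({ typ: 'JWT', alg: 'RS256', kid: 'thumbprint-placeholder' }),
  b64urlEncode({
    aud: '00000002-0000-0000-c000-000000000000', // the requested resource
    iss: 'https://sts.windows.net/tenantid-guid/',
    appid: 'clientid-guid',                       // app that requested it
    tid: 'tenantid-guid',
    nbf: 1476881100, exp: 1476885000,
  }),
  'signature-placeholder',
].join('.');
// Compare header and claims against an OWIN bearer configuration. Returns the
// list of reasons a middleware with that configuration would reject the token
// (empty array = nothing found). Signature and expiry are NOT checked here.
function diagnoseToken(token, { allowedAudiences, issuer, keyIsSymmetric }) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['not a compact JWS: expected 3 segments'];
  const header = b64urlDecode(parts[0]);
  const claims = b64urlDecode(parts[1]);
  const problems = [];
  if (keyIsSymmetric && /^(RS|PS|ES)\d+$/.test(header.alg)) {
    problems.push(`alg ${header.alg} is asymmetric; a symmetric key ` +
      '(the client secret) cannot validate this signature');
  }
  if (!allowedAudiences.includes(claims.aud)) {
    problems.push(`aud ${claims.aud} not in [${allowedAudiences.join(', ')}]`);
  }
  if (claims.iss !== issuer) {
    problems.push(`iss ${claims.iss} does not match configured ${issuer}`);
  }
  return problems;
}
// Mirrors the "new version" in the question: audience = ClientId, key = ClientSecret.
console.log(diagnoseToken(sampleToken, {
  allowedAudiences: ['clientid-guid'],
  issuer: 'https://sts.windows.net/tenantid-guid/',
  keyIsSymmetric: true,
}));
```

Run it against a real token (paste it in place of sampleToken) to confirm the aud and alg the middleware actually sees before changing the OWIN configuration.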

We have a specific OWIN middleware for validating tokens from Azure AD:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Audience = ConfigurationManager.AppSettings["ida:Audience"],
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],

    }
);

See the .NET samples at aka.ms/aaddev for more comprehensive guidance.