无法使用 passport-azure-ad 的 Bear 策略对 SPA 进行身份验证
Cannot Authenticate SPA with passport-azure-ad's Bear Strategy
所以我正在玩 Integrating Azure AD into an AngularJS single page app
本教程。
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-devquickstarts-angular-node
它是为 Azure AD v2.0 端点实现的,但不幸的是我的组织不支持 Azure AD v2.0 端点,因此我更换了 adal.js 和 adal-angular 的实验版本具有 GA adal.js 和 adal-angular 库的库。前端身份验证完美无缺。但是在我根据 passport-azure-ad 修改了后端配置之后。后端无法验证隐式授予的令牌。
我已在清单文件中将 allow implicit flow 设置为 true。我还尝试在另一个使用相同 angular 前端但 .NET 作为后端的示例中使用我的 client ID 和 Tenant Name。有效!
这是我的后端配置
exports.creds = {
// The app id you get from the registration portal
audience: 'http://localhost:8080',
clientID: '**********************************',
// Passport will use this URL to fetch the token validation information from Azure AD
identityMetadata: '************************************',
// Required.
// If you are using the common endpoint, you should either set `validateIssuer` to false, or provide a value for `issuer`.
validateIssuer: true,
// Required.
// Set to true if you use `function(req, token, done)` as the verify callback.
// Set to false if you use `function(req, token)` as the verify callback.
passReqToCallback: false,
// Required if you are using common endpoint and setting `validateIssuer` to true.
// For tenant-specific endpoint, this field is optional, we will use the issuer from the metadata by default.
issuer: '**************************************',
isB2C: false,
// Optional. Default value is false.
// Set to true if you accept access_token whose `aud` claim contains multiple values.
allowMultiAudiencesInToken: false,
// Optional. 'error', 'warn' or 'info'
loggingLevel: 'info'
};
我的服务器:
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
// Pull in the Azure AD bearer passport strategy
var OIDCBearerStrategy = require('passport-azure-ad').BearerStrategy;
// This object is used for in-memory data storage, instead of a database.
// Each time you run the server, you will get a fresh, empty list.
var tasks = [];
// Load passport and configure it to use Azure AD Bearer auth
app.use(passport.initialize());
passport.use(new OIDCBearerStrategy({
identityMetadata: config.creds.identityMetadata,
audience: config.creds.audience,
clientID: config.creds.clientID,
validateIssuer: true,
issuer: config.creds.issuer,
}, function (token, done) {
console.log("yooo");
return done(null, token, null);
}));
var router = express.Router();
router.route('/api/tasks')
.post(passport.authenticate('oauth-bearer', { session: false }), controller)
这是前端验证后我的浏览器控制台的输出:
State: **************
adal.js:973 State status:true
adal.js:973 State is right
有没有人做过类似的事情?
正如这个问题的作者在上面的评论中提到的,配置中的受众值应该是客户端 ID。
如果有人在使用 Angularjs1 + Nodejs + adal.js v1.x
时遇到困难
这是一个工作示例。只需更改 config.js 和 app.js
中的值
https://github.com/lightertu/Azure-ActiveDirectory-V1-Angularjs-Nodejs-SPA-Sample
所以我正在玩 Integrating Azure AD into an AngularJS single page app
本教程。
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-devquickstarts-angular-node
它是为 Azure AD v2.0 端点实现的,但不幸的是我的组织不支持 Azure AD v2.0 端点,因此我更换了 adal.js 和 adal-angular 的实验版本具有 GA adal.js 和 adal-angular 库的库。前端身份验证完美无缺。但是在我根据 passport-azure-ad 修改了后端配置之后。后端无法验证隐式授予的令牌。
我已在清单文件中将 allow implicit flow 设置为 true。我还尝试在另一个使用相同 angular 前端但 .NET 作为后端的示例中使用我的 client ID 和 Tenant Name。有效!
这是我的后端配置
exports.creds = {
// The app id you get from the registration portal
audience: 'http://localhost:8080',
clientID: '**********************************',
// Passport will use this URL to fetch the token validation information from Azure AD
identityMetadata: '************************************',
// Required.
// If you are using the common endpoint, you should either set `validateIssuer` to false, or provide a value for `issuer`.
validateIssuer: true,
// Required.
// Set to true if you use `function(req, token, done)` as the verify callback.
// Set to false if you use `function(req, token)` as the verify callback.
passReqToCallback: false,
// Required if you are using common endpoint and setting `validateIssuer` to true.
// For tenant-specific endpoint, this field is optional, we will use the issuer from the metadata by default.
issuer: '**************************************',
isB2C: false,
// Optional. Default value is false.
// Set to true if you accept access_token whose `aud` claim contains multiple values.
allowMultiAudiencesInToken: false,
// Optional. 'error', 'warn' or 'info'
loggingLevel: 'info'
};
我的服务器:
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
// Pull in the Azure AD bearer passport strategy
var OIDCBearerStrategy = require('passport-azure-ad').BearerStrategy;
// This object is used for in-memory data storage, instead of a database.
// Each time you run the server, you will get a fresh, empty list.
var tasks = [];
// Load passport and configure it to use Azure AD Bearer auth
app.use(passport.initialize());
passport.use(new OIDCBearerStrategy({
identityMetadata: config.creds.identityMetadata,
audience: config.creds.audience,
clientID: config.creds.clientID,
validateIssuer: true,
issuer: config.creds.issuer,
}, function (token, done) {
console.log("yooo");
return done(null, token, null);
}));
var router = express.Router();
router.route('/api/tasks')
.post(passport.authenticate('oauth-bearer', { session: false }), controller)
这是前端验证后我的浏览器控制台的输出:
State: **************
adal.js:973 State status:true
adal.js:973 State is right
有没有人做过类似的事情?
正如这个问题的作者在上面的评论中提到的,配置中的受众值应该是客户端 ID。
如果有人在使用 Angularjs1 + Nodejs + adal.js v1.x
时遇到困难这是一个工作示例。只需更改 config.js 和 app.js
中的值https://github.com/lightertu/Azure-ActiveDirectory-V1-Angularjs-Nodejs-SPA-Sample