如何强制用户对 MSAL angular 使用双因素身份验证?
how can I force users to use two factor authentication with MSAL angular?
我正在尝试使用 msal-angular 实现双因素登录,我想强制用户使用双因素身份验证,最好是 Authenticator App。
到目前为止,我只是设法按照用户只需要输入密码的方式进行配置。
我的设置:
const isIE = window.navigator.userAgent.indexOf('MSIE ') > -1 || window.navigator.userAgent.indexOf('Trident/') > -1;
export const protectedResourceMap: [string, string[]][] = [
['https://graph.microsoft.com/v1.0/me', ['user.read']]
];
@NgModule({
imports: [
CommonModule,
MsalModule.forRoot({
auth: {
clientId: '*******',
authority: 'https://login.microsoftonline.com/*****/',
validateAuthority: true,
redirectUri: 'http://localhost:4200/',
postLogoutRedirectUri: 'http://localhost:4200/',
navigateToLoginRequestUrl: true,
},
cache: {
cacheLocation: 'localStorage',
storeAuthStateInCookie: isIE, // set to true for IE 11
},
},
{
popUp: !isIE,
consentScopes: [
'user.read',
'openid',
'profile',
'api://**********/access_as_user'
],
unprotectedResources: ['https://www.microsoft.com/en-us/'],
protectedResourceMap,
extraQueryParameters: {}
}
)
],
declarations: [
],
providers: [
MsalLoginService,
{
provide: HTTP_INTERCEPTORS,
useClass: MsalInterceptor,
multi: true
}
]
})
export class MsalLoginModule { }
由于 angular 版本,我使用 msal-angilar@1.1.2
这是我的代码:
@Injectable({
providedIn: 'root'
})
export class MsalLoginService {
loginDisplay = false;
constructor(
private broadcastService: BroadcastService,
private authService: MsalService
) {
this.checkoutAccount();
this.authService.handleRedirectCallback((authError, response) => {
if (authError) {
console.error('Redirect Error: ', authError.errorMessage);
return;
}
console.log('Redirect Success: ', response);
});
this.authService.setLogger(new Logger((logLevel, message, piiEnabled) => {
console.log('MSAL Logging: ', message);
}, {
correlationId: CryptoUtils.createNewGuid(),
piiLoggingEnabled: false
}));
}
checkoutAccount() {
this.loginDisplay = !!this.authService.getAccount();
}
loginPopup(): Observable<any> {
return new Observable((subscriber) => {
this.authService.loginPopup({ scopes: ['user.read'], prompt: 'select_account' }).then(res => {
this.authService.acquireTokenSilent({ scopes: ['user.read'] }).then((response: any) => {
// send token for validation on server
subscriber.next(response);
}).catch(ex => subscriber.error(ex));
}).catch(ex => subscriber.error(ex));
});
}
logout() {
this.authService.logout();
}
}
以防万一,虽然我认为问题出在 Azure 中。
编辑:
有多种方法可以通过 Azure 门户强制进行多因素登录,但其中大部分只能通过 paid/trial 帐户
可见
是的,您可以强制用户使用 MSAL angular 的双因素身份验证。你的 angular configuration is looking OK. Now you need to recheck your azure configurations. You can configure your settings here.
我正在尝试使用 msal-angular 实现双因素登录,我想强制用户使用双因素身份验证,最好是 Authenticator App。
到目前为止,我只是设法按照用户只需要输入密码的方式进行配置。
我的设置:
const isIE = window.navigator.userAgent.indexOf('MSIE ') > -1 || window.navigator.userAgent.indexOf('Trident/') > -1;
export const protectedResourceMap: [string, string[]][] = [
['https://graph.microsoft.com/v1.0/me', ['user.read']]
];
@NgModule({
imports: [
CommonModule,
MsalModule.forRoot({
auth: {
clientId: '*******',
authority: 'https://login.microsoftonline.com/*****/',
validateAuthority: true,
redirectUri: 'http://localhost:4200/',
postLogoutRedirectUri: 'http://localhost:4200/',
navigateToLoginRequestUrl: true,
},
cache: {
cacheLocation: 'localStorage',
storeAuthStateInCookie: isIE, // set to true for IE 11
},
},
{
popUp: !isIE,
consentScopes: [
'user.read',
'openid',
'profile',
'api://**********/access_as_user'
],
unprotectedResources: ['https://www.microsoft.com/en-us/'],
protectedResourceMap,
extraQueryParameters: {}
}
)
],
declarations: [
],
providers: [
MsalLoginService,
{
provide: HTTP_INTERCEPTORS,
useClass: MsalInterceptor,
multi: true
}
]
})
export class MsalLoginModule { }
由于 angular 版本,我使用 msal-angilar@1.1.2 这是我的代码:
@Injectable({
providedIn: 'root'
})
export class MsalLoginService {
loginDisplay = false;
constructor(
private broadcastService: BroadcastService,
private authService: MsalService
) {
this.checkoutAccount();
this.authService.handleRedirectCallback((authError, response) => {
if (authError) {
console.error('Redirect Error: ', authError.errorMessage);
return;
}
console.log('Redirect Success: ', response);
});
this.authService.setLogger(new Logger((logLevel, message, piiEnabled) => {
console.log('MSAL Logging: ', message);
}, {
correlationId: CryptoUtils.createNewGuid(),
piiLoggingEnabled: false
}));
}
checkoutAccount() {
this.loginDisplay = !!this.authService.getAccount();
}
loginPopup(): Observable<any> {
return new Observable((subscriber) => {
this.authService.loginPopup({ scopes: ['user.read'], prompt: 'select_account' }).then(res => {
this.authService.acquireTokenSilent({ scopes: ['user.read'] }).then((response: any) => {
// send token for validation on server
subscriber.next(response);
}).catch(ex => subscriber.error(ex));
}).catch(ex => subscriber.error(ex));
});
}
logout() {
this.authService.logout();
}
}
以防万一,虽然我认为问题出在 Azure 中。
编辑: 有多种方法可以通过 Azure 门户强制进行多因素登录,但其中大部分只能通过 paid/trial 帐户
可见是的,您可以强制用户使用 MSAL angular 的双因素身份验证。你的 angular configuration is looking OK. Now you need to recheck your azure configurations. You can configure your settings here.