How do I configure OWIN to validate requests carrying an access token obtained from Azure AD with node-adal? How do I configure Azure AD OAuth2 with node-adal and OWIN?
The Startup class is as follows:
app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
    AuthenticationMode = AuthenticationMode.Active,
    AllowedAudiences = new []
    {
        ConfigurationManager.AppSettings["ida:ClientId"] // AAD clientid from registered application
    },
    IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
    {
        new SymmetricKeyIssuerSecurityTokenProvider(
            ConfigurationManager.AppSettings["ida:Issuer"], // https://sts.windows.net/<tenantid-guid>/ retrieved from AAD federationmetadata.xml
            TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["ida:ClientSecret"]) // AAD secret from registered application
        )
    }
});
The token response from node-adal (implementation described here) is:
{
    tokenType: "Bearer",
    expiresIn: 3599,
    expiresOn: "2016-10-19T13:49:47.649Z",
    resource: "spn:00000002-0000-0000-c000-000000000000",
    accessToken: "removed for brevity",
    refreshToken: "removed for brevity",
    userId: "[email protected]",
    isUserIdDisplayable: true,
    familyName: "familyName",
    givenName: "givenName",
    identityProvider: "live.com",
    oid: "oid-guid",
    tenantId: "tenantid-guid"
}
The accessToken from the node-adal response above is sent as
Authorization: Bearer accesstoken-here
and the [Authorize] attribute returns
{"message":"Authorization has been denied for this request."}
EDIT: showing the new and old approaches; the old one secures the endpoint, the new one does not.
// this is new version (using clientsecret, aka AD web app)
var issuer = ConfigurationManager.AppSettings["ida:Issuer"];
var secret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["ida:ClientSecret"]);
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
    AuthenticationMode = AuthenticationMode.Active,
    AuthenticationType = OAuthDefaults.AuthenticationType,
    Provider = new OAuthBearerAuthenticationProvider(),
    AccessTokenFormat = new JwtFormat(
        new[] { ConfigurationManager.AppSettings["ida:ClientId"] },
        new IIssuerSecurityTokenProvider[] { new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret) }
    )
});

// this is old version (not using clientsecret, aka AD native app), this works but all my code is in the Angular Single Page app, I am trying to move the auth code into the node server to secure all access
app.UseWindowsAzureActiveDirectoryBearerAuthentication(new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
    Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidAudiences = new[]
        {
            ConfigurationManager.AppSettings["ida:AudienceImplicit"],
            ConfigurationManager.AppSettings["ida:AudienceDaemon"]
        }
    }
});
My understanding is that this approach is for the implicit OAuth flow, which I already have working, but I now want to use the id and secret, whereas implicit OAuth does not require a secret. Likewise, node-adal has no code supporting the implicit OAuth flow. – click2install
The middleware you choose to validate the token shouldn't depend on how the token was requested. – dstrockis
OK, so I tried the approach you suggested, which also worked previously for the implicit OAuth grant flow. I pulled the audience from the decoded token and it still shows a 401. Is there a way for me to debug the internals of the middleware without cloning the source? – click2install