Getting a valid bearer token for an app from an Angular AD client

Views: 82

Problem description



I have followed this guide:

https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp

and I connect successfully. I would like to send the bearer token to my C# server and use it to call my workbench (another AD app) functions.

I am trying to use the bearer token I get from Angular in a Postman call and it is unauthorized. It is important to mention that I gave my Angular client on AD permission to access my workbench instance and it's still not working, which leads me to some questions:

I have tried using a .NET client from this guide:

http://blog.pomiager.com/post/using-rest-api-in-azure-workbench-blockchain

and it works. I notice here that the AuthenticationContext object receives credentials that use the Client ID and the Client Secret. I notice that in the Angular AD example we never use the secret. But the thing is that, when looking at the guide to create your own workbench UI, in authService.js it never takes the secret as a parameter either. As can be seen here:

https://github.com/Azure-Samples/blockchain/blob/master/blockchain-development-kit/connect/web/workbench/custom-ux-sample/src/services/authService.js

I understand that the credentials should be set on the server. In the Angular example that I provided there is also an ASP.NET server.

How can I create a valid bearer token for the workbench from the AngularJS AD example? Should I replace the OWIN lib with something else?

Thanks

Solution

You have two options:

1. OPTION1 - Call Workbench API directly from AngularJS based SPA

  In this option you work with the Implicit Grant Flow and only call the Workbench API through Delegated Permissions, i.e. in the context of the signed-in User.

  Also know that the AngularJS SPA itself should not make use of any client secrets, because it is a security risk and anyone using your application may be able to extract the secret from the JavaScript code.

  Here is a code sample from Azure Samples. This sample has TodoSPA (your AngularJS app) and ToGoAPI (a separate API, analogous to the Workbench API). So you don't need to host the ToGoAPI yourself, but assume the Workbench API is your ToGoAPI. Follow the same steps; just the permission name 'Access To Go API' will be different, and you will use 'Access Work Bench API' instead.

  Call an Azure AD protected Web API in an AngularJS Single Page App

  Important code pieces -

  In App\Scripts\app.js, replace the property name of the endpoints object with the new location of your To Go API, which will be the Workbench API URL in your case. In App\Scripts\toGoListSvc.js, replace the apiEndpoint variable with the same value.

2. OPTION2 - Create a backend API that supports your AngularJS based SPA

  The AngularJS SPA calls this backend server-based API, which then calls the Workbench API.

  In this option you can use client secrets and work with both Delegated Permissions as well as Application Permissions.

  You need this option only if you need to work with the Administrator permission shown in the screenshot for the Workbench API above.

  From a flow standpoint, you can directly use the Client Credentials grant flow from the backend API if you don't need to call Workbench in the context of a user. In case you need to call in the context of a user, make use of the On-Behalf-Of flow.

Since the blog reference that you're trying to follow makes use of only Delegated Permissions, I think you should be good with Option 1, but you can decide further based on your requirements.
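Both options above, as an added example that is not part of the original question, the answer, or the Azure samples: a dependency-free Node.js script that (for Option 1) emulates how an ADAL-style `endpoints` map decides which resource a token is requested for, decodes a bearer token's claims to check that its `aud` names the API being called, and (for Option 2) builds the form body a backend would POST to the Azure AD v1 token endpoint for the Client Credentials and On-Behalf-Of grants. The client ids, App ID URI, origin, tenant and sample tokens are constructed placeholders; `resourceForEndpoint` is a simplified approximation of the library's lookup, not its code; and `decodeClaims` does not verify the signature.

```javascript
// Added example (not code from the question, the answer or the Azure samples).
// Node.js, no dependencies. All ids, URIs and sample tokens are constructed.

// --- Option 1: which resource does the SPA request a token for? ----------
// Simplified emulation of an ADAL-style `endpoints` map: the first prefix that
// matches the request URL selects the resource; same-origin URLs fall back to
// the SPA's own client id; anything else gets no token at all. This is an
// approximation of the library's behaviour, not its code.
function resourceForEndpoint(endpoints, url, spaClientId, spaOrigin) {
  for (const [prefix, resource] of Object.entries(endpoints)) {
    if (url.startsWith(prefix)) return resource;
  }
  return url.startsWith(spaOrigin) ? spaClientId : null;
}

// --- Decode a bearer token and check its audience -------------------------
function base64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}
function base64urlEncode(s) {
  return Buffer.from(s).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// Claims only; the signature is NOT verified here. A real API must verify the
// signature against the tenant's signing keys plus iss/exp before trusting aud.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64urlDecode(parts[1]));
}

// A resource API accepts a bearer token only when `aud` names that API.
function isTokenForApi(jwt, apiIdentifiers) {
  const aud = decodeClaims(jwt).aud;
  const auds = Array.isArray(aud) ? aud : [aud];
  return auds.some((a) => apiIdentifiers.includes(a));
}

// Constructed sample token: real header/payload encoding, placeholder signature.
function makeSampleToken(claims) {
  const header = base64urlEncode(JSON.stringify({ typ: 'JWT', alg: 'RS256' }));
  return `${header}.${base64urlEncode(JSON.stringify(claims))}.placeholder-signature`;
}

// --- Option 2: backend token request body (Azure AD v1 endpoint) ----------
function tokenEndpoint(tenant) {
  return `https://login.microsoftonline.com/${tenant}/oauth2/token`;
}

// Returns the x-www-form-urlencoded body to POST to tokenEndpoint(tenant).
// With a user assertion (the token the SPA sent to the backend) this is the
// On-Behalf-Of grant; without one it is Client Credentials (application
// permissions, no user context). The secret lives only on the backend.
function buildBackendTokenRequest({ clientId, clientSecret, resource, userAssertion }) {
  const body = new URLSearchParams({ client_id: clientId, client_secret: clientSecret, resource });
  if (userAssertion) {
    body.set('grant_type', 'urn:ietf:params:oauth:grant-type:jwt-bearer');
    body.set('assertion', userAssertion);
    body.set('requested_token_use', 'on_behalf_of');
  } else {
    body.set('grant_type', 'client_credentials');
  }
  return body;
}

// --- Demo with constructed values ------------------------------------------
const SPA_CLIENT_ID = '11111111-1111-1111-1111-111111111111'; // constructed
const SPA_ORIGIN = 'https://spa.example';                        // constructed
const WORKBENCH_API = 'https://workbench.example/api/';          // constructed
const WORKBENCH_APP_ID_URI = 'api://workbench.example';          // constructed App ID URI of the API
const ENDPOINTS = { [WORKBENCH_API]: WORKBENCH_APP_ID_URI };     // the app.js endpoints mapping

function demo() {
  // A token minted for the SPA itself carries the wrong audience for Workbench.
  const spaToken = makeSampleToken({ aud: SPA_CLIENT_ID, upn: 'alice@example', exp: 2000000000 });
  const wbToken = makeSampleToken({ aud: WORKBENCH_APP_ID_URI, upn: 'alice@example', exp: 2000000000 });
  const creds = { clientId: 'backend-client-id', clientSecret: 's3cret', resource: WORKBENCH_APP_ID_URI };
  return {
    endpoint: tokenEndpoint('contoso.onmicrosoft.com'),
    resourceForWorkbenchCall: resourceForEndpoint(ENDPOINTS, WORKBENCH_API + 'contracts', SPA_CLIENT_ID, SPA_ORIGIN),
    resourceWithoutMapping: resourceForEndpoint({}, WORKBENCH_API + 'contracts', SPA_CLIENT_ID, SPA_ORIGIN),
    spaTokenAccepted: isTokenForApi(spaToken, [WORKBENCH_APP_ID_URI]),
    workbenchTokenAccepted: isTokenForApi(wbToken, [WORKBENCH_APP_ID_URI]),
    oboGrant: buildBackendTokenRequest({ ...creds, userAssertion: spaToken }).get('grant_type'),
    appGrant: buildBackendTokenRequest(creds).get('grant_type'),
  };
}

console.log(demo());
```

Run it with `node`. The check worth keeping from this is the audience one: granting the SPA permission to the Workbench app only allows the SPA to request a token for that resource; the token it actually sends must have been requested for that resource (via the endpoints map in app.js), otherwise its `aud` is the SPA's own client id and the API rejects it with 401 regardless of the permission grant.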
