azure ad b2c with spa and webapi


Question


I am confused about how Azure B2C works when SPA is talking to backend APIs. We have a VUE app that retrieves data from ASPNet core Web APIs. I connected the VUE with APP on Azure B2C and I can log in and retrieve access token, but.


How does authentication/authorization between SPA and APIs work?

TIA

Answer


Azure B2C uses OAuth 2 / OpenID Connect as the main way to secure single page apps and APIs. OAuth 2 uses JSON Web Tokens (stateless cryptographically signed tokens) to provide authentication between multiple services (OpenID Connect is an extension of OAuth 2).


The Client application (the SPA in this case) would ask Azure AD B2C for JWT tokens. If the user is logged in to B2C the security token service would then issue tokens for the SPA to use.


When the SPA calls the API, the ID token from the security token service (in the OpenID Connect flow) would be sent to the API in the Authorization header (Authorization: Bearer $token$). The API could then validate the token based on the signature block of the JWT to validate that the token was issued by the security token service and has not been modified. Because of the trust relationship between the STS and the API (the API trusts the STS), the API then authenticates and authorizes the various API calls based on the JWT that is presented.


Since you have the SPA working and getting tokens, all you need to do next is set up the Web API to accept the JWT from B2C. Using Microsoft.AspNetCore.Authentication.JwtBearer the following code should be close to getting you up and running:

services.AddAuthentication(options =>
  { 
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; 
  })
  .AddJwtBearer(jwtOptions =>
  {
    jwtOptions.Authority = $"https://login.microsoftonline.com/tfp/{Configuration["AzureAdB2C:Tenant"]}/{Configuration["AzureAdB2C:Policy"]}/v2.0/";
    jwtOptions.Audience = Configuration["AzureAdB2C:ClientId"];
    jwtOptions.Events = new JwtBearerEvents
    {
      OnAuthenticationFailed = AuthenticationFailed
    };
  });


(above code from azure samples, no longer maintained.)


While ideally both the SPA and API would be registered as separate clients with the STS, you could use the same client ID so you would not need to keep two sets of tokens around, one for the SPA client and one for the API. In the current project I am working on, multiple SPAs are registered as clients, then the API has an AddJwtBearer which accepts multiple audiences:

.AddJwtBearer(options =>
{
    options.Authority = $"https://login.microsoftonline.com/tfp/{Configuration["AzureAdB2C:Tenant"]}/{Configuration["AzureAdB2C:Policy"]}/v2.0/";
    options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        ValidateIssuer = true,
        // A token issued to either registered SPA client is accepted by this API.
        ValidAudiences = new List<string>
        {
            Configuration["AzureAdB2C:ClientId1"],
            Configuration["AzureAdB2C:ClientId2"]
        }
    };
});


This gives enough security to me for my app and the API does not need to be registered as a client with the IDP.
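As an added illustration (not part of the answer above) of what the AddJwtBearer configuration checks on every "Authorization: Bearer" request, here is a stand-alone Python model: signature first, then issuer, then the set of accepted audiences, then lifetime. The tenant, policy, client IDs and secret are constructed; Azure AD B2C actually signs with RS256 against published keys, so the HMAC secret is only a stand-in that keeps the example on the standard library.

```python
import base64, hmac, hashlib, json, time

# Constructed values standing in for the Configuration["AzureAdB2C:..."] entries.
TENANT = "contoso.onmicrosoft.com"
POLICY = "B2C_1_signupsignin"
# Issuer the API trusts, derived from the Authority used above (assumed here;
# in ASP.NET Core it is normally read from the authority's metadata document).
TRUSTED_ISSUER = f"https://login.microsoftonline.com/tfp/{TENANT}/{POLICY}/v2.0/"
VALID_AUDIENCES = {"spa-client-id-1", "spa-client-id-2"}   # ClientId1 / ClientId2
# Demo-only shared secret: B2C really signs with RS256 (public keys via JWKS);
# HS256 is used here only so the example runs without extra libraries.
SECRET = b"constructed-demo-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Stand-in for the security token service issuing a JWT to the SPA."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_bearer(authorization_header: str, now=None) -> dict:
    """What the API does with 'Authorization: Bearer <token>': verify the
    signature, then issuer, audience and lifetime. Raises ValueError on failure."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise ValueError("not a bearer JWT")
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # never accept alg=none or a swapped algorithm
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")         # not issued by the STS, or modified in transit
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != TRUSTED_ISSUER:       # ValidateIssuer = true
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & VALID_AUDIENCES:                # ValidAudiences = {ClientId1, ClientId2}
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    return claims
```

A token minted for a client ID outside ValidAudiences, a payload altered after signing, or an expired token are all rejected before any claim is trusted.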
