OAuth 2.0 | SPA | How does id_token disguise as an access_token for accessing restricted web resources?

Question

I am working on integrating Azure Active Directory for my Angular SPA (or any JavaScript) application. The application has a front-end (built with JavaScript) and a Web API (built with C# or any other server-side language).

For reference: https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp

I know that I configured the OAuth 2.0 Implicit Grant in the SPA AAD registration. The OAuth 2.0 Implicit Grant is slightly relaxed to let the SPA gain access to web resources tied to the SPA AAD registration by redeeming the 'id_token'.

OAuth 2.0 Implicit Grant protocol:

  1. Hit the Azure authorize endpoint with client_id, resource .. for an id_token
  2. Get challenged for credentials
  3. Obtain the id_token as it is posted back to the SPA URI.
  4. Use the id_token as a bearer token to access restricted web resources.

It works well when the SPA works only with the id_token and the OAuth 2.0 Implicit Grant protocol against the internal Web API.

Why we cannot get an access_token from the SPA or JS:

The SPA could not send an XHR to the Azure token endpoint, as the SPA is blocked by the CORS policy of the Azure token endpoint. So the SPA XHR could not acquire an access_token.

But the iFrames implementation of Adal.js can fetch an access_token by calling cross-domain web resources.

It looks like this is a special case for SPAs alone.

Questions:

  1. How does AAD determine which web resources the 'id_token' holder can access? By looking up the web resources tied to the SPA AAD registration?

[OP] Adal.js is responsible for intercepting our post-backs to receive and store tokens like id_token & access_token

Can't AAD implement the following approach?

  • Redirect to the Azure authorize endpoint with client_id, resource .. for an authorization code.
  • Get the Authorization_Code from the Azure authorize endpoint by having it posted back to the SPA URI.
  • Instead of an XHR to the Azure token endpoint, can't we redirect to the Azure token endpoint with Auth_Code, client_id, resource .. to let the Azure token endpoint post the access_token back to the redirect_uri?

[OP] Adal.js had other plans to use iFrames to call the cross-domain API (Az Auth endpoint, in this case) and acquire access tokens.

P.S. I need real answers for the above questions. This case is now solved :)!

Answer

How does AAD determine which web resources the 'id_token' holder can access? By looking up the web resources tied to the SPA AAD registration?

It doesn't. If your API is configured to accept valid AAD tokens with the audience set to your front-end app's client id, it'll accept the token. This isn't a good pattern though; you should use access tokens to call APIs.

As for your question regarding access tokens, a front-end can acquire access tokens through the implicit flow by using a redirect or a hidden iframe. If you use ADAL.js or MSAL.js, they do this for you automatically if you ask them for an access token.

Essentially they open an iframe that goes to the /authorize endpoint with:

  • response_type=token
  • resource=https%3A%2F%2Fgraph.microsoft.com or scope=https%3A%2F%2Fgraph.microsoft.com%2FUser.Read if using v2/MSAL
  • prompt=none

The last parameter tells AAD not to do a prompt (it's a hidden iframe). If a valid session still exists in the user's browser and consent has been granted for the scopes asked for, a token is returned as a redirect to your SPA within the iframe. ADAL/MSAL can then grab the token from the iframe URL, as they are running on the same host name.

Because of the way this works, you'll want to check whether you are within an iframe when your SPA loads and not render the app at all if you are.

And no, you cannot call the /token endpoint from a JS front-end.
