ID tokens vs Access tokens in implicit grant flow

Views: 71

Problem description

I would like some clarification on how to use ID tokens and access tokens in an implicit grant flow. I have an Angular SPA using MSAL.js for Angular package and a Web API. The API does NOT call any external services, like MSFT Graph. The back end uses role claims from JWT to establish RBAC authorization to our API functionality only.

This doc says: https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens

id_tokens are sent to the client application as part of an OpenID Connect flow. They can be sent alongside or instead of an access token, and are used by the client to authenticate the user.

ID Tokens should be used to validate that a user is who they claim to be and get additional useful information about them - it shouldn't be used for authorization in place of an access token.

This doc shows an authentication flow where a web API is called with an ID token instead of an access token: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow

This sample code sends ID token too (calling own Web API sample): https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-dotnet-webapi-v2

The sample back end validates ID token audience against Client ID of the app that issued it.

Given our API is the only consumer of tokens, should we use ID tokens or access tokens?

Solution

Check this part:

It first calls acquireTokenSilent, which gets a token from the cache if available; if not, it calls acquireTokenPopup, which will get an access token for the specific scope. I am not sure if it would open up a popup window or will get a token in the background with a hidden iframe. But it would fetch an access token for sure. The API can never be accessed with an ID token.

Check https://docs.microsoft.com/bs-latn-ba/azure/active-directory/develop/scenario-spa-acquire-token for more clarification.
