如何在 Node.js 应用程序/API 中从 Azure AD 发出令牌? [英] How to issue tokens from Azure AD in a Node.js App/API?
问题描述
我正在构建一个带有 express 后端的节点应用程序.其中一项要求是使用 Azure AD 进行身份验证.我已经安装了 passport-azure-ad 模块并将其设置如下:
I am building a node app with a express backend. One of the requirements is using Azure AD for authentication. I've installed the passport-azure-ad module and have set it up as the following:
import * as passportAD from "passport-azure-ad";
// ... <snip> ....
const tenantName = "<MY_TENANT_NAME>"";
const clientID = "<MY_CLIENT_ID>";
app.use(passport.initialize());
app.use(passport.session());
const bearerStrategy = new passportAD.BearerStrategy(
{
identityMetadata: `https://login.microsoftonline.com/${tenantName}.onmicrosoft.com/.well-known/openid-configuration`,
clientID
},
(token: any, done: any) => {
console.log(token);
return done(null, {}, token);
}
);
passport.use(bearerStrategy);
然后我为这样的路由添加了授权:
Then I have added authorization to a route like this:
const myHandler = () => (req, res) => return res.json({});
app.get('/my/route',
passport.authenticate("oauth-bearer", { session: false }),
myHandler()
);
这将按预期返回 401 状态,但是,我无法找到有关如何从 Azure AD 向客户端颁发令牌的文档.我想接受一个 POST 到登录端点,并在正文中包含用户名和密码,并返回一个 Azure AD 令牌.这可能吗?
This is returning a 401 status as expected however, I haven't been able to find documentation on how to issue a token to a client from Azure AD. I'd like to accept a POST to a login endpoint with a username and password in the body and return a Azure AD token. Is this possible?
推荐答案
Azure AD 令牌的唯一发行者是 Azure AD.您应该不在您的客户中收集用户名/密码,并且您应该不在您的服务中接受它们.
The only issuer of an Azure AD token is Azure AD. You should not collect username/password in your clients, and you should not accept them in your service.
您的客户端应用程序只需使用 MSAL(或 ADAL,或任何 OpenID Connect 客户端库)将用户发送到 Azure AD,让他们登录,并作为响应获取您的 API 的访问令牌.
Your client applications simply needs to use MSAL (or ADAL, or any OpenID Connect client library) to send the user to Azure AD, have them sign in, and in response get an access token for your API.
例如,如果您的客户端是 JavaScript 单页应用,则使用 适用于 JavaScript 的 MSAL 您可以执行以下操作:
For example, if you client were a JavaScript single-page app, with MSAL for JavaScript you could do the following:
var userAgentApplication = new Msal.UserAgentApplication(
'0813e1d1-ad72-46a9-8665-399bba48c201', // AppId of you client app
null, function (errorDes, token, error, tokenType, instance) {
// This callback only used loginRedirect OR acquireTokenRedirect.
}
);
var scopes = ["https://api.example.com/permission.scope"];
userAgentApplication.loginPopup(scopes).then(function (token) {
// Get the signed-in user
var user = userAgentApplication.getUser();
// Get an access token for the signed-in user
userAgentApplication.acquireTokenSilent(scopes).then(function (token) {
// Use the access token to call your API
$.ajax({
url: 'https://api.example.com/foo',
type: 'GET',
dataType: 'json',
headers: { 'Authorization': 'Bearer ' + token },
contentType: 'application/json; charset=utf-8',
success: function (result) {
// TODO: Do something cool with the API response.
},
error: function (error) {
// TODO: Do something smart if there's an error
}
});
}, function (error) {
// TODO: Silent token acquisition failed, retry with acquireTokenPopup()
});
}, function (error) {
// TODO: Deal with error.
});
(当然,您可以在其他各种平台上执行此操作.)
(Of course, you can do this for various other platforms.)
这篇关于如何在 Node.js 应用程序/API 中从 Azure AD 发出令牌?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
