Validating a Microsoft Graph JWT Token

This article covers how to approach validating a Microsoft Graph JWT token; it may serve as a reference for readers working through the same problem.

Question


I'm by no means an expert on MSAL/JWT/Graph authentication, but I'm hoping someone can explain this issue more clearly to me, or help me understand if there's a workaround or better approach.


Essentially, there are certain scenarios where I might end up with a Microsoft Graph JWT token. Two examples I can think of easily are using the Microsoft Graph Toolkit or using Tabs SSO in Microsoft Teams. In both cases, I can get relevant identity information for the user from the JWT token I would have already (via Graph Toolkit or via Teams SSO) - their Azure AD Object Id and their Tenant Id. However, I can't use that same token with my own backend API, because, from my research, I can't perform basic token verification against that JWT token. I'd like to be able, for example, to store information against that user and tenant Id combination.


I do understand that I can do my own authentication (e.g. MSAL.js), and I can even use the SAME Azure AD Application by extending its use, but it would be much easier to simply use the token I have access to already, if there was just a way to validate it. In Teams, as an example, the SSO user experience is nicely integrated, but I'd need to put the user through ANOTHER signin, potentially even for the SAME Azure AD Application. [Update: so technically it's not another 'sign-in' - the user is signed in already, hence 'SSO', but they need to consent again, in this case against the very same app they consented to a moment before].


So, my question is, is there any way to safely verify the existing token?

Recommended answer


An AAD token for the Graph is not meant for your app/services and you should not be attempting to validate or even decode it. In some cases, the token could be encrypted thus preventing you from even cracking it open. The only thing you can safely do with a Graph token is call a Graph API with it (as long as the token has the necessary scopes). If the token doesn't have the necessary scopes then you will get an error back from the Graph.


Can you help me understand your scenario better? How are you generating this Graph token? In general, when you use Tab SSO the token generated by Teams is not for the Graph; it's for your Web API that you registered with AAD and listed in your app manifest's webApplicationInfo section. To call downstream Graph APIs you would need to exchange this token via AAD's OBO flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow


If your app doesn't have the necessary consent then this exchange will fail, which you can use as a signal to trigger a popup authentication flow and get the user's consent. This is documented here: https://docs.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-aad-sso
