Node module passport-azure-ad id_token validation


Problem description

I am using passport-azure-ad to authenticate a user through AzureAD. I looked at the code in oidcstrategy.js, and it seems to validate the returned id_token using the kid returned in the JWT header. This seems pretty silly. Is there an example of stronger validation using this module? Seems like I ought to be able to directly query AzureDS for the public key that should be used to validate the token.

Recommended answer

OIDCStrategy uses the OpenID Connect protocol for web application login purposes. It works in the following manner: if a user is not logged in, passport sends an authentication request to AAD (Azure Active Directory), and AAD prompts the user for his or her sign-in credentials. On successful authentication, depending on the flow you choose, the web application will eventually get an id_token back, either directly from the AAD authorization endpoint or by redeeming a code at the AAD token endpoint. Passport then validates the id_token, propagates the claims in the id_token back to the verify callback, and lets the framework finish the remaining authentication procedure. If the whole process is successful, passport adds the user information to req.user and passes it to the next middleware. In case of error, passport either sends back an unauthorized response or redirects the user to the page you specified (such as the homepage or login page).

It supports encrypted id_tokens in JWE Compact Serialization format. The key encryption algorithms supported are:
RSA1_5, RSA-OAEP, A128KW, A256KW, dir.
The content encryption algorithms supported are:
A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, and A256GCM.

https://github.com/AzureAD/passport-azure-ad

