passport-azure-ad: which strategy to use


Question

We have a front end developed in AngularJS and backend APIs in NodeJs. We are using Azure AD for authentication. The Angular front end is using the adal-angular JavaScript library for Azure authentication. So when a user comes to the web site, he gets redirected to https://login.microsoftonline.com and upon successful authentication he gets redirected back to our web site. So far so good.

I have to protect the backend APIs using the passport-azure-ad library. Only the front end is calling these APIs. There are two strategies available in this library:

1. OAuth2Bearer strategy
2. OIDCStrategy for OpenID Connect

I was under the impression that Azure AD by default uses OpenID Connect for authentication. So I was planning to use OIDCStrategy to protect the Node web API, as discussed here.

However, in Fiddler I see the following request that the client (i.e. the Angular front end) is making when it invokes the web API:

GET http://localhost:4030/api/getemployees HTTP/1.1  
Host: localhost:4030  
Connection: keep-alive  
Accept: application/json, text/plain, */*  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36  
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi………………………  
Referer: http://localhost:4030/  
Accept-Encoding: gzip, deflate, sdch  
Accept-Language: en-US,en;q=0.8  

Note that the Authorization header starts with "Bearer", so I am assuming the client is sending a Bearer token to the server.

Questions:

1. Which strategy should I be using here?
2. When should we use one over the other?

Answer

I maintain passport-azure-ad. The difference here is between "authorization" and "authentication".

OAuth2 is used for authorization (do I have access to this?).

OpenID Connect is used for authentication (this is who I am).

When you are connecting to web APIs, the user most likely already has an identity (they've been through authentication) and now you just want to ensure that the user has access to the APIs (authorization). OAuth2 is used to protect resources and consumes tokens from an IdP to ensure the tokens are valid and that the user has access to that resource. Bearer is just the type of token that we (and the industry) use for OAuth2. If someone comes to you without a token at all, you reject them, and then it's up to the client that called you to know where to take them to get the right token you need.

OpenID Connect is built on top of OAuth2 and is purely for logging people in and getting the tokens that you will then eventually send to a web API (which would in turn use OAuth2 with a Bearer token). So OpenID Connect is used for authentication.

In your scenario you are using Angular, which is doing the OpenID Connect authentication for you, so your web APIs should be using the Bearer strategy.

I have written a sample that walks you through all of this here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-webapi-nodejs/ It uses the MEAN stack, together with an iOS sample application I wrote as a front end. Playing with both of these, it's easy to see how one acts as the authentication piece (the iOS app) and the other sits there and protects the API, acting as the authorization piece (the node.js app).

Code for the node.js app: https://github.com/Azure-Samples/active-directory-node-webapi

Code for the iOS app: https://github.com/Azure-Samples/active-directory-ios

A deeper dive into these topics is here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/

Let me know if you have any other questions!
