access_token same as id_token when trying to acquire access token with ADAL.js AuthenticationContext?


Question

I am authenticating my Single Page App (Angular 4) with Azure AD, and using Adal.js for the same. On the login page, I click a button that redirects to Microsoft AAD, and upon successful login it redirects back to the application home page and receives the id_token and user info from the JWT.

I need the access_token for back-end API access, which I am trying to acquire through the ADAL AuthenticationContext's getCachedToken() method, sending the clientId as the parameter:

this.context.getCachedToken(this.configService.AdalConfig.clientId)

But this method returns the same token that is stored in session storage as the id_token (adal.idtoken). It basically creates a new item in session storage with a concatenated key, which has the same value as the id_token:

adal.access_token.key + clientId = id_token

For example: adal.access_token.key239f6fc7-64d2-3t04-8gfd-501efc25adkd = <id-token-value>

I also tried to fetch the access_token with the AuthenticationContext.acquireToken() method, but it too gave the id_token back.

Where am I going wrong?

Edit: posting the code. I am calling the function login(), and after successful login, trying to get the access token in the home page via the get accessToken() property accessor in adal.config.ts.

config.service.ts

import { Injectable } from '@angular/core';

@Injectable()
export class ConfigService {
  constructor() {}
  public get AdalConfig(): any {
    return {
      tenant: 'common',
      clientId: <application-id>,
      redirectUri: window.location.origin + '/',
      postLogoutRedirectUri: window.location.origin + '/'
    };
  }
}

adal.service.ts

import { ConfigService } from './config.service';
import { Injectable } from '@angular/core';
import { adal } from 'adal-angular';

// AuthenticationContext is the global constructor that adal.js installs when
// the library script is loaded; the adal-angular typings describe its shape.
let createAuthContextFn: adal.AuthenticationContextStatic = AuthenticationContext;

@Injectable()
export class AdalService {
  private context: adal.AuthenticationContext;

  constructor(private configService: ConfigService) {
    this.context = new createAuthContextFn(configService.AdalConfig);
  }

  // Redirects the browser to Azure AD for sign-in.
  login() {
    this.context.login();
  }

  logout() {
    this.context.logOut();
  }

  // Must run when Azure AD redirects back: parses the URL fragment and caches
  // the returned token(s) and user info in session storage.
  handleCallback() {
    this.context.handleWindowCallback();
  }

  public get userInfo() {
    return this.context.getCachedUser();
  }

  // Returns whatever token ADAL cached for the given resource; here the
  // resource is the app's own clientId, under which ADAL stores the id_token.
  public get accessToken() {
    return this.context.getCachedToken(this.configService.AdalConfig.clientId);
    // return this.context.acquireToken(this.configService.AdalConfig.clientId, function(message, token, response) {
    //   console.log(message, token, response);
    // });
  }

  public get isAuthenticated() {
    return this.userInfo && this.accessToken;
  }
}


Answer

Actually, after a bit of reading, it turned out that connecting SPAs to Azure AD requires the OAuth 2.0 Implicit Grant flow. The Microsoft documentation says:


In this scenario, when the user signs in, the JavaScript front end uses the Active Directory Authentication Library for JavaScript (ADAL.JS) and the implicit authorization grant to obtain an ID token (id_token) from Azure AD. The token is cached and the client attaches it to the request as the bearer token when making calls to its Web API back end, which is secured using the OWIN middleware.

So, it's the id_token itself that I need to send to the back-end APIs, which in turn can be validated and used. More info about validation is given here:


Just receiving an id_token is not sufficient to authenticate the user; you must validate the id_token's signature and verify the claims in the token per your app's requirements. The v2.0 endpoint uses JSON Web Tokens (JWTs) and public key cryptography to sign tokens and verify that they are valid.

You can choose to validate the id_token in client code, but a common practice is to send the id_token to a backend server and perform the validation there. Once you've validated the signature of the id_token, there are a few claims you will be required to verify.
