Azure MFA in Cordova app that uses JWT OAuth 2.0 tokens


Question

I am developing a Cordova app that has (until now) used a password grant to retrieve JWTs from Microsoft's standard OAuth provider in Azure:

https://login.microsoftonline.com/[tenant]/oauth2/token

It works fine. However, we are opening up our application to outside traders, and the owner wants MFA added.

So, I have created an MFA provider in Azure and enabled a test account for MFA.

I am currently opening the redirect request using the InAppBrowser plugin, which seems to work: it opens the login page, it texts me, I put the code in, and then it completes login to the "Applications" splash screen (the default Azure login page for users).

My issue is identifying that login was successful and retrieving the JWTs. Because of the MFA, the login server now returns the following "MFA" error on initial login (not really an error):

interaction_required

However, once MFA is completed, I have no idea where to go to get my token/refresh token. If I resubmit the login, it just sends back an "interaction_required" message, even if "Do Not Ask Again For [X] Days" is selected during the MFA process.

I hope the issue is clear. Let me know if not and I'll revise as necessary.

I am not currently using ADAL or any Cordova plugins for authentication. I am hitting the endpoints on my own. The answer may be that I have to use ADAL.

Answer

Ok guys, here's the issue. Since I was using password grants, I was not hitting the /oauth2/authorize endpoint (it's not required with password grants; you go straight to /oauth2/token)...

With MFA, /oauth2/authorize is mandatory. If MFA is enabled, it redirects and handles everything for you (very simple). You simply await your redirect URL; the auth code is a query parameter, and thus is very easy to extrapolate.

After the browser redirects, you grab the authorization code and then submit it to the /oauth2/token server without username/password (an Authorization header is also not required, which is good because you don't have to ask for it twice, once for MFA and once to pass in to /token; good call, Microsoft).

Flow

testMFA = function () {
    // redirect_uri is omitted here, so Azure sends the code to the reply URL
    // registered for the app; that is the URL loadStartCallBack watches for.
    var url = "https://login.microsoftonline.com/[tenantID]/oauth2/authorize?client_id=[clientID]&response_type=code&response_mode=query";
    var target = "_blank";
    var options = "location=yes";
    inAppBrowserRef = cordova.InAppBrowser.open(url, target, options);
    try {
        // One callback for every event; it inspects event.url for the redirect.
        inAppBrowserRef.addEventListener('loadstart', loadStartCallBack);
        inAppBrowserRef.addEventListener('loadstop', loadStartCallBack);
        inAppBrowserRef.addEventListener('loaderror', loadStartCallBack);
        inAppBrowserRef.addEventListener('exit', loadStartCallBack);
    }
    catch (ex) {
        alert(ex);
    }
}

Then, in 'loadStartCallBack':

function loadStartCallBack(event) {
    if (!event.url) {
        return; // the 'exit' event carries no URL
    }
    // split('/')[2] is the host of the page being loaded; compare it with the
    // host of the registered reply URL, scheme stripped (e.g. "app.example.com").
    else if (event.url.split('/')[2] == '[returnURLWithoutHttps://]') {
        var fullstring = event.url.split('/')[3].split('?code=')[1];
        var code = fullstring.split('&')[0];
        var sess_state = fullstring.split('session_state=')[1];
        localStorage.tokenCode = code;   // one-time-use code, consumed by getToken()
        sessionStorage.sess_state = sess_state;
        inAppBrowserRef.close();
        getToken();
    }
}

You then pass the authorization code into the /oauth2/token server and receive back your token (I am leaving the password grant parameters in, commented out, for future readers that started with a password grant):

// Body for POST /oauth2/token. Each value is percent-encoded on its own;
// encodeURI() over the whole string leaves '&', '=' and '+' inside values
// untouched and would corrupt the form body (e.g. a password containing '&').
var data =
    'resource=[resourceURL]' +
    //'&username=' + encodeURIComponent(window.sessionStorage.loginUser) +
    //'&password=' + encodeURIComponent(password) +
    '&client_id=' + encodeURIComponent(clientId) +
    '&code=' + encodeURIComponent(authCode) +
    '&grant_type=authorization_code';
    //'&grant_type=password';
// response_type belongs to /authorize, not /token, so it is not sent here.
// Send dataFinal with Content-Type: application/x-www-form-urlencoded.
var dataFinal = data;

That's it. Hope it helps someone some day.

