Enabling CORS on Azure Active Directory


Question

I am trying to get an access token from Azure Active Directory programmatically using the following method in an Angular 6 application.

    // Builds a client_credentials request in the browser. The client secret is
    // bundled with the front-end code and sent from the user's device.
    let body1 = new FormData()
    body1.append("resource", environment.config.clientId)
    body1.append("grant_type", "client_credentials")
    body1.append("client_id", environment.config.clientId)
    body1.append("client_secret", "*****")

    // v1 token endpoint of the tenant
    return this._http.post("https://login.microsoftonline.com/" + environment.config.tenant + "/oauth2/token", body1)

I was able to retrieve an access token through this URL in Postman, but I am blocked by CORS when calling it through my application. The error is below.

    Failed to load https://login.microsoftonline.com/*****/oauth2/token:
    Response to preflight request doesn't pass access control check:
    No 'Access-Control-Allow-Origin' header is present on the requested resource.
    Origin 'http://localhost:4200' is therefore not allowed access.

So, how do I enable CORS on Azure Active Directory for all domains?

Answer

Simple, you don't.

What you are doing is exposing your app's client secret to the public. Remember that the request will be made from the user's device, so they can observe it and capture your secret. This is why the token endpoint does not support CORS, and probably never will.

The way to acquire tokens from a front-end JS app is to use the Implicit Grant Flow. Or, if you do need an app-only token, then you must make the request you tried from a back-end application.

The implicit grant flow allows you to get tokens directly from the authorization endpoint as the user signs in. You can use ADAL.JS/MSAL.JS to assist with this. You cannot have tokens without a user identity, as your native app cannot prove its identity.
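The back-end half of the answer, as an added example that is not part of the original post or of any Microsoft library: a Node.js (18+) function that performs the client_credentials request the asker attempted, but on a server where the client secret is kept. It sends the body as application/x-www-form-urlencoded (what the v1 token endpoint expects, rather than multipart FormData), refuses to run inside a browser, and takes an injectable fetch so it can be exercised offline. The tenant, client ID, secret, resource and the stub response are constructed placeholders, not values from the page.

```javascript
// Added example (not the original post's code): server-side client_credentials
// against the AAD v1 token endpoint. The secret never reaches the browser.

const TOKEN_ENDPOINT = (tenant) =>
  `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/token`;

// A client secret must only be used where the user cannot observe the request.
function assertServerSide() {
  if (typeof window !== "undefined" || typeof document !== "undefined") {
    throw new Error("client_credentials must not run in a browser: it would expose the client secret");
  }
}

// Build the request the v1 token endpoint expects: form-urlencoded body,
// `resource` identifying the API the token is for (v2.0 would use `scope`).
function buildTokenRequest({ tenant, clientId, clientSecret, resource }) {
  for (const [name, value] of Object.entries({ tenant, clientId, clientSecret, resource })) {
    if (typeof value !== "string" || value.length === 0) throw new Error(`missing ${name}`);
  }
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    resource,
  });
  return {
    url: TOKEN_ENDPOINT(tenant),
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Acquire an app-only token. fetchImpl defaults to Node's global fetch and is
// injectable so the flow can be tested without network access.
async function acquireAppToken(config, fetchImpl = globalThis.fetch) {
  assertServerSide();
  const req = buildTokenRequest(config);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  const json = await res.json();
  if (!res.ok || !json.access_token) {
    // AAD reports failures as { error, error_description }. Never log the request body.
    throw new Error(`token request failed: ${json.error || res.status} ${json.error_description || ""}`.trim());
  }
  return { accessToken: json.access_token, expiresIn: Number(json.expires_in), tokenType: json.token_type };
}

// Constructed stub standing in for login.microsoftonline.com so the example runs offline.
// It accepts the request only when it is shaped the way the real endpoint requires.
function stubAadFetch(url, init) {
  const params = new URLSearchParams(init.body);
  const ok = init.method === "POST"
    && init.headers["Content-Type"] === "application/x-www-form-urlencoded"
    && params.get("grant_type") === "client_credentials"
    && params.get("client_secret") === "example-secret";
  const payload = ok
    ? { token_type: "Bearer", expires_in: "3599", access_token: "eyJ.constructed.token" }
    : { error: "invalid_client", error_description: "constructed failure" };
  return Promise.resolve({ ok, status: ok ? 200 : 401, json: async () => payload });
}

// Placeholder configuration; in a real deployment the secret comes from a server-side
// secret store or environment variable, never from a file shipped to the browser.
const exampleConfig = {
  tenant: "contoso.onmicrosoft.com",
  clientId: "11111111-2222-3333-4444-555555555555",
  clientSecret: "example-secret",
  resource: "api://example-api",
};

acquireAppToken(exampleConfig, stubAadFetch)
  .then((t) => console.log(`app-only ${t.tokenType} token acquired, expires in ${t.expiresIn}s`));
```

Replace `stubAadFetch` with the default fetch to talk to the real endpoint; the browser then calls this back end (or a back-end-issued session) instead of the token endpoint, so no CORS exception is needed. For the user-delegated case, MSAL.js handles the redirect to the authorization endpoint itself; current MSAL.js versions use the authorization code flow with PKCE for single-page apps rather than the implicit grant, and neither flow ever needs a client secret in the browser.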

