Utilizing state/customState with passport-azure-ad


Problem description

I'm having trouble figuring out the purpose of customState and if/how I can utilize it to pass data to the return url. Specifically I wish to route the user back to their original location after being signed in. I thought I could pass the original url to the parameter customState and have it returned back to me in the return url POST, but it appears to be encoded or perhaps replaced with a different value.

Here is what I want to achieve:

  1. Anonymous user visits /page/protected which requires authentication.
  2. Code calls passport.authenticate which in turn redirects the user to sign in.
  3. User signs in and is returned to the pre-configured return url e.g.: /auth/oidc/return.
  4. Code handles extracting information from form-post data.
  5. User is directed back to /page/protected.

Recommended answer

A return URL (e.g. "/page/protected") can be round-tripped by:

1) Setting the "customState" parameter before the authentication middleware redirects to Azure AD B2C:

// Start the sign-in: the value given as customState is sent to Azure AD B2C
// as the OpenID Connect "state" parameter and comes back with the response.
app.get('/login', function (req, res, next) {
  passport.authenticate('azuread-openidconnect', {
    response: res,
    resourceURL: config.resourceURL,
    customState: '/page/protected', // Or set to the current URL
    failureRedirect: '/'
  })(req, res, next);
}, function (req, res) {
  res.redirect('/');
});

2) Getting the req.body.state parameter after the authentication middleware validates the authentication response from Azure AD B2C:

// Return URL (form_post response mode): once the middleware has validated the
// response, the round-tripped state is available as req.body.state.
app.post('/auth/openid/return', function (req, res, next) {
  passport.authenticate('azuread-openidconnect', {
    response: res,
    failureRedirect: '/'
  })(req, res, next);
}, function (req, res) {
  res.redirect(req.body.state);
});

The "customState" parameter value should be encrypted, which will mean the req.body.state parameter will have to be decrypted, if you don't want the return URL to be tampered with.

Otherwise, it is common to write the return URL to req.session before the authentication middleware redirects and sends the authentication request to Azure AD B2C, and then read (and then delete) this return URL from req.session after the authentication middleware receives and validates the authentication response from Azure AD B2C.
