Calling a secured REST api from Javascript without user login screen


Question

How would you call a secured REST api from a Javascript application that doesn't have a login?

I have a Javascript application (React) that doesn't have a user login. It needs to call some REST api services that use Oauth (Azure Ad - WindowsAzureActiveDirectoryBearerAuthentication).

Those REST services have CORS enabled.

I also registered my web application in Azure Ad.

The issue is that the javascript application needs to call https://login.microsoftonline.com/{{tenantId}}/oauth2/token to get the access token. I found no way to enable CORS for that URL. My JS application doesn't have any login, so I can't show the login screen in a popup or use adal js.

The solution that I came up with is to put my Javascript application in NodeJS (Express). The JS calls the NodeJS, which calls login.microsoftonline.com to get the token and passes it when calling the other secured REST services.

It works great, but I think there might be some security issues around that.

Is there any better way to design this kind of application?

Recommended answer

What you are doing is the proper approach. It keeps all the Oauth tokens secure on your server without having to expose them client side.

That is the main reason most Oauth2 APIs don't implement CORS.
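As an added example (not code from the question or the answer), here is a server-side token broker for the NodeJS backend pattern described above: the client credentials and the Azure AD access token stay in server memory, and the browser only ever talks to the Node route. The names createTokenBroker/callApi, the tenantId/clientId/clientSecret/resource values and the Express route sketch are assumptions; fetchImpl and now are injectable so the logic can be exercised offline.

```javascript
// Added example, not code from the question or answer: a server-side token broker for the
// NodeJS backend pattern described above. tenantId, clientId, clientSecret and resource are
// placeholders; fetchImpl and now are injectable so the logic can be exercised offline.
const tokenUrl = (tenantId) => `https://login.microsoftonline.com/${tenantId}/oauth2/token`;

function createTokenBroker({ tenantId, clientId, clientSecret, resource,
                             fetchImpl = globalThis.fetch, now = Date.now }) {
  let cached = null; // { accessToken, expiresAt } lives only in server memory

  // Client-credentials grant against the v1 /oauth2/token endpoint (which takes `resource`).
  async function getToken() {
    // Reuse the cached token while more than 60 s of lifetime remain.
    if (cached && cached.expiresAt - now() > 60_000) return cached.accessToken;
    const body = new URLSearchParams({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret, // never shipped to the browser
      resource,
    }).toString();
    const res = await fetchImpl(tokenUrl(tenantId), {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body,
    });
    if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
    const json = await res.json();
    cached = { accessToken: json.access_token, expiresAt: now() + Number(json.expires_in) * 1000 };
    return cached.accessToken;
  }

  // Call the secured REST API on behalf of the browser; the bearer token is attached here,
  // so the client-side JS never sees it.
  async function callApi(url, init = {}) {
    const token = await getToken();
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
    return fetchImpl(url, { ...init, headers });
  }

  return { getToken, callApi };
}

// Express wiring sketch (hypothetical route): the browser calls /api/items on this server,
// which forwards the request to the secured API and relays status and body.
//   app.get('/api/items', async (req, res) => {
//     const upstream = await broker.callApi('https://<api-host>/items');
//     res.status(upstream.status).send(await upstream.text());
//   });
```

The Node route itself still needs whatever access control the application requires, since anyone who can reach it can make calls through the broker.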
