如何从Angular应用程序的.Net Core程序获取Azure AD身份验证 [英] How can I get Azure AD Authentication from .Net Core program for Angular app
问题描述
我有一个托管Angular 10应用程序的.Net Core 3.1程序.Angular应用程序有一个登录页面,用户可以在其中输入用户名和密码,然后将其发送到.Net Core中的登录函数,该函数返回一个oAuth令牌,该令牌用于在从Angular进行的所有api调用中.仅在根据数据库检查了用户名和密码后,才会返回令牌.我希望有一个使用Microsoft登录"窗口,用户可以单击登录表单上的按钮,而不用输入用户名和密码.我希望.Net核心应用程序随后调用Azure Active Directory并获得令牌.如果用户已经登录到Azure AD,它将仅返回令牌,否则将要求用户提供其Active AD凭据,然后在成功登录后返回该令牌..NetCore程序可以询问Azure AD令牌(而不是检查数据库中的用户名和密码),如果可以的话,它将向Angular应用返回oAuth令牌.除了.Net Core中的代码之外,我在大多数方面都很清楚,可以做到以下几点:
I have a .Net Core 3.1 program that hosts an Angular 10 application. The Angular application has a login page where the user can enter a username and password which gets sent to a login function in .Net Core which returns an oAuth token that is used in all calls to the api from Angular. The token only gets returned once the username and password are checked against a database. I would like to have a "Sign in with Microsoft" button on the login form that the user could click instead of entering a username and password. I would like the .Net core application to then call Azure Active Directory and get a token. If the user is already signed into Azure AD, it would just return the token, if not it would asked the user for their Active AD credentials and then return the token after successful log in. The .Net Core program could then interrogate the Azure AD token (instead of checking username and password in the database) and if it is ok it would return the oAuth token to the Angular app. I'm clear on most of this apart from the code in .Net Core to do the following:
- 查看用户是否已经登录到Azure AD,如果没有提示用户登录到Azure AD,
- 向Azure AD发出请求,以为身份验证的用户发送令牌
请帮助.
推荐答案
使用Azure AD登录用户时,会出现 Microsoft.IdentityModel库可以为您隐藏大部分此类复杂性.由于您使用的是Angular,因此在SPA中处理登录部分会更简单,但不必这样做.
When signing a user in with Azure AD there is a specific flow you should follow. Just like for the Angular library, the Microsoft.IdentityModel library can hide most of this complexity from you. Since you are using Angular, handling the login portion in your SPA will be simpler, but you don't have to.
有一个示例应用程序专门使用Angular和.NET Core实现AAD身份验证:
There is a sample app that specifically implements AAD authentication with Angular and .NET Core: https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi
还有一个教程,它涉及几种不同的场景,包括您可能要探索的示例应用程序:
There's also a tutorial that goes through several different scenarios including that sample app that you may want to explore: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/
您在正确的路径上,您的API中有两个登录端点.主要问题是让您的API处理实际的登录.如果需要让Azure AD对用户进行身份验证,则应该始终由浏览器中的Azure AD处理.由于他们的Microsoft登录名不仅仅用于您的站点,因此用户随时随地将其交给您,这将带来巨大的安全风险.如果他们的帐户启用了2因子,则即使您具有他们的用户名和密码,API也无法进行身份验证.
You are on the right path with having two login endpoints in your API. The main issue is having your API handle the actual login. If you need to have Azure AD authenticate a user, you should always have that handled by Azure AD in the browser. Since their Microsoft login isn't just for your site, it is a massive security risk for the user to give them to you at any point. If they have 2-factor enabled on their account, there is no way for your API to do the authentication even if you have their user name and password.
如果用户登录到Azure AD,但没有登录到您的特定站点,则不会要求他们再次登录.他们可能会看到弹出窗口或进行短暂的重定向,但是Azure AD会立即使用API的令牌将其发送回您的站点.
If the user is signed in to Azure AD but not your site specifically they won't be asked to sign in again. They may see the popup or redirect briefly, but Azure AD will immediately send them back to your site with a token for your API.
这篇关于如何从Angular应用程序的.Net Core程序获取Azure AD身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
