How to implement Authorization Code Grant with PKCE in Angular6+ applications


Problem description

I need some input in implementing MSAL library in Angular6+ applications for integrating with AZURE AD.

As I read through the Microsoft docs, I came across two flows, 'implicit grant flow' and 'auth code flow'. It has been recommended by the Microsoft team themselves that 'auth code flow' must be implemented, as it's secure as compared to 'implicit grant flow'.

I'm working on an Angular6+ application, and I have to integrate it with AZURE AD. When I checked the MSAL libraries for Angular I could only find 1 version, "npm i @azure/msal-angular", which I assume implements 'implicit grant flow'. I have to implement 'auth code flow'.

Could anyone please help in this regard?

Recommended answer

There are 2 confusions here, one is about the security of flows, the other is about whether MSAL supports auth code (w/ PKCE).

  1. Auth code flow vs. implicit flow

You should not understand this as "auth code is secure and implicit flow is insecure". These are relative terms; that is, auth code is considered more secure than implicit flow. However, there are use cases where implicit flow is considered just as good (e.g. user session timeout is short). There is some debate on the internet about this.

  2. Using MSAL.js with Angular

The current MSAL.js 2.x (msal-browser) implements auth code (w/ PKCE) flow. There is no reason for you not to use it with your Angular project. There is also an MSAL-Angular wrapper library, which comes with some extra features and glue code, and that is the one that implements implicit flow (because it is based on MSAL.js 1.x aka msal-core). However, you don't have to use it just because you have an Angular project. Instead, you can create your own authentication service using MSAL.js 2.x directly.
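To make concrete what "auth code (w/ PKCE)" adds over a bare authorization code, here is an added example (not part of the answer above and not MSAL.js code) of the RFC 7636 S256 exchange: the client derives a challenge from a secret verifier, and the authorization server refuses to redeem a code unless the matching verifier is presented. The function names and the in-memory code store are hypothetical, and Node.js's built-in `crypto` module is assumed.

```javascript
// Added example: PKCE (RFC 7636) with the S256 method. Hypothetical names throughout.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

// Client: high-entropy code_verifier (43 to 128 unreserved characters).
function createCodeVerifier(byteLength = 32) {
  return randomBytes(byteLength).toString('base64url'); // 32 bytes -> 43 chars
}

// Client: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
function createCodeChallenge(verifier) {
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Authorization server (constructed in-memory stand-in): code -> stored challenge.
const issuedCodes = new Map();

// Authorization endpoint: bind the issued code to the client's challenge.
function issueAuthorizationCode(codeChallenge, method) {
  if (method !== 'S256') throw new Error('only code_challenge_method=S256 is accepted');
  const code = randomBytes(16).toString('hex');
  issuedCodes.set(code, codeChallenge);
  return code;
}

// Token endpoint: a code is redeemable once, and only with the matching verifier.
function redeemAuthorizationCode(code, codeVerifier) {
  const storedChallenge = issuedCodes.get(code);
  if (storedChallenge === undefined) return false; // unknown or already used
  issuedCodes.delete(code);                        // single use, even on failure
  if (typeof codeVerifier !== 'string' ||
      !/^[A-Za-z0-9\-._~]{43,128}$/.test(codeVerifier)) {
    return false;                                  // malformed verifier
  }
  const expected = Buffer.from(storedChallenge, 'ascii');
  const actual = Buffer.from(createCodeChallenge(codeVerifier), 'ascii');
  // Constant-time comparison of the stored and recomputed challenge.
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}
```

Because the verifier never appears in the redirect URL, a code captured from the browser history or a redirect is not enough to obtain tokens.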
