Validating a Microsoft Graph JWT Token

Question

I'm by no means an expert on MSAL/JWT/Graph authentication, but I'm hoping someone can explain this issue more clearly to me, or help me understand if there's a workaround or better approach.

Essentially, there are certain scenarios where I might end up with a Microsoft Graph JWT token. Two examples I can think of easily are using the Microsoft Graph Toolkit or using Tabs SSO in Microsoft Teams. In both cases, I can get relevant identity information for the user from the JWT token I would have already (via Graph Toolkit or via Teams SSO) - their Azure AD Object Id and their Tenant Id. However, I can't use that same token with my own backend API, because, from my research, I can't perform basic token verification against that JWT token. I'd like to be able, for example, to store information against that user and tenant Id combination.

I do understand that I can do my own authentication (e.g. MSAL.js), and I can even use the SAME Azure AD Application by extending its use, but it would be much easier to simply use the token I have access to already, if there was just a way to validate it. In Teams, as an example, the SSO user experience is nicely integrated, but I'd need to put the user through ANOTHER signin, potentially even for the SAME Azure AD Application. [Update: so technically it's not another 'sign-in' - the user is signed in already, hence 'SSO', but they need to consent again, in this case against the very same app they consented to a moment before].

So, my question is, is there any way to safely verify the existing token?

Accepted answer

An AAD token for the Graph is not meant for your app/services and you should not be attempting to validate or even decode it. In some cases, the token could be encrypted thus preventing you from even cracking it open. The only thing you can safely do with a Graph token is call a Graph API with it (as long as the token has the necessary scopes). If the token doesn't have the necessary scopes then you will get an error back from the Graph.

Can you help me understand your scenario better? How are you generating this Graph token? In general, when you use Tab SSO the token generated by Teams is not for the Graph; it's for your Web API that you registered with AAD and listed in your app manifest's webApplicationInfo section. To call downstream Graph APIs you would need to exchange this token via AAD's OBO flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

If your app doesn't have the necessary consent then this exchange will fail, which you can use as a signal to trigger a popup authentication flow and get the user's consent. This is documented here: https://docs.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-aad-sso
