使用 MIcrosoft Graph (accessToken) 进行 Firebase 身份验证 [英] firebase auth with MIcrosoft Graph (accessToken)

查看:46
本文介绍了使用 MIcrosoft Graph (accessToken) 进行 Firebase 身份验证的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我非常希望有人能帮助我 - 我有点卡住了.

I am super hopeful someone can help me - I'm kind of stuck.

我很高兴将 Firebase 身份验证与 Microsoft AD 结合使用.我的 AuthProvider 是 firebase.auth.OAuthProvider('microsoft.com').

I'm happily using firebase auth with Microsoft AD. My AuthProvider is firebase.auth.OAuthProvider('microsoft.com').

当我使用该提供程序调用 firebase.auth().signInWithPopup() 时,一切正常.我可以从生成的 UserCredential 中挑选出 accessToken 并访问 Microsoft Graph api 没问题(是的!).

When I call firebase.auth().signInWithPopup() with that provider, everything works GREAT. I can pick out the accessToken from the resulting UserCredential and access Microsoft Graph api's no problem (yay!).

Firebase 持续并更新身份验证,当用户稍后返回我的 SPA 时,我的应用程序通过 onAuthStateChanged 使用新的 firebase.User 获得预期的回调(也是!).

Firebase persists and renews the authentication and my app gets the expected callback via onAuthStateChanged with the new firebase.User when the user returns to my SPA later (also yay!).

坏消息(我遇到的问题)是:我如何在此流程中获取 Microsoft Graph accessToken(例如,当用户稍后返回到我的应用程序)?我不希望他们必须使用另一个弹出窗口重新进行身份验证(是的).

The bad news (where I'm stuck) is: how do I get the Microsoft Graph accessToken in this flow (e.g. when the user returns to my app later)? I don't want them to have to re-authenticate with another popup (yech).

基本上,当用户返回时,我如何从有效的 firebase.User 转到 MS Graph accessToken?

Basically, how do I go from a valid firebase.User to a MS Graph accessToken when the user returns?

非常感谢您的帮助!

推荐答案

UPDATE/answer: 所以结果比我想象的要简单:

UPDATE/answer: so it turns out to be simpler than I thought:

基本思想是使用 firebase 进行身份验证(重新身份验证),并使用 相同的 clientID 进行静默 microsoft 身份验证.但是,您必须提供一个loginHintmicrosoft auth 的参数,即使您之前已获得授权.登录提示可以成为 firebase 用户的电子邮件地址...

The basic idea is to authenticate (re-authenticate) using firebase and use the same clientID for silent microsoft authentication. However, you must supply a loginHint parameter to the microsoft auth, even if you were previously authorized. loginHint can be the email address for the firebase user...

在这种情况下,身份验证是共享的,您不需要为microsoft half"弹出第二次登录.过程 - Firebase 身份验证工作正常.

In that scenario, the authentication is shared and you won't need to popup a second sign-in for the "microsoft half" of the process - the firebase auth works fine.

我最终使用了微软的 MSAL 库(https://github.com/AzureAD/microsoft-authentication-library-for-js)...类似这样:

I ended up using microsoft's MSAL library (https://github.com/AzureAD/microsoft-authentication-library-for-js)... something like this:

const graphDebug = false;
const msalLogger = new Logger(msalLogCallback, { level: LogLevel.Error });

export async function graphClient(loginHint: string) {
  const msal = new UserAgentApplication({
    // gotcha: MUST set the redirectUri, otherwise get weird errors when msal
    // tries to refresh an expired token.
    auth: { clientId: CLIENT_ID, redirectUri: window.location.origin },
    system: { logger: msalLogger },
    // TODO: should we set cache location to session/cookie?
  });

  /**
   * Create an authprovider for use in subsequent graph calls. Note that we use
   * the `aquireTokenSilent` mechanism which works because firebase has already
   * authenticated this user once, so we can share the single sign-on.
   *
   * In order for that to work, we must pass a `loginHint` with the user's
   * email. Failure to do that is fatal.
   */
  const authProvider: AuthProvider = callback => {
    msal
      .acquireTokenSilent({ scopes: SCOPES, loginHint })
      .then(result => {
        callback(null, result.accessToken);
      })
      .catch(err => callback(err, null));
  };

  const client = Client.init({
    authProvider,
    debugLogging: graphDebug,
  });

  return client;
}

这篇关于使用 MIcrosoft Graph (accessToken) 进行 Firebase 身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆