Enabling CORS on Azure Active Directory


Question

I am trying to get an access token from Azure Active Directory programmatically using the following method in an Angular 6 application.

    // Builds a client_credentials request directly from the browser; the
    // client secret is therefore shipped to the user's device.
    let body1 = new FormData();
    body1.append("resource", environment.config.clientId);
    body1.append("grant_type", "client_credentials");
    body1.append("client_id", environment.config.clientId);
    body1.append("client_secret", "*****");

    return this._http.post("https://login.microsoftonline.com/" + environment.config.tenant + "/oauth2/token", body1);

I was able to retrieve an access token through this URL in Postman, but am blocked by CORS when calling it through my application. The error is below.

    Failed to load https://login.microsoftonline.com/*****/oauth2/token:
    Response to preflight request doesn't pass access control check: No 'Access-
    Control-Allow-Origin' header is present on the requested resource. Origin
    'http://localhost:4200' is therefore not allowed access.

So, how do I enable CORS on Azure Active Directory for all domains?

Answer

Simple: you don't.

What you are doing is exposing your app's client secret to the public. Remember that the request will be made from the user's device, so they can observe it and capture your secret. This is why the token endpoint does not support CORS, and probably never will.

UPDATE: The token endpoint does now support CORS if you configure a reply URL with the SPA platform. This allows usage of the Authorization Code flow with PKCE. MSAL.js 2.0 supports this flow. Note this still does not involve a client secret.

The way to acquire tokens from a front-end JS app is to use the Implicit Grant flow or the Authorization Code flow with PKCE. Or, if you do need an app-only token, then you must make the request you tried from a back-end application.

The Implicit Grant flow allows you to get tokens directly from the authorization endpoint as the user signs in. You can use ADAL.JS/MSAL.JS to assist with this. You cannot have tokens without a user identity, as your native app cannot prove its identity.
