passport-azure-ad: which strategy to use


Problem description


We have a front end developed in AngularJS and backend APIs in NodeJs. We are using Azure AD for authentication. The Angular frontend is using the adal-angular javascript library for Azure authentication. So when a user comes to the web site, he gets redirected to https://login.microsoftonline.com and upon successful authentication he gets redirected back to our web site. So far so good.
I have to protect the backend APIs using the passport-azure-ad library. Only the frontend is calling these APIs. There are two strategies available using this library:
1> OAuth2Bearer strategy
2> OIDCStrategy for Open ID Connect


I was under the impression that Azure AD by default uses OpenID Connect for authentication. So I was planning to use OIDCStrategy to protect the Node web API as discussed here
However, in Fiddler I see the following request that the client (i.e. the Angular frontend) is making when it invokes the web API:

GET http://localhost:4030/api/getemployees HTTP/1.1  
Host: localhost:4030  
Connection: keep-alive  
Accept: application/json, text/plain, */*  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36  
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi………………………  
Referer: http://localhost:4030/  
Accept-Encoding: gzip, deflate, sdch  
Accept-Language: en-US,en;q=0.8  


Note that the Authorization tag starts with "Bearer", so I am assuming the client is sending a Bearer token to the server.



Q
1> Which strategy should I be using here?
2> When should we use one over the other?

Recommended answer


I maintain passport-azure-ad. The difference here is between "authorization" and "authentication".


OAuth2 is used for authorization (do I have access to this?).


OpenID Connect is used for authentication (this is who I am).


When you are connecting to web APIs, the user most likely already has an identity (they've been through authentication) and now you just want to ensure that the user has access to the APIs (authorization). OAuth2 is used to protect resources and consumes tokens from an IdP to ensure tokens are valid and that the user has access to that resource. Bearer is just the type of token that we (and the industry) use for OAuth2. If someone comes to you without a token at all, you reject them and then it's up to the client that called you to know where to take them to get the right token you need.


OpenID Connect is built on top of OAuth2 and is purely for logging people in and getting the tokens that you will then eventually send to a Web API (which would in turn use OAuth2 with Bearer token). So OpenID Connect is used for authentication.


In your scenario you are using Angular, which is doing the OpenID Connect authentication for you, so your Web APIs should be using the Bearer strategy.


I have written a sample that walks you through all of this here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-webapi-nodejs/ that uses the MEAN stack, and which uses an iOS sample application I wrote as a front end. Playing with both of these, it's easy to see how one acts as the authentication piece (iOS app) and the other sits there and protects the API, acting as the authorization piece (the node.js app).


Code for node.js app: https://github.com/Azure-Samples/active-directory-node-webapi

Code for iOS app: https://github.com/Azure-Samples/active-directory-ios


A deeper dive into these topics is here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/


Let me know if you have any other questions!

