How to gain access tokens using Azure Easy Auth?

Question

I have a Single Page Application (SPA) built using React and a Web API, both of which are hosted on Azure's App Service. Authentication is provided by Azure AD.

I have been using the Active Directory Authentication Library (ADAL) for JavaScript. While all the examples seem to be about Angular, I have managed to get the pure JavaScript version of the library working with the React application. I have used the OAuth2 implicit grant flow to ultimately provide authenticated access to the Web API via the SPA.

Everything works fine with ADAL, but this approach requires you to have a login and logout mechanism (e.g. via a button). The authorization code is added to the URL as a fragment and ADAL conveniently does the rest. However, I would like the entire application to be secure/authenticated and so I have set up "Easy Auth" - authentication via the App Service.

When working with "Easy Auth" you sign on to the application, but there is no fragment returned in the URL and so ADAL cannot be used to acquire an access token for the API.

What is the best way to gain access tokens like those needed for implicit grant when using "Easy Auth"? Is there a way to incorporate ADAL into an "Easy Auth" flow?

Thanks.

Recommended answer

If you deploy the single page application and web API into the same Azure app service and protect the app service using Easy Auth, it is not necessary to use ADAL in the single page application to call the web API now.

In this scenario, you are able to log in to the app service via the server-flow and then you can call the web API directly, since Easy Auth will authenticate the request via the cookies. And if the web API also serves other clients that you want to call it using a token, you need to get the id_token/access_token using the Azure AD app with which you protect the app service, and exchange the id_token/access_token issued by Azure AD for the authentication token. This process is called client-flow.

For more detail about these two flows, you can refer to the link here.
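
The two flows the answer describes, sketched as an added JavaScript example that is not part of the original answer. The `/.auth/login/aad` endpoint and the `X-ZUMO-AUTH` header are App Service Authentication's documented client-flow interface; the function names, the base URL passed in, and the `fakeEasyAuth` stub are assumptions made for illustration.

```javascript
// Added example. fetchImpl is injectable so the flows can run offline.

// Server flow: the browser already holds the Easy Auth session cookie,
// so a same-origin API call needs no ADAL and no Authorization header.
async function callApiWithCookie(path, fetchImpl = fetch) {
  const res = await fetchImpl(path, { credentials: "same-origin" });
  if (res.status === 401) throw new Error("no Easy Auth session");
  return res.json();
}

// Client flow, step 1: exchange an Azure AD token for the App Service
// authentication token at the provider login endpoint.
async function exchangeAadToken(baseUrl, aadAccessToken, fetchImpl = fetch) {
  const res = await fetchImpl(`${baseUrl}/.auth/login/aad`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ access_token: aadAccessToken }),
  });
  if (!res.ok) throw new Error(`token exchange rejected: ${res.status}`);
  const { authenticationToken } = await res.json();
  if (!authenticationToken) throw new Error("response had no authenticationToken");
  return authenticationToken;
}

// Client flow, step 2: send the authentication token in X-ZUMO-AUTH.
async function callApiWithToken(url, authToken, fetchImpl = fetch) {
  const res = await fetchImpl(url, { headers: { "X-ZUMO-AUTH": authToken } });
  if (res.status === 401) throw new Error("authentication token rejected");
  return res.json();
}

// Constructed stand-in for an Easy Auth protected app (not a real service).
// It treats credentials: "same-origin" as "session cookie attached".
function fakeEasyAuth(validAadToken) {
  const reply = (status, body) => ({ status, ok: status < 400, json: async () => body });
  return async (url, opts = {}) => {
    if (url.endsWith("/.auth/login/aad")) {
      const sent = JSON.parse(opts.body);
      return sent.access_token === validAadToken
        ? reply(200, { authenticationToken: "constructed-session-token" })
        : reply(401, {});
    }
    const token = (opts.headers || {})["X-ZUMO-AUTH"];
    const ok = opts.credentials === "same-origin" || token === "constructed-session-token";
    return ok ? reply(200, { items: ["constructed"] }) : reply(401, {});
  };
}
```

In the SPA from the question only `callApiWithCookie` is needed; the exchange functions apply to the other clients the answer mentions, which hold an Azure AD token but no session cookie.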
