带有 MIcrosoft Graph (accessToken) 的 firebase 身份验证 [英] firebase auth with MIcrosoft Graph (accessToken)

问题描述

我非常希望有人可以帮助我 - 我有点卡住了.

I am super hopeful someone can help me - I'm kind of stuck.

我很高兴将 firebase auth 与 Microsoft AD 结合使用.我的 AuthProvider 是 firebase.auth.OAuthProvider('microsoft.com').

I'm happily using firebase auth with Microsoft AD. My AuthProvider is firebase.auth.OAuthProvider('microsoft.com').

当我使用该提供商调用 firebase.auth().signInWithPopup() 时，一切正常.我可以从生成的 UserCredential 中挑选出 accessToken 并访问 Microsoft Graph api 没问题(耶！).

When I call firebase.auth().signInWithPopup() with that provider, everything works GREAT. I can pick out the accessToken from the resulting UserCredential and access Microsoft Graph api's no problem (yay!).

Firebase 持续并更新身份验证，当用户稍后返回我的 SPA 时，我的应用程序通过 onAuthStateChanged 获得预期的回调(也可以！).

Firebase persists and renews the authentication and my app gets the expected callback via onAuthStateChanged with the new firebase.User when the user returns to my SPA later (also yay!).

坏消息(我遇到困难的地方)是:我如何在这个流程中获取 Microsoft Graph accessToken(例如，当用户稍后返回我的应用程序)?我不希望他们必须使用另一个弹出窗口重新进行身份验证(yech).

The bad news (where I'm stuck) is: how do I get the Microsoft Graph accessToken in this flow (e.g. when the user returns to my app later)? I don't want them to have to re-authenticate with another popup (yech).

基本上，当用户返回时，我如何从有效的 firebase.User 转到 MS Graph accessToken?

Basically, how do I go from a valid firebase.User to a MS Graph accessToken when the user returns?

非常感谢您的帮助！

推荐答案

更新/回答:结果比我想象的要简单:

UPDATE/answer: so it turns out to be simpler than I thought:

基本思想是使用 firebase 进行身份验证(重新身份验证)，并使用 相同的 clientID 进行静默 Microsoft 身份验证.但是，您必须提供 loginHintmicrosoft auth 的参数，即使您之前已获得授权.loginHint 可以是 firebase 用户的电子邮件地址...

The basic idea is to authenticate (re-authenticate) using firebase and use the same clientID for silent microsoft authentication. However, you must supply a loginHint parameter to the microsoft auth, even if you were previously authorized. loginHint can be the email address for the firebase user...

在这种情况下，身份验证是共享的，您无需为microsoft half"弹出第二次登录.该过程的 - firebase 身份验证工作正常.

In that scenario, the authentication is shared and you won't need to popup a second sign-in for the "microsoft half" of the process - the firebase auth works fine.

我最终使用了微软的 MSAL 库 (https://github.com/AzureAD/microsoft-authentication-library-for-js)...类似这样的:

I ended up using microsoft's MSAL library (https://github.com/AzureAD/microsoft-authentication-library-for-js)... something like this:

const graphDebug = false;
const msalLogger = new Logger(msalLogCallback, { level: LogLevel.Error });

export async function graphClient(loginHint: string) {
  const msal = new UserAgentApplication({
    // gotcha: MUST set the redirectUri, otherwise get weird errors when msal
    // tries to refresh an expired token.
    auth: { clientId: CLIENT_ID, redirectUri: window.location.origin },
    system: { logger: msalLogger },
    // TODO: should we set cache location to session/cookie?
  });

  /**
   * Create an authprovider for use in subsequent graph calls. Note that we use
   * the `aquireTokenSilent` mechanism which works because firebase has already
   * authenticated this user once, so we can share the single sign-on.
   *
   * In order for that to work, we must pass a `loginHint` with the user's
   * email. Failure to do that is fatal.
   */
  const authProvider: AuthProvider = callback => {
    msal
      .acquireTokenSilent({ scopes: SCOPES, loginHint })
      .then(result => {
        callback(null, result.accessToken);
      })
      .catch(err => callback(err, null));
  };

  const client = Client.init({
    authProvider,
    debugLogging: graphDebug,
  });

  return client;
}

这篇关于带有 MIcrosoft Graph (accessToken) 的 firebase 身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！