验证针对的Azure移动服务应用与ADAL.js获得令牌 [英] Authenticate against an Azure Mobile Service App with ADAL.js acquired token

查看:307
本文介绍了验证针对的Azure移动服务应用与ADAL.js获得令牌的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我试图验证对一个的Azure移动服务应用一个HTML应用程序。

I'm trying to authenticate a HTML app against an Azure Mobile Service app.

这两个应用程序使用AAD的认证后端,所以这两个应用必须在Active Directory中注册的应用程序:

Both apps use AAD as authentication backend, so both apps have an application registered in the Active Directory:

的Azure移动服务应用:

Azure Mobile Service app:


  • 配置为<一个描述href=\"https://azure.microsoft.com/en-gb/documentation/articles/mobile-services-how-to-register-active-directory-authentication/\">https://azure.microsoft.com/en-gb/documentation/articles/mobile-services-how-to-register-active-directory-authentication/

  • 我编辑的清单,以使客户端流量

  • 启用单点登录和读取用户配置文件,权限到其他应用程序的Windows Azure的活动目录

HTML应用程序:


  • 在权限到其他应用程序。我补充在Azure移动服务应用程序与授权许可准入

Azure的移动服务使用.NET的后端,在那里我包括在内,在<一个描述配置的NuGet包微软的Azure移动服务.NET后端安全扩展 href=\"https://azure.microsoft.com/en-gb/documentation/articles/mobile-services-dotnet-backend-windows-phone-get-started-users/\">https://azure.microsoft.com/en-gb/documentation/articles/mobile-services-dotnet-backend-windows-phone-get-started-users/

The Azure Mobile Service uses a .NET backend, where i included and configured the NuGet Package "Microsoft Azure Mobile Services .NET Backend Security Extension" as described in https://azure.microsoft.com/en-gb/documentation/articles/mobile-services-dotnet-backend-windows-phone-get-started-users/

中的HTML应用程序使用ADAL.JS和角度:

The HTML app uses ADAL.JS and Angular:

adalAuthenticationServiceProvider.init(
{
    // Config to specify endpoints and similar for your app
    clientId: "<html app aad client id>",
    redirectUri: "<html app redirect uri>",
    endpoints: {
        '<AMS app client id>': 'https://ampapp.azure-mobile.net/'
    }
},
$httpProvider
);

此设置正常工作,我打开我的HTML应用程序,验证对Azure的AD,得到重定向到我的应用程序,我登录。此外,当我尝试访问我的Azure移动服务我看到Adal.js注射承载令牌。

This setup works as expected, i open my html app, authenticate against Azure AD, get a redirect to my App and I'm logged in. Also, when i try to access my Azure Mobile Service i see that Adal.js injects the bearer token.

承载令牌不被Azure的移动服务接受 - 我得到未授权401。我不知道为什么,但在Azure移动服务使用它自己的认证头 - 但确定。

The bearer token is not accepted by the Azure Mobile Service - i get a 401 not authorized. I don't know why, but the Azure Mobile Service uses it's own authentication header - but ok.

MSDN定义了一个所谓的客户导向的登录操作为在Azure移动服务:

MSDN defines a so called "Client-directed login operation" for the Azure Mobile Service:

通过使用从标识提供者已经获得身份令牌请求来自微软的Azure移动服务的身份验证令牌。 (<一href=\"https://msdn.microsoft.com/en-us/library/azure/jj710106.aspx\">https://msdn.microsoft.com/en-us/library/azure/jj710106.aspx)

"Requests an authentication token from Microsoft Azure Mobile Services by using an identity token already obtained from an identity provider." (https://msdn.microsoft.com/en-us/library/azure/jj710106.aspx)

好了,所以让我们做到这一点:

Ok, so lets do this:

 // obtain token for Azure Mobile Service from Adal.js
 var token = this.getAADToken(ZUMOAuthenticationProvider.Config().url);

 $http({
        method: 'POST',
        url: ZUMOAuthenticationProvider.Config().url + 'login/aad', 
        data: JSON.stringify({
                  "access_token" : token 
              }),
        headers: {
                 'X-ZUMO-APPLICATION': '<application key>'
       }).
       success(function (data, status, headers, config) {
            alert(data);
       }).
       error(function (data, status, headers, config) {
            alert(data);
       });

请注意:由第一线获取的令牌是真正为蔚蓝色的移动服务AAD应用程序的访问令牌,而不是为HTML应用程序。

Note: The token acquired by the first line is really a the access token for the azure mobile service aad application and not for the HTML app.

这POST请求也得到一个401响应。因此,我不知道如何来验证我的应用程序。我也试过在蔚蓝色的移动服务的js库。这LIB作品,但它使用的身份验证的弹出,但我不喜欢另一个库添加到我的项目只有几个REST调用。

This POST request also gets a 401 response. So i don't know how to authenticate my app. I also tried the azure mobile service js lib. This lib works, but it uses a popup for authentication, but i don't like to add another library to my projects for just a few REST calls.

在试图解决我的问题,我发现了其他岗位#1:

When trying to solve my problems i found other Stackoverflow post:

<一个href=\"http://stackoverflow.com/questions/30513990/why-isnt-my-azure-mobile-service-accepting-the-bearer-token-adal-js-is-sending/30575090#30575090\">Why是不是我的Azure移动服务接受承载令牌ADAL.js发送呢?


  • 同样的问题,没有解决方案(即使在最后一个注释链接的chatlog)

<一个href=\"http://stackoverflow.com/questions/30381395/how-do-i-secure-an-azure-mobile-service-with-azure-ad-adal-js\">How我做一个安全的Azure移动服务的Azure与AD? ADAL.JS


  • 同一作者如上,我检查了接受的答案提到的一切,但它不能正常工作

我也看了一下从新Azure管理门户网站新的Azure移动应用,但似乎他们都使用相同的认证机制。

I also took a look at the new Azure Mobile apps from the new Azure Management portal but it seems that they are using the same authentication mechanism.

所以,我怎么能得到这个工作?

So, how can i get this working?

推荐答案

好吧,我发现我的错误:

Ok, i found my bug:

endpoints: {
    '<AMS app client id>': 'https://ampapp.azure-mobile.net/'
}

这应该是

endpoints: {
    'https://ampapp.azure-mobile.net/': '<AMS app id uri>': 
}

在此之后它的作品!我goind发布一个角向模件GitHub上,一个注入令牌在X验证用户头像adal.js每个请求呢。

After this it works! I'm goind to publish a Angular modul to github which injects the token in the X-Auth-User header to every request like adal.js does.

编辑:

由于在这里许下了更详细的回答是:

As promised here a more detailed answer:

正如我在问题中提到你必须设置在Azure中的Active Directory 2应用程序:

As mentioned in my question you have to setup 2 applications in Azure Active Directory:


  • 对于在Azure移动服务的AAD应用

    • 只要按照此<一个指令href=\"https://azure.microsoft.com/en-gb/documentation/articles/mobile-services-how-to-register-active-directory-authentication/\"相对=nofollow>文章

    • an AAD app for the Azure Mobile Service
      • just follow the instructions from this article

      • 将oauth2AllowImplicitFlow为true


      配置角度应用使用的Azure移动服务作为终点

      Configure the Angular app to use the Azure Mobile Service as an endpoint

      adalAuthenticationServiceProvider.init(
{
    clientId:"54110492-4ae3-4c9f-9530-3101458d43fb",
    redirectUri: "https://localhost:44304/",
    endpoints: {
        'https://zumodemoapp.azure-mobile.net/': 'https://zumodemoapp.azure-mobile.net/login/aad'
    }
},
$httpProvider
);

      现在,你可以使用客户导向的登录操作得到的Azure移动服务的身份验证令牌。

      Now you can use the Client-directed login operation to get a Azure Mobile Service authentication token.

      var zumoAppID = 'https://zumodemoapp.azure-mobile.net/login/aad';
var zumoLoginUri = 'https://zumodemoapp.azure-mobile.net/login/aad';
var zumoTodoController = 'https://zumodemoapp.azure-mobile.net/tables/TodoItem';

// 1. acquire a oath token for our zumo app from azure ad via adal.js
adalAuthenticationService.acquireToken(zumoAppID).then(function (data) {
     //2. we have the azure ad token, lets get a azure mobile service token
     $http.post(zumoLoginUri,
                JSON.stringify({
                    "access_token": data
                })).
                success(function (data, status, headers, config) {
                    //3. with the azure mobile service token we can authenticate our request
                    $http.get(zumoTodoController,
                                          {
                                              headers:  {
                                                      'X-ZUMO-AUTH': data.authenticationToken
                                              }
                                          }).
                                          success(function (data, status, headers, config) {
                                              alert(data); //yay!
                                          });
                }).
                error(function (data, status, headers, config) {
                    alert(data);
                });
});

      作为我创建了一个更详细的博客帖子的此处。如果您需要了解更多信息,请发表评论。)

      As mentioned in the comment I created a more detailed blog post here. If you need more information please leave a comment :).

      这篇关于验证针对的Azure移动服务应用与ADAL.js获得令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
C#/.NET最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆