验证针对的Azure移动服务应用与ADAL.js获得令牌 [英] Authenticate against an Azure Mobile Service App with ADAL.js acquired token
问题描述
我试图验证对一个的Azure移动服务应用一个HTML应用程序。
I'm trying to authenticate a HTML app against an Azure Mobile Service app.
这两个应用程序使用AAD的认证后端,所以这两个应用必须在Active Directory中注册的应用程序:
Both apps use AAD as authentication backend, so both apps have an application registered in the Active Directory:
的Azure移动服务应用:
Azure Mobile Service app:
- 配置为<一个描述href=\"https://azure.microsoft.com/en-gb/documentation/articles/mobile-services-how-to-register-active-directory-authentication/\">https://azure.microsoft.com/en-gb/documentation/articles/mobile-services-how-to-register-active-directory-authentication/
- 我编辑的清单,以使客户端流量
- 启用单点登录和读取用户配置文件,权限到其他应用程序的Windows Azure的活动目录 在
HTML应用程序:
- 在权限到其他应用程序。我补充在Azure移动服务应用程序与授权许可准入
Azure的移动服务使用.NET的后端,在那里我包括在内,在<一个描述配置的NuGet包微软的Azure移动服务.NET后端安全扩展 href=\"https://azure.microsoft.com/en-gb/documentation/articles/mobile-services-dotnet-backend-windows-phone-get-started-users/\">https://azure.microsoft.com/en-gb/documentation/articles/mobile-services-dotnet-backend-windows-phone-get-started-users/
The Azure Mobile Service uses a .NET backend, where i included and configured the NuGet Package "Microsoft Azure Mobile Services .NET Backend Security Extension" as described in https://azure.microsoft.com/en-gb/documentation/articles/mobile-services-dotnet-backend-windows-phone-get-started-users/
中的HTML应用程序使用ADAL.JS和角度:
The HTML app uses ADAL.JS and Angular:
adalAuthenticationServiceProvider.init(
{
// Config to specify endpoints and similar for your app
clientId: "<html app aad client id>",
redirectUri: "<html app redirect uri>",
endpoints: {
'<AMS app client id>': 'https://ampapp.azure-mobile.net/'
}
},
$httpProvider
);
此设置正常工作,我打开我的HTML应用程序,验证对Azure的AD,得到重定向到我的应用程序,我登录。此外,当我尝试访问我的Azure移动服务我看到Adal.js注射承载令牌。
This setup works as expected, i open my html app, authenticate against Azure AD, get a redirect to my App and I'm logged in. Also, when i try to access my Azure Mobile Service i see that Adal.js injects the bearer token.
承载令牌不被Azure的移动服务接受 - 我得到未授权401。我不知道为什么,但在Azure移动服务使用它自己的认证头 - 但确定。
The bearer token is not accepted by the Azure Mobile Service - i get a 401 not authorized. I don't know why, but the Azure Mobile Service uses it's own authentication header - but ok.
MSDN定义了一个所谓的客户导向的登录操作为在Azure移动服务:
MSDN defines a so called "Client-directed login operation" for the Azure Mobile Service:
通过使用从标识提供者已经获得身份令牌请求来自微软的Azure移动服务的身份验证令牌。 (<一href=\"https://msdn.microsoft.com/en-us/library/azure/jj710106.aspx\">https://msdn.microsoft.com/en-us/library/azure/jj710106.aspx)
"Requests an authentication token from Microsoft Azure Mobile Services by using an identity token already obtained from an identity provider." (https://msdn.microsoft.com/en-us/library/azure/jj710106.aspx)
好了,所以让我们做到这一点:
Ok, so lets do this:
// obtain token for Azure Mobile Service from Adal.js
var token = this.getAADToken(ZUMOAuthenticationProvider.Config().url);
$http({
method: 'POST',
url: ZUMOAuthenticationProvider.Config().url + 'login/aad',
data: JSON.stringify({
"access_token" : token
}),
headers: {
'X-ZUMO-APPLICATION': '<application key>'
}).
success(function (data, status, headers, config) {
alert(data);
}).
error(function (data, status, headers, config) {
alert(data);
});
请注意:由第一线获取的令牌是真正为蔚蓝色的移动服务AAD应用程序的访问令牌,而不是为HTML应用程序。
Note: The token acquired by the first line is really a the access token for the azure mobile service aad application and not for the HTML app.
这POST请求也得到一个401响应。因此,我不知道如何来验证我的应用程序。我也试过在蔚蓝色的移动服务的js库。这LIB作品,但它使用的身份验证的弹出,但我不喜欢另一个库添加到我的项目只有几个REST调用。
This POST request also gets a 401 response. So i don't know how to authenticate my app. I also tried the azure mobile service js lib. This lib works, but it uses a popup for authentication, but i don't like to add another library to my projects for just a few REST calls.
在试图解决我的问题,我发现了其他岗位#1:
When trying to solve my problems i found other Stackoverflow post:
<一个href=\"http://stackoverflow.com/questions/30513990/why-isnt-my-azure-mobile-service-accepting-the-bearer-token-adal-js-is-sending/30575090#30575090\">Why是不是我的Azure移动服务接受承载令牌ADAL.js发送呢?
- 同样的问题,没有解决方案(即使在最后一个注释链接的chatlog)
<一个href=\"http://stackoverflow.com/questions/30381395/how-do-i-secure-an-azure-mobile-service-with-azure-ad-adal-js\">How我做一个安全的Azure移动服务的Azure与AD? ADAL.JS
- 同一作者如上,我检查了接受的答案提到的一切,但它不能正常工作
我也看了一下从新Azure管理门户网站新的Azure移动应用,但似乎他们都使用相同的认证机制。
I also took a look at the new Azure Mobile apps from the new Azure Management portal but it seems that they are using the same authentication mechanism.
所以,我怎么能得到这个工作?
So, how can i get this working?
推荐答案
好吧,我发现我的错误:
Ok, i found my bug:
endpoints: {
'<AMS app client id>': 'https://ampapp.azure-mobile.net/'
}
这应该是
endpoints: {
'https://ampapp.azure-mobile.net/': '<AMS app id uri>':
}
在此之后它的作品!我goind发布一个角向模件GitHub上,一个注入令牌在X验证用户头像adal.js每个请求呢。
After this it works! I'm goind to publish a Angular modul to github which injects the token in the X-Auth-User header to every request like adal.js does.
编辑:
由于在这里许下了更详细的回答是:
As promised here a more detailed answer:
正如我在问题中提到你必须设置在Azure中的Active Directory 2应用程序:
As mentioned in my question you have to setup 2 applications in Azure Active Directory:
- 对于在Azure移动服务的AAD应用
- 只要按照此<一个指令href=\"https://azure.microsoft.com/en-gb/documentation/articles/mobile-services-how-to-register-active-directory-authentication/\"相对=nofollow>文章
- an AAD app for the Azure Mobile Service
- just follow the instructions from this article
- 将oauth2AllowImplicitFlow为true
- 李在权限到其他应用程序中添加的Azure移动服务应用AAD >
配置角度应用使用的Azure移动服务作为终点
Configure the Angular app to use the Azure Mobile Service as an endpoint
adalAuthenticationServiceProvider.init( { clientId:"54110492-4ae3-4c9f-9530-3101458d43fb", redirectUri: "https://localhost:44304/", endpoints: { 'https://zumodemoapp.azure-mobile.net/': 'https://zumodemoapp.azure-mobile.net/login/aad' } }, $httpProvider );
现在,你可以使用客户导向的登录操作得到的Azure移动服务的身份验证令牌。
Now you can use the Client-directed login operation to get a Azure Mobile Service authentication token.
var zumoAppID = 'https://zumodemoapp.azure-mobile.net/login/aad'; var zumoLoginUri = 'https://zumodemoapp.azure-mobile.net/login/aad'; var zumoTodoController = 'https://zumodemoapp.azure-mobile.net/tables/TodoItem'; // 1. acquire a oath token for our zumo app from azure ad via adal.js adalAuthenticationService.acquireToken(zumoAppID).then(function (data) { //2. we have the azure ad token, lets get a azure mobile service token $http.post(zumoLoginUri, JSON.stringify({ "access_token": data })). success(function (data, status, headers, config) { //3. with the azure mobile service token we can authenticate our request $http.get(zumoTodoController, { headers: { 'X-ZUMO-AUTH': data.authenticationToken } }). success(function (data, status, headers, config) { alert(data); //yay! }); }). error(function (data, status, headers, config) { alert(data); }); });
作为我创建了一个更详细的博客帖子的此处。如果您需要了解更多信息,请发表评论。)
As mentioned in the comment I created a more detailed blog post here. If you need more information please leave a comment :).
这篇关于验证针对的Azure移动服务应用与ADAL.js获得令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!