为什么我的Azure移动服务接受承载令牌ADAL.js发送呢? [英] Why isn't my Azure Mobile Service accepting the bearer token ADAL.js is sending it?
问题描述
我使用隐式流ADAL.js认证的AngularJS应用能够访问的Azure移动服务API。
I am using ADAL.js with implicit flow to authenticate an AngularJS app to be able to access an Azure Mobile Services API.
我已经建立了Azure的AD身份信息如下...
I have set up Azure AD identity information in the Identity tab of the AMS (azure mobile service) as follows...
该应用程序的URL设置为:https://开头<> .azure-mobile.net /登录/ AAD
The app url is set to: https://<>.azure-mobile.net/login/aad
客户端ID是从公元Azure的设置应用程序的客户端id。
The client id is the client id from the application set up in the Azure AD.
允许的租户为:&LT;> onmicrosoft.com
The allowed tenant is: <>.onmicrosoft.com
头被包括在GET请求:授权:承载eyJ0eXAiOiJKV1Qi ...
The header is included in the GET request: Authorization: Bearer eyJ0eXAiOiJKV1Qi...
但我从AMS 401响应。
But I get a 401 response from AMS.
我在做什么错误或丢失?
What am I doing wrong or missing?
更新:
它看起来像我将不得不调用到传递ACCESS_TOKEN获得AMS令牌的Azure AD的AMS终点。而我得到这个答复:
UPDATE: It looks like I would have to call into the AMS end point passing the Azure AD access_token to get a AMS token. And I get this response:
{code:401,错误:错误:认证与'windowsazureactivedirectory不支持}
{"code":401,"error":"Error: Authentication with 'windowsazureactivedirectory' is not supported."}
所以,我想我会的服务直接登录去为指定的 https://msdn.microsoft.com/en-us/library/azure/dn283952.aspx
So, I guess I will have to go with the service directed login as specified https://msdn.microsoft.com/en-us/library/azure/dn283952.aspx
也许有一天这会为JavaScript的后端支持。但是,我做AMS越多,它看起来像我应该去与.NET后端。
Perhaps some day this will be supported for the javascript back end. But, the more I do with AMS the more it looks like I should have gone with a .net backend.
更新05/29
我改变了我的AMS为.NET后端,所以我可以使用客户定向流量。我使用下面的code:
I changed my AMS to a .Net backend so I could use client directed flow. I am using the following code:
client.login('aad', { "access_token": sessionStorage['adal.idtoken'] })
.done(function (results) {
alert("You are now logged in as: " + results.userId);
sessionStorage.X_ZUMO_AUTH = results.mobileServiceAuthenticationToken;
}, function (err) {
alert("Error: " + err);
});
不过,我得到一个401响应。
However, I am getting a 401 response.
更新:根据我在Azure的AD为客户创建了第二个应用程序的另一个SO问题。我已经将它设置为允许访问API的应用程序。我也更新了我的code以下内容:
UPDATE: Based on another SO issue I have created a second app in the Azure AD for the client. I have set it to allow access to the API app. I also updated my code to the following:
adalService.acquireToken('<<AMS App Client ID>>')
.then(function(token) {
$http({
method: 'POST',
url: constants.apiBaseUrl + '/login/aad',
data: { "access_token" : token },
headers: {
'X-ZUMO-APPLICATION': constants.appKey
}
}).
success(function (data, status, headers, config) {
alert(data);
}).
error(function (data, status, headers, config) {
alert(data);
});
});
}
不过,我仍然得到401我还与移动SDK试了一下,仍是401。
But, I still get a 401. I also tried it with the mobile sdk, still a 401.
推荐答案
由于其他的会员谁张贴在如何做到这一点确切的事情在博客...
Due to another SO member who posted a blog on how to do this exact thing...
的http://blogs.if-blueprint.de/svenor/2015/06/19/authenticate-azure-mobile-service-app-adal-js/
...这指出了让我来解决它的链接。
...which pointed to a link that allowed me to solve it.
我的问题是,在客户端应用程序AAD的应用程序ID的网址是不是在对Azure的Active Directory中的验证域。我用的是 https://mysite.azurewebsites.net 。
My problem was that the app id url on the client AAD application was not in a verified domain on the Azure Active Directory. I was using https://mysite.azurewebsites.net.
当我改成了一个网址,这是在域中 https://mydomainname.onmicrosoft.com/myappname 那么它只是像变魔术一样。
When I changed it to a url that was in the domain https://mydomainname.onmicrosoft.com/myappname then it just worked like magic.
这篇关于为什么我的Azure移动服务接受承载令牌ADAL.js发送呢?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!