
I am using ADAL (a third-party OAuth 2.0 implementation). I am trying to use Charles as a proxy to collect a trace of the communication. Here is what I imagine is happening (this is not based on anything in particular):

  1. ADAL requests the certificate from the authority via Charles.
  2. Charles requests the certificate from the authority and passes it on to ADAL.
  3. ADAL wants to open an SSL channel to the authority, but actually opens it to Charles.
  4. Charles opens an SSL channel to the authority and forwards any request/response to ADAL.

However, ADAL rejects the authority's certificate. Now, as far as I know, the certificate is passed unencrypted. So if I am correct in describing all the steps above, how does ADAL know that the entity it is talking to is not actually the authority it is supposed to be talking to?

1 Answer

ADAL doesn't really look at the authority's certificate - it checks that the channel used to connect to it is trusted. The presence of a proxy can disrupt the SSL channel trust. If I want to connect via SSL to www.domain.com, I expect the certificate used to establish the channel to be in my trusted authorities, to have a subject that contains www.domain.com, to be still within its validity period, and so on. I am not familiar with Charles, but I guess it might look like a DNS redirect attack from ADAL's viewpoint. You can turn off authority validation in the constructor of AuthenticationContext if you need to do a quick test, but I would strongly recommend against doing that in production code.

HTH V.

Answered 2014-10-13T05:46:30.237
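To make the answer's point concrete, here is an added example (not part of the original post and not ADAL's code) that applies the three channel checks it lists (trusted issuer, name match, validity period) to a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The trust store, both certificates and the clock time are constructed sample values; it shows why a proxy-minted certificate with the correct subject still fails, because its issuer is not in the trust store.

```python
import ssl

# Constructed trust store: issuer common names this client accepts.
TRUSTED_ISSUERS = {"Example Public Root CA"}

# Constructed evaluation time (seconds since epoch, UTC), inside the validity window.
NOW = ssl.cert_time_to_seconds("Oct 13 05:46:30 2014 GMT")

# Constructed sample: the real authority's certificate as getpeercert() would present it.
AUTHORITY_CERT = {
    "subject": ((("commonName", "www.domain.com"),),),
    "issuer": ((("commonName", "Example Public Root CA"),),),
    "subjectAltName": (("DNS", "www.domain.com"),),
    "notBefore": "Oct 13 00:00:00 2014 GMT",
    "notAfter": "Oct 13 00:00:00 2015 GMT",
}
# Constructed sample: same name, but issued by the intercepting proxy's own CA.
PROXY_CERT = dict(AUTHORITY_CERT, issuer=((("commonName", "Charles Proxy CA"),),))


def _flatten(rdn_seq):
    """Turn getpeercert()'s nested ((('commonName', 'x'),),) form into a dict."""
    return {k: v for rdn in rdn_seq for (k, v) in rdn}


def _name_matches(pattern, hostname):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.split(".")[1:] == pattern.split(".")[1:]
    return pattern == hostname


def check_channel(cert, hostname, now=NOW):
    """Return the reasons the TLS channel would be rejected; empty list means trusted."""
    problems = []
    issuer = _flatten(cert.get("issuer", ())).get("commonName")
    if issuer not in TRUSTED_ISSUERS:
        problems.append("issuer not trusted: %s" % issuer)
    names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:  # fall back to the subject CN only when no SAN is present
        cn = _flatten(cert.get("subject", ())).get("commonName")
        names = [cn] if cn else []
    if not any(_name_matches(n, hostname) for n in names):
        problems.append("name mismatch: %s" % hostname)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        problems.append("outside validity period")
    return problems
```

`check_channel(PROXY_CERT, "www.domain.com")` reports only the untrusted issuer, which is the failure an intercepting proxy produces even though the subject is correct.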