0

我正在构建一个带有快速后端的节点应用程序。其中一项要求是使用 Azure AD 进行身份验证。我已经安装了passport-azure-ad模块并将其设置如下:

import * as passportAD from "passport-azure-ad";
// ... <snip> ....
const tenantName = "<MY_TENANT_NAME>"";
const clientID = "<MY_CLIENT_ID>";

app.use(passport.initialize());
app.use(passport.session());
const bearerStrategy = new passportAD.BearerStrategy(
  {
    identityMetadata: `https://login.microsoftonline.com/${tenantName}.onmicrosoft.com/.well-known/openid-configuration`,
    clientID
  },
  (token: any, done: any) => {
    console.log(token);
    return done(null, {}, token);
  }
);
passport.use(bearerStrategy);

然后我为这样的路线添加了授权:

const myHandler = () => (req, res) => return res.json({});
app.get('/my/route',
        passport.authenticate("oauth-bearer", { session: false }),
        myHandler()
);

这将按预期返回 401 状态,但是,我无法找到有关如何从 Azure AD 向客户端颁发令牌的文档。我想在正文中使用用户名和密码接受登录端点的 POST 并返回 Azure AD 令牌。这可能吗?

4

3 回答 3

6

您还可以执行以下操作。我最近用我的 react 应用程序和 nodejs 后端实现了一个

您可以在https://github.com/AzureADQuickStarts/AppModelv2-WebAPI-nodejs/blob/master/node-server/config.js找到BearerStrategyOptions的键值

允许仅供参考我使用了以下公共端点' https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration作为identityMetadata

const BearerStrategyOptions = {
  identityMetadata,
  clientID,
  validateIssuer,
  issuer,
  passReqToCallback,
  allowMultiAudiencesInToken,
  audience
};

您可以在https://github.com/AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-nodejs/blob/master/config.js找到OIDCStrategyOptions的键值

const OIDCStrategyOptions = {
  identityMetadata,
  clientID,
  responseType,
  responseMode,
  redirectUrl,
  allowHttpForRedirectUrl,
  clientSecret,
  validateIssuer,
  isB2C,
  issuer,
  passReqToCallback,
  scope,
  nonceLifetime,
  nonceMaxAmount,
  useCookieInsteadOfSession,
  cookieEncryptionKeys,
  clockSkew
};

对于身份验证:

 passport.use(
    new OIDCStrategy(OIDCStrategyOptions, function(
      iss,
      sub,
      profile,
      accessToken,
      refreshToken,
      done
    ) {
      if (!profile.oid) {
        return done(new Error("No oid found"), null);
      }
      // asynchronous verification, for effect...
      process.nextTick(function() {
        findByOid(profile.oid, function(err, user) {
          if (err) {
            return done(err);
          }
          if (!user) {
            // "Auto-registration"
            users.push(profile);
            // console.log("---------profile----------", profile)
            return done(null, profile);
          }
          // console.log("-----------user---------", user)
          return done(null, user);
        });
      });
    })
  );

授权:

passport.use(
    new BearerStrategy(BearerStrategyOptions, function(token, done) {
      console.log("verifying the user");
      console.log(token, "was the token retreived");
      findByOid(token.oid, function(err, user) {
        if (err) {
          return done(err);
        }
        if (!user) {
          // "Auto-registration"
          console.log(
            "User was added automatically as they were new. Their oid is: ",
            token.oid
          );
          users.push(token);
          owner = token.oid;
          return done(null, token);
        }
        owner = token.oid;
        return done(null, user, token);
      });
    })
  );

并在您的 api 中使用以下代码来授权路由

 passport.authenticate('oauth-bearer', {session: false})

完毕!希望这对希望使用的人有所帮助:)passport-azure-ad

于 2019-11-08T07:06:45.400 回答
0

Azure AD 令牌的唯一颁发者是 Azure AD。您不应该您的客户中收集用户名/密码,也不应该在您的服务中接受它们。

您的客户端应用程序只需要使用 MSAL(或 ADAL,或任何 OpenID Connect 客户端库)将用户发送到 Azure AD,让他们登录,并作为响应获取您的 API 的访问令牌。

例如,如果您的客户端是 JavaScript 单页应用程序,则使用MSAL for JavaScript您可以执行以下操作:

var userAgentApplication = new Msal.UserAgentApplication(
    '0813e1d1-ad72-46a9-8665-399bba48c201', // AppId of you client app
    null, function (errorDes, token, error, tokenType, instance) {
        // This callback only used loginRedirect OR acquireTokenRedirect.
    }
);

var scopes = ["https://api.example.com/permission.scope"];
userAgentApplication.loginPopup(scopes).then(function (token) {

    // Get the signed-in user
    var user = userAgentApplication.getUser();

    // Get an access token for the signed-in user
    userAgentApplication.acquireTokenSilent(scopes).then(function (token) {

        // Use the access token to call your API
        $.ajax({
            url: 'https://api.example.com/foo',
            type: 'GET',
            dataType: 'json',
            headers: { 'Authorization': 'Bearer ' + token },
            contentType: 'application/json; charset=utf-8',
            success: function (result) {
                // TODO: Do something cool with the API response.
            },
            error: function (error) {
                // TODO: Do something smart if there's an error
            }
        });
    }, function (error) {
        // TODO: Silent token acquisition failed, retry with acquireTokenPopup()
    });
}, function (error) {
    // TODO: Deal with error.
});

(当然,您可以为各种其他平台执行此操作。)

于 2018-10-12T11:04:08.070 回答
-2

模块,关于天蓝色广告如何passport-azure-ad发布令牌,您可以参考doc1doc2

我想接受一个 POST 到登录端点,并在正文中包含用户名和密码,并返回一个 Azure AD 令牌。这可能吗?

对的,这是可能的。如果你想这样做,你可以参考这里

于 2018-10-12T07:36:37.193 回答