
I would like to understand how to configure MSAL and the related artifacts so that the following setup works:

  • A frontend Angular 7+ website/application published to an Azure Storage account and served as a static website.
  • A backend Azure Functions API project that performs CRUD operations on a Cosmos DB database.
  • Both the Angular frontend website and the Azure Functions API backend should be restricted to people in our Azure Active Directory.

I have been trying to learn how to configure MSAL for my intended use case by studying this demo project: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/README.md. Unfortunately, that project references an API backend site that is no longer running, and the backend part is not included in the repository.

The demo project msal-microsoft-authentication-library-for-js\lib\msal-angular\samples\MSALAngularDemoApp does not work as published. The login attempt fails. At one point I got: `Uncaught (in promise): AADSTS650052: The app needs access to a service ("api://a88bb933-319c-41b5-9f04-eff36d985612") that your organization "<MY-ORG>" has not subscribed to or enabled.`

With my current configuration, in the browser, the request is cancelled when MSAL tries to issue a request of the following form:

https://login.microsoftonline.com/67ba7efb-e8.....52-1f993843c3a0/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fte.....nfuncs.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=61601ca6-104.....524550f6ec&scope=openid+profile+email&response_mode=form_post&nonce=62877cb9e.....245f7f613_2019.....72304&state=redir%3D%252Fapi%252Fpeople%253Fcode%253DqJH4Bs%252F.....ameK%252FPh5S5Th%252FXttS.....D%253D%2526name-starts-with%253Dji

So I am clearly doing at least one thing wrong. Below is a summary of my configuration. However, rather than trying to debug my configuration, it may be easier (and more useful) to describe all the steps needed to establish a working configuration.

Azure Function App
Platform features
    Authentication / Authorization
        App Service Authentication: On
        Action to take when request is not authenticated
            Log in with Azure Active Directory
        Authentication Providers
            Azure Active Directory Configured (Express: Existing App)
            Advanced Settings Token Store
            ALLOWED EXTERNAL REDIRECT URLS
                Link to static website of storage container where Angular site is deployed
                E.g., https://<storagecontainer>.z5.web.core.windows.net/
    CORS
    ALLOWED ORIGINS
        https://<storagecontainer>.z5.web.core.windows.net/
        http://localhost:4200
Function Signatures
    `public static async Task<IActionResult> Function1([HttpTrigger(AuthorizationLevel.Function, "get", "post", "options", Route = null)] HttpRequest httpRequest, ILogger log) {`
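The cancelled request quoted in the question is an Azure AD authorize URL whose `redirect_uri` points at the Function App's `/.auth/login/aad/callback` path, and whose `state` carries `redir=/api/people?...`. The following TypeScript is an added example (not code from the question, from MSAL, or from the msal-angular demo) that decodes such a URL and reports whether it is an App Service Authentication ("EasyAuth") server-side login redirect or an MSAL browser flow, which is the distinction a defender needs when an API call from a SPA is reported as cancelled. It assumes `/.auth/login/aad/callback` is the App Service Authentication callback path; the tenant and client ids, hostnames, and the two sample URLs are constructed placeholders, and the hypothetical `spaOrigin` parameter stands for the static-website origin.

```typescript
// Added example: classify an Azure AD authorize request by its query string.
// Not part of the original question; ids and hosts below are placeholders.

interface AuthorizeRequest {
  tenant: string;                   // tenant id or domain taken from the URL path
  responseTypes: string[];          // e.g. ["code", "id_token"]
  responseMode: string | null;
  redirectUri: URL;
  clientId: string;
  scopes: string[];
  codeChallenge: string | null;     // present only for the auth-code + PKCE flow
  postLoginRedirect: string | null; // EasyAuth stores the original path in state=redir=...
}

type FlowKind = "easyauth-server-redirect" | "spa-auth-code-pkce" | "spa-implicit" | "unknown";

interface Diagnosis { kind: FlowKind; findings: string[]; }

function parseAuthorizeUrl(raw: string): AuthorizeRequest {
  // URLs pasted from a browser or a question often pick up stray whitespace.
  const url = new URL(raw.replace(/\s+/g, ""));
  const path = url.pathname.match(/^\/([^/]+)\/oauth2\/(?:v2\.0\/)?authorize$/);
  if (url.hostname !== "login.microsoftonline.com" || path === null) {
    throw new Error("not an Azure AD authorize endpoint: " + url.href);
  }
  const q = url.searchParams; // decodes %xx and '+' exactly once
  const required = (name: string): string => {
    const v = q.get(name);
    if (v === null) throw new Error(`authorize request lacks ${name}`);
    return v;
  };
  const state = q.get("state");
  const postLoginRedirect =
    state !== null && state.startsWith("redir=")
      ? decodeURIComponent(state.slice("redir=".length)) // state value is encoded a second time
      : null;
  return {
    tenant: path[1],
    responseTypes: required("response_type").split(" "),
    responseMode: q.get("response_mode"),
    redirectUri: new URL(required("redirect_uri")),
    clientId: required("client_id"),
    scopes: (q.get("scope") ?? "").split(" ").filter((s) => s.length > 0),
    codeChallenge: q.get("code_challenge"),
    postLoginRedirect,
  };
}

function diagnose(req: AuthorizeRequest, spaOrigin: string): Diagnosis {
  const findings: string[] = [];
  let kind: FlowKind = "unknown";
  if (req.redirectUri.pathname === "/.auth/login/aad/callback") {
    // App Service Authentication answered an unauthenticated request with a
    // browser login redirect rather than a 401; the SPA never sent a token.
    kind = "easyauth-server-redirect";
    findings.push(`App Service Authentication on ${req.redirectUri.host} redirected an unauthenticated request to the login page instead of returning 401`);
    if (req.postLoginRedirect !== null) {
      const [origPath, origQuery] = req.postLoginRedirect.split("?", 2);
      findings.push(`original request was ${origPath}; a fetch/XHR from ${spaOrigin} cannot follow a cross-origin redirect to the login page, so the browser reports it as cancelled`);
      if (origQuery !== undefined && new URLSearchParams(origQuery).has("code")) {
        // The Functions host key rides along in the state parameter; never log it verbatim.
        findings.push("post-login redirect carries a 'code' query parameter (an Azure Functions key); treat this URL as sensitive");
      }
    }
  } else if (req.redirectUri.origin === spaOrigin) {
    kind = req.codeChallenge !== null ? "spa-auth-code-pkce" : "spa-implicit";
  } else {
    findings.push(`redirect_uri origin ${req.redirectUri.origin} is neither the SPA origin nor an App Service Authentication callback`);
  }
  for (const s of req.scopes) {
    if (s.startsWith("api://")) {
      findings.push(`scope ${s} names a custom API app registration that the tenant must have enabled and consented (otherwise AADSTS650052)`);
    }
  }
  return { kind, findings };
}

// Constructed sample URLs with placeholder ids (shape follows the question's URL).
const SAMPLE_EASYAUTH_REDIRECT =
  "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/oauth2/authorize" +
  "?response_type=code+id_token" +
  "&redirect_uri=https%3A%2F%2Fexample-funcs.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback" +
  "&client_id=00000000-0000-0000-0000-000000000002" +
  "&scope=openid+profile+email&response_mode=form_post&nonce=n0" +
  "&state=redir%3D%252Fapi%252Fpeople%253Fcode%253DFUNCKEY%2526name-starts-with%253Dji";

const SAMPLE_SPA_PKCE =
  "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/oauth2/v2.0/authorize" +
  "?response_type=code&redirect_uri=https%3A%2F%2Fexample.z5.web.core.windows.net%2F" +
  "&client_id=00000000-0000-0000-0000-000000000002&scope=openid+profile" +
  "&code_challenge=abc&code_challenge_method=S256";

const SPA_ORIGIN = "https://example.z5.web.core.windows.net";
console.log(diagnose(parseAuthorizeUrl(SAMPLE_EASYAUTH_REDIRECT), SPA_ORIGIN));
console.log(diagnose(parseAuthorizeUrl(SAMPLE_SPA_PKCE), SPA_ORIGIN));
```

The first sample reproduces the shape of the cancelled request in the question and is classified as a server-side login redirect with the original `/api/people` path recovered from `state`; the second, with `redirect_uri` at the SPA origin and a `code_challenge`, is an ordinary browser PKCE request that produces no findings. The Functions key that the question's URL embeds after `code%253D` is deliberately not echoed in any finding.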

0 answers