0

我正在使用 microsoft 的 passport-azure-ad 模块来打开 ID 连接。我打算的流程是身份验证代码流,我的 azure 广告配置为身份验证代码流。我的问题是:

1) passport-azure-ad 是否像“代码”一样查看响应类型,然后它会第一次调用获取代码,然后将代码交换为令牌。因为我在实现我的代码时没有拨打两个电话,我直接获得了 access_token

2) 我们如何使用带有 passport-azure-ad 的 PKCE 实施授权代码授予流程?

我的代码如下所示


config.creds.responseType = 'code';
config.creds.responseMode = 'form_post';
config.creds.validateIssuer = true,
config.creds.issuer = null,
config.creds.passReqToCallback = false,
config.creds.useCookieInsteadOfSession = true,
config.creds.scope = 'email profile api://<gateway-url>/.default',

passport.use(new OIDCStrategy({
    identityMetadata: config.creds.identityMetadata,
    clientID: config.creds.clientID,
    responseType: config.creds.responseType,
    responseMode: config.creds.responseMode,
    redirectUrl: config.creds.redirectUrl,
    allowHttpForRedirectUrl: config.creds.allowHttpForRedirectUrl,
    clientSecret: config.creds.clientSecret,
    validateIssuer: config.creds.validateIssuer,
    isB2C: config.creds.isB2C,
    issuer: config.creds.issuer,
    passReqToCallback: config.creds.passReqToCallback,
    scope: config.creds.scope,
    loggingLevel: config.creds.loggingLevel,
    nonceLifetime: config.creds.nonceLifetime,
    nonceMaxAmount: config.creds.nonceMaxAmount,
    useCookieInsteadOfSession: config.creds.useCookieInsteadOfSession,
    cookieEncryptionKeys: config.creds.cookieEncryptionKeys,
    clockSkew: config.creds.clockSkew,
  },
  function(iss, sub, profile, jwtClaims, accessToken, refreshToken, params, done) {
    if (!profile.oid) {
      return done(new Error("No oid found"), null);
    }
    profile.groups = jwtClaims.groups;
    profile.auth_tokens = params;
    console.log("**************Params received after login: ", params);
    //asynchronous verification, for effect...
    process.nextTick(function () {
      findByOid(profile.oid, function(err, user) {
        if (err) {
          return done(err);
        }
        if (!user) {
          // "Auto-registration"
          users.push(profile);
          return done(null, profile);
        }
        return done(null, user);
      });
    });
  }
));



4

1 回答 1

0

我对上述问题 1 的回答是肯定的。我希望有更多的文档,但我发现这对护照-azure-ad 代码非常有用。这是在 oidcstragegy.js

 /*****************************************************************************
       * Step 3. Handle the flows
       *----------------------------------------------------------------------------
       * (1) implicit flow (response_type = 'id_token')
       *     This case we get a 'id_token'
       * (2) hybrid flow (response_type = 'id_token code')
       *     This case we get both 'id_token' and 'code'
       * (3) authorization code flow (response_type = 'code')
       *     This case we get a 'code', we will use it to get 'access_token' and 'id_token'
       * (4) for any other request, we will ask for authorization and initialize
       *     the authorization process
       ****************************************************************************/
于 2020-04-08T15:09:35.913 回答