我正在尝试对 Angular SPA 用户进行身份验证，以便使用带有 passport-azure-ad 的 Node API。
使用 msal 的 SPA 似乎可以正常登录并发送 Bearer 令牌。在 API 中，passport 在日志中输出以下消息，并且不验证令牌。
{"name":"AzureAD: Bearer Strategy","hostname":,"pid":18992,"level":30,"msg":"authentication failed due to: In Strategy.prototype.jwtVerify: 我们没有收到一个我们知道如何验证的令牌","time":"2020-11-16T09:05:39.130Z","v":0} 在 passport 日志中，我可以看到它已经解码了 JWT。
MS 的文档和教程没有提供解释。
这是一个 bug，还是配置问题？
在 jwt.ms 上,令牌看起来像这样(删除了敏感内容)
{
"typ": "JWT",
"alg": "RS256",
"kid": "1LTMzakihiRla_8z2BEJVXeWMqo"
}.{
"ver": "2.0",
"iss": "https://login.microsoftonline.com/<removed>/v2.0",
"sub": "AAAAAAAAAAAAAAAAAAAAAFCJjacUizahSCD5TPfL4H8",
"aud": "35a82220-37b8-4379-8787-2e9d399a5a11",
"exp": 1605521138,
"iat": 1605517238,
"nbf": 1605517238,
"name": "<removed>",
"preferred_username": "<removed>",
"oid": "00000000-0000-0000-47f4-b9a2c8265a4e",
"tid": "<removed>",
"azp": "6a595665-21c0-418c-b53c-11a53261ea1f",
"scp": "access_as_user",
"azpacr": "0",
"aio": "DZrm9qwwNRshPep3OC!5Fye8RReC2f7Xweml1tg1DrjBTMaCJjSf6tZiPIm!Xu0I79vhJZwsyPjKWgp0FR9o0v7s4AWBaO9iLOl0qWJx6mznYOR6nwmpv7LREoQts9Ixe49O*HvvyaCsmcuh1iXcnq8$"
}.[Signature]
该令牌是为作为访客用户添加到 AD 的用户创建的。
配置(已删除租户 ID)
AD
两个已注册的应用程序，SPA 和 API，其身份验证设置为多租户和个人 Microsoft 帐户。向 SPA 授予一个 API 范围：“access_as_user”。
Angular SPA
Angular 7，@azure/msal-angular 1.1.2
// MSAL configuration (Angular root module).
// Wires up MsalModule (sign-in and token acquisition) and MsalInterceptor, which
// attaches the acquired access token as a bearer token to outgoing HTTP requests
// that match protectedResourceMap.
@NgModule({
  declarations: [
    AppComponent,
    MessageComponent
  ],
  imports: [
    BrowserModule,
    AppRoutingModule,
    HttpClientModule,
    MsalModule.forRoot({
      auth: {
        // Client (application) ID of the SPA app registration; the same GUID
        // appears as the `azp` claim of the access token shown in the question.
        clientId: '6a595665-21c0-418c-b53c-11a53261ea1f',
        // 'common' is the multi-tenant + personal-accounts authority.
        // NOTE(review): the API's identityMetadata points at a single tenant;
        // confirm both sides agree on the intended tenancy model.
        authority: 'https://login.microsoftonline.com/common',
        redirectUri: 'http://localhost:4200',
      },
      cache: {
        // Tokens persist across tab closes but are readable by any script
        // running on this origin, so keep third-party scripts to a minimum.
        cacheLocation: 'localStorage',
        storeAuthStateInCookie: isIE, // set to true for IE 11
      },
    },
    {
      popUp: !isIE,
      unprotectedResources: [],
      // Scope requested at consent time: the scope exposed by the API app
      // registration (it shows up as the `scp` claim of the token).
      consentScopes: [
        "api://35a82220-37b8-4379-8787-2e9d399a5a11/access_as_user"
      ],
      // Requests to this URL get an access token for these scopes attached.
      // NOTE(review): presumably matched against the request URL by prefix —
      // verify it matches the API's origin/port exactly.
      protectedResourceMap: [
        ['http://localhost:3000', ['api://35a82220-37b8-4379-8787-2e9d399a5a11/access_as_user']]
      ],
      extraQueryParameters: {}
    })
  ],
  providers: [HttpClient,
    {
      provide: HTTP_INTERCEPTORS,
      useClass: MsalInterceptor,
      multi: true
    },
    MsalService,
  ],
  bootstrap: [AppComponent]
})
export class AppModule { }
NodeJs API
passport 0.4.1，passport-azure-ad 4.3.0
节点配置const express = require('express')
const app = express()
var passport = require('passport');
var BearerStrategy = require("passport-azure-ad").BearerStrategy;
var options = {
identityMetadata:"https://login.microsoftonline.com/<removed>/v2.0/.well-known/openid-configuration",
clientID:"35a82220-37b8-4379-8787-2e9d399a5a11",
loggingLevel: "info",
passReqToCallback: false,
isB2C:false,
validateIssuer:false,
loggingNoPII: false
};
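/**
 * Verify callback for BearerStrategy; passport-azure-ad calls it after it has
 * verified the token's signature and claims.
 * The original logged the literal string "token" (almost certainly a slip for
 * `console.log(token)`, which would dump every claim to stdout); log a stable,
 * non-sensitive identifier instead.
 * @param {object} token - decoded claims of the verified access token
 * @param {Function} done - passport callback `(err, user, info)`
 */
function verifyBearerToken(token, done) {
  console.log("verifying token");
  console.log("token oid:", token && token.oid);
  // Same contract as before: an empty user object, with the claims passed as `info`.
  done(null, {}, token);
}
const bearerStrategy = new BearerStrategy(options, verifyBearerToken);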
// Register the strategy (used by the route under its default name "oauth-bearer")
// and mount passport on the app.
const port = 3000;
passport.use(bearerStrategy);
app.use(passport.initialize());
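/**
 * Request logging plus CORS headers for the SPA.
 * Logs the incoming headers with the Authorization header redacted: the
 * original printed the raw bearer token, leaving a replayable credential in
 * the server log.
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {Function} next
 */
function logAndAllowCors(req, res, next) {
  const { authorization, ...safeHeaders } = req.headers;
  console.log({
    ...safeHeaders,
    ...(authorization !== undefined ? { authorization: "[redacted]" } : {}),
  });
  // "*" allows any origin; fine for local development, but restrict it to the
  // SPA origin (http://localhost:4200 per the MSAL config) before deploying.
  res.header("Access-Control-Allow-Origin", "*");
  res.header(
    "Access-Control-Allow-Headers",
    "Authorization, Origin, X-Requested-With, Content-Type, Accept"
  );
  next();
}
app.use(logAndAllowCors);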
// Protected route: the handler runs only once the bearer strategy has
// accepted the token; no session is created for API calls.
const requireBearerToken = passport.authenticate("oauth-bearer", { session: false });
const helloHandler = (req, res) => {
  res.send('{"msg":"Hello SPA this is the API!"}');
};
app.get('/', requireBearerToken, helloHandler);
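// Start the HTTP listener. (The stray quote after the closing `})` in the
// original made the file fail to parse.)
app.listen(port, () => {
  console.log(`Example app listening at http://localhost:${port}`);
});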