
我正在尝试使用 passport-azure-ad 让 Angular SPA 用户通过 Node API 的身份验证。

使用 msal 的 SPA 似乎可以正常登录并发送不记名令牌。在 API 中,passport 在日志中提供此消息并且不验证令牌。

{"name":"AzureAD: Bearer Strategy","hostname":,"pid":18992,"level":30,"msg":"authentication failed due to: In Strategy.prototype.jwtVerify: 我们没有收到一个我们知道如何验证的令牌","time":"2020-11-16T09:05:39.130Z","v":0} 在 passport 日志中,我可以看到它已经解码了 JWT。

MS 的文档和教程没有提供解释。

这是问题还是配置?

在 jwt.ms 上,令牌看起来像这样(删除了敏感内容)

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "1LTMzakihiRla_8z2BEJVXeWMqo"
}.{
  "ver": "2.0",
  "iss": "https://login.microsoftonline.com/<removed>/v2.0",
  "sub": "AAAAAAAAAAAAAAAAAAAAAFCJjacUizahSCD5TPfL4H8",
  "aud": "35a82220-37b8-4379-8787-2e9d399a5a11",
  "exp": 1605521138,
  "iat": 1605517238,
  "nbf": 1605517238,
  "name": "<removed>",
  "preferred_username": "<removed>",
  "oid": "00000000-0000-0000-47f4-b9a2c8265a4e",
  "tid": "<removed>",
  "azp": "6a595665-21c0-418c-b53c-11a53261ea1f",
  "scp": "access_as_user",
  "azpacr": "0",
  "aio": "DZrm9qwwNRshPep3OC!5Fye8RReC2f7Xweml1tg1DrjBTMaCJjSf6tZiPIm!Xu0I79vhJZwsyPjKWgp0FR9o0v7s4AWBaO9iLOl0qWJx6mznYOR6nwmpv7LREoQts9Ixe49O*HvvyaCsmcuh1iXcnq8$"
}.[Signature]

该令牌是为作为访客用户添加到 AD 的用户创建的。

配置(已删除租户 ID)

AD

两个已注册的应用程序,SPA 和 API,其身份验证设置为多租户和个人 Microsoft 帐户。向 SPA 授予一个 API 范围,"access_as_user"。

Angular SPA

Angular 7,@azure/msal-angular 1.1.2

MSAL 配置
// Root module: wires MSAL (interactive login + token acquisition) into the app
// and registers MsalInterceptor so HttpClient calls to the API carry the
// access token as a bearer token.
@NgModule({
  declarations: [
    AppComponent,
    MessageComponent
  ],
  imports: [
    BrowserModule,
    AppRoutingModule,
    HttpClientModule,
    MsalModule.forRoot({
      auth: {
        // The SPA's own app registration; this value shows up as `azp` in
        // the access token the API receives.
        clientId: '6a595665-21c0-418c-b53c-11a53261ea1f',
        // /common: multi-tenant + personal accounts. Tokens then carry a
        // tenant-specific `iss`, which the API must take into account when
        // deciding whether and how to validate the issuer.
        authority: 'https://login.microsoftonline.com/common',
        redirectUri: 'http://localhost:4200',
      },
      cache: {
        // localStorage persists tokens across tabs and browser restarts and is
        // readable by any script running on this origin; sessionStorage limits
        // the exposure to a single tab.
        cacheLocation: 'localStorage',
        storeAuthStateInCookie: isIE, // set to true for IE 11
      },
    },
    {
      popUp: !isIE,
      unprotectedResources: [],
      // Delegated scope on the API's App ID URI: api://<API client ID>/access_as_user.
      consentScopes: [
        "api://35a82220-37b8-4379-8787-2e9d399a5a11/access_as_user"
      ],
      // MsalInterceptor acquires a token for this scope and attaches it to
      // requests sent to the API origin listed here.
      protectedResourceMap: [
        ['http://localhost:3000', ['api://35a82220-37b8-4379-8787-2e9d399a5a11/access_as_user']]
      ],
      extraQueryParameters: {}
    })
    ],
  // HttpClient is already provided by HttpClientModule; listing it here is redundant.
  providers: [HttpClient,
    {
      provide: HTTP_INTERCEPTORS,
      useClass: MsalInterceptor,
      multi: true
    },
    MsalService,
],
  bootstrap: [AppComponent]
})
export class AppModule { }

NodeJs API

passport 0.4.1,passport-azure-ad 4.3.0

Node 配置
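const express = require('express')
const app = express()

const passport = require('passport');

const BearerStrategy = require("passport-azure-ad").BearerStrategy;

// Scope the SPA requests on the API's App ID URI (api://<clientID>/access_as_user).
// The verify callback below rejects otherwise valid tokens that do not carry it.
const REQUIRED_SCOPE = "access_as_user";

// Headers that must never be written to the log: they carry credentials.
const REDACTED_HEADERS = new Set(["authorization", "cookie"]);

/**
 * Returns a shallow copy of `headers` with credential-bearing headers replaced
 * by "[redacted]", so request logging cannot leak the bearer token.
 * @param {object} headers - `req.headers` (Node lower-cases the keys)
 * @returns {object} a copy that is safe to log
 */
function redactHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([name, value]) =>
      REDACTED_HEADERS.has(name.toLowerCase()) ? [name, "[redacted]"] : [name, value]
    )
  );
}

const options = {
  // v2.0 metadata document (signing keys + issuer) for the API's tenant.
  identityMetadata: "https://login.microsoftonline.com/<removed>/v2.0/.well-known/openid-configuration",
  // Must equal the token's `aud` claim: the API app registration's client ID.
  clientID: "35a82220-37b8-4379-8787-2e9d399a5a11",
  loggingLevel: "info",
  passReqToCallback: false,
  isB2C: false,
  // Multi-tenant sign-in (the SPA uses the /common authority) yields a
  // tenant-specific `iss` per user, so no single issuer is pinned here.
  // NOTE(review): the strategy then accepts tokens from any tenant; restrict
  // by the `tid` claim in the verify callback if the API is not meant to be
  // open to every tenant.
  validateIssuer: false,
  // false: claims containing PII may appear in the strategy's own log lines.
  loggingNoPII: false
};

/**
 * Verify callback, reached only after the strategy has accepted the token
 * (signature, audience, lifetime). `token` holds the decoded claims.
 * Authorises the request when the required scope is granted and passes the
 * claims on to the route through passport's `info` argument, as before.
 */
const bearerStrategy = new BearerStrategy(options, function (token, done) {
  const grantedScopes = typeof token.scp === "string" ? token.scp.split(" ") : [];
  if (!grantedScopes.includes(REQUIRED_SCOPE)) {
    // Valid token, wrong scope: a failure, not an error.
    return done(null, false, `missing scope ${REQUIRED_SCOPE}`);
  }
  // Log only non-sensitive claims, never the raw token or the full claim set.
  console.log("verifying token", { aud: token.aud, scp: token.scp });
  done(null, {}, token);
});

app.use(passport.initialize());
passport.use(bearerStrategy);

const port = 3000

// CORS for the SPA. Runs before authentication so preflight and failed
// requests still carry the CORS headers.
app.use(function (req, res, next) {
  // Never log the raw headers: `Authorization` carries the bearer token.
  console.log(redactHeaders(req.headers));
  // "*" works here because bearer auth does not rely on cookies, but pinning
  // this to the SPA origin (http://localhost:4200) is the tighter choice.
  res.header("Access-Control-Allow-Origin", "*");
  res.header(
    "Access-Control-Allow-Headers",
    "Authorization, Origin, X-Requested-With, Content-Type, Accept"
  );
  next();
});

// Every request to "/" must present a valid bearer token; the API is stateless,
// hence `session: false`.
app.get('/', passport.authenticate("oauth-bearer", { session: false }), (req, res) => {
  res.send('{"msg":"Hello SPA this is the API!"}');
});

app.listen(port, () => {
  console.log(`Example app listening at http://localhost:${port}`)
})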
