我試圖修改參考here和here的樣本B2C代碼,以針對我們的組織AAD。API不會針對AAD進行身份驗證,而令牌使用MSAL傳遞給令牌
我有一個SPA應用程序,它通過MSAL成功地通過AAD進行身份驗證並接收到令牌。 SPA應用程序可以使用令牌從MS Graph API中提取數據 - 所以我確定該令牌是有效的。
SPA當前正在本地運行@ localhost:9000。
我有第二個應用程序是運行@ localhost:3000的Nodejs API。 SPA應用程序調用API傳遞用於GraphAPI的相同標記。 API應用程序應該使用該令牌來驗證用戶並提供對API的訪問;然而,我只能回到401 - 未經授權。
(我使用Aurelia作爲客戶端代碼,HTTP請求使用Aurelia的HTTP客戶端)。
這裏是用來調用API的SPA代碼:
//Not entirely sure what to use as the scope here!! API is registered to allow user.read Graph API scope.
this.config.msClient.acquireTokenSilent(["user.read"]).then(token => {
console.log("Token acquired silently.");
this.makeAPICall(token);
}, error => { ... }
);
makeAPICall(token) {
this.http.configure(config => {
config
.withBaseUrl('http://localhost:3000/')
.withDefaults({
headers: {
'Authorization': 'Bearer ' + token
}
}
this.http.fetch("user/0")
.then(response => {
debugger; //response is 401 Unauthenticated at this point
}, error => { ... });
}
我已經註冊的apps.dev.microsoft.com應用程序爲我的API。這裏是我的服務器端(API)代碼的NodeJS:
const express = require("express")
const port = 3000
const passport = require("passport")
var BearerStrategy = require("passport-azure-ad").BearerStrategy;
var userList = [
{id: 1, first: "Mickey", last: "Mouse", age: 95},
{id: 2, first: "Donald", last: "Duck", age: 85},
{id: 3, first: "Pluto", last: "leDog", age: 70}
]
var options = {
identityMetadata: "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
clientID: "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx", //My registered App Id
passReqToCallback: false,
validateIssuer: true,
issuer: "xxxxxxx" //Our tenant name
};
var strategy = new BearerStrategy(options, (token, done) => {
console.log(token);
done(null,{}, {scope: '*'});
})
const app = express()
app.use(passport.initialize())
passport.use(strategy);
//Allow CORS
app.use((req, res, next) => {
res.header("Access-Control-Allow-Origin","*");
res.header("Access-Control-Allow-Headers","Authorization, Origin, X-Requested-With, Content-Type,Accept");
next();
})
app.get("/",(request, response) => { //Unauthenticated -- always works
response.send("Hello World!")
})
app.get("/user/:id",passport.authenticate('oauth-bearer',{session: false }),
(request, response) => {
//Never seem to get here (when debugging) as authenticate always fails
let id = request.params["id"];
let user = userList[id];
if(user) response.json(user);
else response.send("No user found")
})
app.listen(port,() => {
console.log("Listening on port " + port)
})
我敢肯定,我只是誤解這一切是如何工作,但希望得到一些指導,我需要改變,以得到這個工作。
因此,如果我理解正確,MSAL僅爲Graph API提供訪問令牌? – RHarris
截至今天,情況就是如此。 v2終結點爲Microsoft Graph和id_tokens登錄應用程序簽發訪問令牌。 – vibronet
非常感謝您的解釋。這有很大幫助。 – RHarris