I am using Azure AD to authenticate my single-page application (Angular 4), with Adal.js handling the authentication. On the login page I click a button that redirects to Microsoft AAD; after a successful login it redirects back to the application home page, and I receive the id_token and the user info from the JWT.
I need an access_token for back-end API access, which I am trying to get through the getCachedToken() method of the ADAL AuthenticationContext, passing the clientId as the parameter:
this.context.getCachedToken(this.configService.AdalConfig.clientId)
But this method returns the same token that is stored in session storage as the id_token (adal.idtoken). It basically creates a new item in session storage under a concatenated key, with the same value as the id_token:
adal.access_token.key + clientId = id_token
For example: adal.access_token.key239f6fc7-64d2-3t04-8gfd-501efc25adkd = <id-token-value>.
I also tried to get the access_token with the AuthenticationContext.acquireToken() method, but it also gives the id_token.
Where am I going wrong?
Edit: posting the code.
I call the login() function, and after a successful login I try to get the access token on the home page through the get accessToken() property accessor in adal.config.ts.
config.service.ts
    import { Injectable } from '@angular/core';

    @Injectable()
    export class ConfigService {
      constructor() {}

      // ADAL configuration handed to the AuthenticationContext
      public get AdalConfig(): any {
        return {
          tenant: 'common',
          // the client id value was cut off in the original post; placeholder only
          clientId: '<application-client-id>'
        };
      }
    }
adal.service.ts
    import { ConfigService } from './config.service';
    import { Injectable } from '@angular/core';
    import { adal } from 'adal-angular';

    // AuthenticationContext is the global declared by the adal-angular typings
    let createAuthContextFn: adal.AuthenticationContextStatic = AuthenticationContext;

    @Injectable()
    export class AdalService {
      private context: adal.AuthenticationContext;

      constructor(private configService: ConfigService) {
        this.context = new createAuthContextFn(configService.AdalConfig);
      }

      login() {
        this.context.login();
      }

      logout() {
        this.context.logOut();
      }

      // processes the token fragment Azure AD appends on redirect back to the app
      handleCallback() {
        this.context.handleWindowCallback();
      }

      public get userInfo() {
        return this.context.getCachedUser();
      }

      public get accessToken() {
        return this.context.getCachedToken(this.configService.AdalConfig.clientId);
        // also tried:
        // return this.context.acquireToken(this.configService.AdalConfig.clientId, function (message, token, response) {
        //   console.log(message, response);
        // });
      }

      public get isAuthenticated() {
        return this.userInfo && this.accessToken;
      }
    }
In this scenario, when the user signs in, the JavaScript front end uses Active Directory Authentication Library for JavaScript (ADAL.JS) and the implicit authorization grant to obtain an ID token (id_token) from Azure AD. The token is cached and the client attaches it to the request as the bearer token when making calls to its Web API back end, which is secured using the OWIN middleware.
So I need to send the id_token itself to the back-end API, which can in turn validate and use it. For more on validation, see here:
Just receiving an id_token is not sufficient to authenticate the user; you must validate the id_token's signature and verify the claims in the token per your app's requirements. The v2.0 endpoint uses JSON Web Tokens (JWTs) and public key cryptography to sign tokens and verify that they are valid. You can choose to validate the id_token in client code, but a common practice is to send the id_token to a backend server and perform the validation there. Once you've validated the signature of the id_token, there are a few claims you will be required to verify.