Authenticate that a user has logged in with MSAL/Azure AD and serve them a token for my separate API?

Question

I have an API written in Go that, at the moment, serves an authorization token based on a username and password (without MSAL).

I am trying to implement MSAL logins with Microsoft accounts. I have set up my Angular frontend to log a user in to an Azure AD app registration. Would it be possible to authenticate that they have successfully logged in to Azure AD, and serve them one of my tokens (unrelated to MSAL) from my Go API?

The username that they use to log in with MSAL also exists in my backend; the flow would be something like this:

User logs in with MSAL -> my frontend makes a request to the Go backend with the username -> Go verifies that this username has logged in with MSAL -> backend serves a token for this user

It appears Go integration with MSAL is limited, so I'm not sure how possible this is.

Thanks.

Answer 1

Score: 3

What you can do is acquire an access token for your API in the front-end from Azure AD. For this you will either register the API in Azure AD or use the same app registration. Either way, you should add a scope in the "Expose an API" page of the registration. Your front-end can then use that scope's ID to get the needed token.

Your API can then have an endpoint that validates the access token and issues the local token. The access token will contain the user's username, for example, if you want to map to that. A more robust way would be to map to the user's object ID (also in the token), since it is immutable, unlike the user email.

For token validation, you should be able to use a generic JWT validation library. Also remember to check for the scope you defined in the token, to properly authorize the request.
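As an added example that is not part of the original answer (and not from any Microsoft or Go library), here is the core of that exchange endpoint in Go using only the standard library: it validates the Azure AD access token (algorithm pinned to RS256, signature, iss, aud, exp and the scp scope) and then mints the API's own token keyed on the immutable oid. The issuer, audience, scope and the `my-go-api` local issuer name are constructed values, and the Azure AD public key is assumed to have been fetched already from the tenant's JWKS endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
type Claims struct { // subset of an Azure AD access token this API acts on (constructed for this example)
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Oid string `json:"oid"`
	Scp string `json:"scp,omitempty"`
	Exp int64  `json:"exp"`
}
// SignRS256 mints a compact JWT; the API uses it for local tokens, the test uses it to stand in for Azure AD.
func SignRS256(c Claims, priv *rsa.PrivateKey) (string, error) {
	payload, _ := json.Marshal(c)
	signing := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	d := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + b64.EncodeToString(sig), err
}
// VerifyAccessToken checks alg, signature, iss, aud, exp and scope; in production pub is the JWKS key matching the header's kid.
func VerifyAccessToken(tok string, pub *rsa.PublicKey, iss, aud, scope string, now int64) (*Claims, error) {
	p := strings.Split(tok, ".") // Split never returns an empty slice, so p[0] is safe before the len check
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or alg is not RS256") // pin the algorithm; never honour alg=none
	}
	sig, _ := b64.DecodeString(p[2]) // an undecodable signature simply fails verification
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	var c Claims // short-circuit order matters: claims are parsed only after the signature is good
	if pb, _ := b64.DecodeString(p[1]); rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad signature or unreadable claims")
	}
	if c.Iss != iss || c.Aud != aud || c.Exp <= now || !strings.Contains(" "+c.Scp+" ", " "+scope+" ") { // scp is space separated
		return nil, errors.New("issuer, audience, expiry or scope check failed")
	}
	return &c, nil
}
// IssueLocalToken keys the API's own token on the immutable oid, not the mutable email or username.
func IssueLocalToken(c *Claims, priv *rsa.PrivateKey, now int64) (string, error) {
	return SignRS256(Claims{Iss: "my-go-api", Aud: "my-go-api", Oid: c.Oid, Exp: now + 3600}, priv)
}
```

In production the public key is looked up by the token header's kid from the tenant's JWKS document rather than held statically, and a single-tenant API should also compare the tid claim against its own tenant.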

huangapple
  • This post was published on 2021-07-16 17:35:46
  • Please keep this link when reposting: https://go.coder-hub.com/68406797.html