English:
Azure AD integrate with frontend React and backend GoLang
Question
I have a separate structure using GoLang Gin as the back-end and ReactJS as the front-end, and would like to integrate Azure AD OAuth2 login.
However, authenticating either the GoLang app or the React app on its own is fine, but when I authenticate in the front-end using msal-react, how do I pass the auth info to the back-end?
In my current back-end API, I use JWT to protect the APIs, like this:
v1.Use(jwtauth.JWTAuth())
Or should I authenticate in the back-end and pass the info to the front-end? But since they are on different ports, I cannot do the redirect (Azure login)...
Thanks!
English:
I have a separate structure for backend using GoLang Gin and frontend ReactJS and would like to integrate the Azure AD Oauth2 login.
However, it's ok to authenticate GoLang App or React App, but how to pass the auth info to the backend when I authenticate in frontend using msal-react?
In my current backend API, I use JWT like this to protect APIs:
v1.Use(jwtauth.JWTAuth())
Or should I authenticate the backend and pass the info to the frontend? But I cannot get it to redirect (Azure login) since they are on different ports...
Thanks!
Answer 1
Score: 0
The typical pattern is as follows:
- The front-end (the React app in your case) uses msal (or another compatible library) to redirect the user to the login page.
- The front-end acquires an access token for the back-end using a scope defined in the API app registration (or the same app registration).
- The front-end attaches the access token to back-end requests.
- The back-end validates the access token (signature verification using public keys from Azure AD, plus checks of expiry time, audience, issuer, scopes, etc.).
In .NET we configure an "authority" for JWT authentication, e.g. "https://login.microsoftonline.com/<tenant-id>", and the authentication handler then downloads the metadata and public keys from "https://login.microsoftonline.com/<tenant-id>/.well-known/openid-configuration".
It might be possible to configure something like this for your library as well.
Scopes you typically have to check yourself.
English:
The typical pattern is:
- Front-end (React app in your case) uses msal (or other compatible library) to redirect the user to login
- Front-end acquires access token for back-end using a scope defined in API app registration (or same app registration)
- Front-end attaches access token to back-end requests
- Back-end validates access token (signature using public keys from Azure AD, expiry time, audience, issuer, scopes etc.)
In .NET we configure an "authority" for JWT authentication, e.g. "https://login.microsoftonline.com/<tenant-id>", and the authentication handler then downloads metadata + public keys from "https://login.microsoftonline.com/<tenant-id>/.well-known/openid-configuration".
It might be possible to configure something like this for your library as well.
Scopes you typically have to check yourself.