英文:
Strategy to integrate Azure in REST-server and Angular-frontend
问题
我有一个Spring-Boot应用程序。它集成了一个非常简单的Thymeleaf网页。用于用户身份验证的是O365 Azure。
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>azure-spring-boot-starter-active-directory</artifactId>
</dependency>
我已经在Azure中注册了该应用程序,一切正常。我的application.properties文件中包含租户ID、客户端ID和客户端秘钥。
azure.activedirectory.tenant-id = xxxxxx
azure.activedirectory.client-id = xxxxxx
azure.activedirectory.client-secret = xxxxxx
关于Azure的其他信息有限,一切都由以下代码处理:
import org.springframework.security.oauth2.client.*;
和
@SpringBootApplication
@EnableWebSecurity
在网页显示之前,用户会通过Azure进行身份验证。再次强调 - 这一切都运行正常。
现在,我的简单网页的功能需要扩展。我的简单网页应该变成一个Angular应用,我的Spring-Boot应用应该成为其REST服务器。
现在如何处理Azure身份验证?我应该保持现在的方式吗?如何将其集成到我的Angular应用中?我需要在两个应用程序中都处理Azure,还是只在一个应用程序中处理,然后以某种方式集成另一部分?
我看到了Spring-Boot中对Azure的处理,我还找到了Angular的MSAL库。但我不确定它们(Angular应用和Spring-Boot应用)如何一起交互。或者可能不需要互动(关于身份验证),两个应用程序可以分别处理,Azure会确保其余部分(SSO)?
我将感激一些指导,谢谢!
英文:
I have a Spring-Boot app. It has a very simple webpage by Thymeleaf integrated.
For user authentication it uses O365 Azure.
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>azure-spring-boot-starter-active-directory</artifactId>
</dependency>
I have the app registered in Azure and all is working well. I have a tenant-id, client-id and a client-secret inside my application.properties.
azure.activedirectory.tenant-id = xxxxxx
azure.activedirectory.client-id = xxxxxx
azure.activedirectory.client-secret = xxxxxx
I do not have much more about Azure. All is done by
import org.springframework.security.oauth2.client.*;
and
@SpringBootApplication
@EnableWebSecurity
as far I can say.
The user is authenticated by Azure before the webpage is presented. Again - all is fine that way.
NOW the functionality of the simple webpage needs to grow.
My simple webpage should become an Angular app and my Spring-Boot app should become the REST-server for it.
How do I handle the Azure authentication now? Should I keep it the way it is? How do I get it into my Angular app?
Do I need to handle Azure in both apps or just in one and integrate the other part somehow?
I see the handling of Azure in Spring-Boot and I also found the MSAL-lib for Angular. But I am not sure how they (the Angular app and my Spring-Boot app) interact together. Or maybe there is no need to interact (regarding authentication) and both apps can handle it separately and Azure will make sure about the rest (SSO)?
I would appreciate a little guidance, thanks!
答案1
得分: 1
一个REST API是一个资源服务器,而不是一个客户端。您将需要更改Spring Boot启动器并相应地调整Web安全配置。
OAuth2请求授权是客户端的责任。这包括将访问令牌设置为授权标头以及处理OAuth2流程以获取此令牌。资源服务器只关心请求是否获得授权,访问令牌是否有效以及是否应根据声明(在JWT或introspected中)授予资源所请求的访问权限。
目前有两种主要模式用于消耗OAuth2资源服务器的"富"浏览器应用程序(如Angular、React、Vue等):
- 将应用程序配置为OAuth2公共客户端(使用OAuth2客户端库)。对于Angular,我使用angular-auth-oidc-client。
- 配置一个后端前端(BFF)(在您的服务器上的中间件),将其配置为OAuth2机密客户端以隐藏浏览器中的令牌(使用BFF上的会话进行安全性保护)。BFF负责登录、注销、令牌刷新,并在将浏览器请求转发到API之前用访问令牌替换会话。如果启用
TokenRelay过滤器,可以使用配置了spring-boot-starter-oauth2-client的spring-cloud-gateway作为BFF。
第二个选项被认为更可取,因为它增加了安全性(使用机密客户端,以便令牌不能传递给假装是客户端的程序,而且令牌对JavaScript是隐藏的)...前提是您正确处理CSRF保护和会话cookie(至少必须是安全的和http-only,最好标有samesite标志)。
我写了一些教程,涵盖了Spring应用程序的各种OAuth2配置方案,包括资源服务器和客户端(包括网关作为BFF)。
英文:
A REST API is a resource-server, not a client. You'll have to change the Spring boot starter and adapt the web security configuration accordingly.
OAuth2 requests authorization is the responsability of the client. This includes setting the Authorization header with an access token as well as handling the OAuth2 flows to get this token. A resource-server just cares if the request is authorized, if the access token is valid and if it should grant the requested access to the resource based on the claims (in a JWT or introspected).
There are currently two main patterns for "rich" browser apps (Angular, React, Vue, etc.) consuming an OAuth2 resource server:
- the app is configured as an OAuth2 public client (using an OAuth2 client lib). For Angular, I use angular-auth-oidc-client.
- a Backend For Frontend (a middleware on your server) is configured as an OAuth2 confidential client to hide tokens from the app in the browser (which is secured with sessions on the BFF). The BFF is in charge of login, logout, token refreshing, and replacing session with access token before forwarding the browser request to the API.
spring-cloud-gatewayconfigured withspring-boot-starter-oauth2-client(like your current app is) can be used as BFF ifTokenRelay=filter is activated.
The second option is considered preferable because of added security (usage of a confidential client so that tokens can't be delivered to program pretending to be the client, and tokens are hidden from Javascript) ... provided that you handle correctly CSRF protection and session cookies (which must be at minimum secure and http-only, and ideally flagged with samesite)
I wrote some tutorials which cover various OAuth2 configuration scenarios for Spring applications, both resource servers and clients (including gateway as BFF).
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论