2023年5月29日 21:37:25go评论53阅读模式

英文:

Angular MSAL - doubts about Bearer token and AUD property

问题

I'm trying to set up the MSAL library to log in to Azure AD. Using the redirect flow in APP_INIT, I can log in and obtain the token. This is the configuration I use:

export function MSALInstanceFactory(): IPublicClientApplication {
  return new PublicClientApplication({
    auth: {
      clientId: '4015ef49-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
      authority: 'https://login.microsoftonline.com/2716828a-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
      protocolMode: ProtocolMode.OIDC,
      redirectUri: '/',
      postLogoutRedirectUri: '/'
    },
    cache: {
      cacheLocation: BrowserCacheLocation.LocalStorage,
      storeAuthStateInCookie: false
    },
    system: {
      // ... just logging
    }
  });
}

export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
  const protectedResourceMap = new Map<string, Array<string>>();
  protectedResourceMap.set('/', ['api://15c38238-xxxx-xxxx-xxxx-xxxxxxxxxxxx/api.test']);

  return {
    interactionType: InteractionType.Redirect,
    protectedResourceMap
  };
}

Everything works fine. When the user navigates to the page, they are immediately redirected to the Azure Login screen, authenticated, navigated back, and a BEARER token can be seen attached to the user/getInfo endpoint:

RAQABAAIAAAD--DLA3WO7QrddgJg7WeWrjQWKU1S2_FUBT2YAGgf8warZb_WeNfmM_d77BrbdQ8YxZ1rRq6xlREbnz1C5GRF1MikYUBKMs4wCUFbKju3AniERix1K1ZISi3RNgQjyS4rILQ8JhYfYL5adMWzfr1UjKheKZkdG8aZRHfRxi7DZua3WLYW5sAdBRWYttjQXWIJeFmRZbLDHUhhdYSRSxHGRli4tXQkcJtRtJOcWRY3EmQOAARRqcLJr8R3-EgRsmM3HNdGwbfBqRsjnNE6uass_t3YIzMib_CsfZAHGWnReutIl-x83a_wjWAWff8o3NlA65LXwaCI08n-Yeo8ji8-1fnS0iw1zEUh-nLsfdDCRWs0aF-zkuyoZSq52r28u2ujRz4HddWScQsZJJ6sUJCWScWGgLwXKGagEcyCHcIjZ-0-c5yIzyqRlcWRry5ZaqCTndU3GDhRmqDki5F1qQkY1HExqHKWxJDRH87YZ4brXrIdqLt1d8R2ufrqbWRQHMQHNqMCU8hNbS80mfEsnClf4OLNIQqW0A3LKyKIecuUnK5YCxtIhb8R8hUW4-M17hnG-5GmfRZOGODhbTqsYos1cIAA

However, this token appears to be an opaque string, and I cannot determine its contents. When I check the ID token, I see that the AUD property contains the value of the clientId provided in the configuration:

aud: '4015ef49-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

Then, when I check Local Storage, I can find a key that contains the provided WEB API resource:

target: "api://15c38238-xxxx-xxxx-xxxx-xxxxxxxxxxxx/api.test"

The backend team tells me that the BEARER token is incorrect and should be a standard JWT that we can parse. I'm unsure if this is correct. We both have doubts about the AUD; shouldn't it be equal to the WEB API clientId like this:

aud: '15c38238-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

At the moment, our REST API throws a 401 error, and I can't determine if it's due to misconfiguration on the frontend side or a backend problem. Is my configuration correct?

英文:

I'm trying to set up MSAL library to login in to the Azure AD. Using the redirect flow in the APP_INIT, I'm able to login and obtain the token. This is the config I use:

export function MSALInstanceFactory(): IPublicClientApplication {
  return new PublicClientApplication({
    auth: {
      clientId: &#39;4015ef49-xxxx-xxxx-xxxx-xxxxxxxxxxxx&#39;,
      authority: &#39;https://login.microsoftonline.com/2716828a-xxxx-xxxx-xxxx-xxxxxxxxxxxx&#39;,
      protocolMode: ProtocolMode.OIDC,
      redirectUri: &#39;/&#39;,
      postLogoutRedirectUri: &#39;/&#39;
    },
    cache: {
      cacheLocation: BrowserCacheLocation.LocalStorage,
      storeAuthStateInCookie: false
    },
    system: {
      // ... just logging
    }
  });
}

export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
  const protectedResourceMap = new Map&lt;string, Array&lt;string&gt;&gt;();
  protectedResourceMap.set(&#39;/&#39;, [&#39;api://15c38238-xxxx-xxxx-xxxx-xxxxxxxxxxxx/api.test&#39;]);

  return {
    interactionType: InteractionType.Redirect,
    protectedResourceMap
  };
}

Everything works fine, when user navigates to the page, they are immediately redirected to Azure Login screen, authenticated, navigated back and BEARER token can be seen attached to user/getInfo endpoint.

RAQABAAIAAAD--DLA3WO7QrddgJg7WeWrjQWKU1S2_FUBT2YAGgf8warZb_WeNfmM_d77BrbdQ8YxZ1rRq6xlREbnz1C5GRF1MikYUBKMs4wCUFbKju3AniERix1K1ZISi3RNgQjyS4rILQ8JhYfYL5adMWzfr1UjKheKZkdG8aZRHfRxi7DZua3WLYW5sAdBRWYttjQXWIJeFmRZbLDHUhhdYSRSxHGRli4tXQkcJtRtJOcWRY3EmQOAARRqcLJr8R3-EgRsmM3HNdGwbfBqRsjnNE6uass_t3YIzMib_CsfZAHGWnReutIl-x83a_wjWAWff8o3NlA65LXwaCI08n-Yeo8ji8-1fnS0iw1zEUh-nLsfdDCRWs0aF-zkuyoZSq52r28u2ujRz4HddWScQsZJJ6sUJCWScWGgLwXKGagEcyCHcIjZ-0-c5yIzyqRlcWRry5ZaqCTndU3GDhRmqDki5F1qQkY1HExqHKWxJDRH87YZ4brXrIdqLt1d8R2ufrqbWRQHMQHNqMCU8hNbS80mfEsnClf4OLNIQqW0A3LKyKIecuUnK5YCxtIhb8R8hUW4-M17hnG-5GmfRZOGODhbTqsYos1cIAA

But, as you can see, it's an opaque string and I can't tell what it contains. When I check the ID token I see that the AUD property has the value of a clientId provided in the config:

aud: &#39;4015ef49-xxxx-xxxx-xxxx-xxxxxxxxxxxx&#39;

Then when I check the Local Storage, I can find a key which contains provided WEB API resource:

target: &quot;api://15c38238-xxxx-xxxx-xxxx-xxxxxxxxxxxx/api.test&quot;

BE guy tells me, that the BEARER is incorrect and it should be standard JWT which we can parse. I have no idea if it is correct or not.
Then we both have doubts about AUD, shouldn't it be equal to the WEB API clientId? Like this?

aud: &#39;15c38238-xxxx-xxxx-xxxx-xxxxxxxxxxxx&#39;

At the moment, our Rest API throws 401 and I can't tell if it's because of some misconfiguration on the FE side, or if it's a BE problem? Is my config correct?

答案1

得分: 0

我们找到了问题，发现前端和后端都有问题。至于 Angular 代码，我做了两个更改。

移除了 OIDC 协议。我以为在使用 OAuth 方法时是必需的，但事实并非如此。

export function MSALInstanceFactory(): IPublicClientApplication {
  return new PublicClientApplication({
    auth: {
      clientId: '4015ef49-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
      authority: 'https://login.microsoftonline.com/2716828a-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
      //protocolMode: ProtocolMode.OIDC, // 移除后，访问令牌以标准 JWT 格式到达
      redirectUri: '/',
      postLogoutRedirectUri: '/'
    },
    // ...
  });
}

直接在登录重定向调用中添加了作用域。

const request: RedirectRequest = {
  scopes: ['api://15c38238-xxxx-xxxx-xxxx-xxxxxxxxxxxx/api.test']
  // 在重定向调用中添加所需的第三方 Web API 作用域
  // 也适用于弹出式登录。
};

return msal.loginRedirect(request).pipe(map(() => true));

问题已解决。

英文:

So we figured it out, finding issues on both FE and BE side. As for the Angular code, there are two things I changed.

Removed OIDC protocol. I thought it's a must when using OAuth approach, but it isn't as it turns out.

export function MSALInstanceFactory(): IPublicClientApplication {
  return new PublicClientApplication({
    auth: {
      clientId: &#39;4015ef49-xxxx-xxxx-xxxx-xxxxxxxxxxxx&#39;,
      authority: &#39;https://login.microsoftonline.com/2716828a-xxxx-xxxx-xxxx-xxxxxxxxxxxx&#39;,
      //protocolMode: ProtocolMode.OIDC, // After removing, Acces token arrives in standard JWT format
      redirectUri: &#39;/&#39;,
      postLogoutRedirectUri: &#39;/&#39;
    },
    // ...
  });
}

Added scopes directly to the login redirect call.

const request: RedirectRequest = {
  scopes: [api://15c38238-xxxx-xxxx-xxxx-xxxxxxxxxxxx/api.test]
  // Add required 3rd party Web API scope to the redirect call
  // Works with popup login too.
};

return msal.loginRedirect(request).pipe(map(() =&gt; true));

That solved it.

通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库，让每个人都能够通过互相帮助和分享经验来进步。

Angular MSAL – 对于Bearer令牌和AUD属性的疑问

问题

答案1

Angular 发送 POST 请求时出现 [object%20Object] 错误。

undefined when accessing an object in NestJS

无法生成 Angular 中的 karma.conf。

离线认证

What's the correct way to type hint an empty list as a literal in python?

如何在Highcharts Gantt中更改本地化的星期名称

如何在同一个流中使用多个过滤器和映射函数？

如何使用Map/Set来将代码优化到O(n)？

.NET MAUI Android在GitHub Actions上构建失败，错误代码为1。

如何在Playwright视觉比较中屏蔽多个定位器？

在C++中，可以使用可变模板参数来检索类型的内部类型。

selenium.common.exceptions.StaleElementReferenceException: Message: stale element reference: stale element not found

Creating and opening a URL to log in to Website via Basic Auth with Robot Framework/Selenium (Python)

AG Grid 在上下文菜单中以大文本形式打开

发表评论