
passport-azure-ad, does it parse & validate token?

My MEAN stack application is using Azure AD for authentication. I am using the "passport-azure-ad" module for web API authentication. Based on the post & reply here I understood that:

If the user is already authenticated by the client (UI), then for every API call the client will also send the token to the server. And then on the server we can use the bearer strategy to "Authorize" the user's access to the API.

Now in my scenario I just want to make sure the user is authenticated, and if he is, then allow him to access the API.

Question
1. When the server executes the method "passport.authenticate('oauth-bearer')", will passport-azure-ad automatically parse & validate the token received from the client, or do I need to do any additional steps?
2. What happens when it's not able to validate the token, or if the token is bad or spoofed?

Here is my complete code
AzureAuthenticationService.js

    "use strict";
    var passport = require('passport');
    var OIDCBearerStrategy = require('passport-azure-ad').BearerStrategy;

    var options = {
        identityMetadata: 'https://login.microsoftonline.com/tenantid/.well-known/openid-configuration',
        validateIssuer: true,
        passReqToCallback: false,
        loggingLevel: 'error'
    };

    function configure(app) {
        app.use(passport.initialize());
        app.use(passport.session());

        passport.use(new OIDCBearerStrategy(options,
            function(token, done) {
                //is there anything else i need to do here?
                return done(null, token.unique_name, token);
            }));

        passport.serializeUser(function (user, done) {
            done(null, user);
        });

        passport.deserializeUser(function (id, done) {
            done(null, id);
        });
    }

    function authenticate(req, res, next) {
        //is there anything else i need to do here?
        // The bearer token arrives on every request, so no login session is needed;
        // without { session: false } passport would try req.logIn, which requires
        // session middleware that is not configured here.
        passport.authenticate('oauth-bearer', { session: false })(req, res, next);
    }

    // server.js calls authentication.configure and authentication.authenticate,
    // so both have to be exported from this module.
    module.exports = { configure: configure, authenticate: authenticate };

server.js
'UserService' below is what I use to get users from the database, and I want to protect that API call.

    "use strict";

    var authentication = require('./AzureAuthenticationService');
    var userService = require('./UserService');

    // Initialize server
    var express = require('express');
    var app = exports.app = express();
    authentication.configure(app);

    // Set routes
    app.get('/api/users',authentication.authenticate,userService.getUsers);

I'm the maintainer for passport-azure-ad. To answer your question, yes, it will validate the token for you. It does this using the call to jwtVerify in the code. You can see where this starts here. It will decrypt the token using the keys that are found at the metadata endpoint which is in your configuration.

If the validation is unsuccessful you will get an error from the code, as you'll see above and referenced here:

    jwt.verify(token, PEMkey, options, function(err, token) {
        if (err) {
            if (err instanceof jwt.TokenExpiredError) {
                log.warn("Access token expired");
                done(null, false, 'The access token expired');
            } else if (err instanceof jwt.JsonWebTokenError) {
                log.warn("An error was received validating the token", err.message);
                done(null, false, util.format('Invalid token (%s)', err.message));
            } else {
                done(err, false);
            }
        }
        // (success path of the excerpt omitted here)
    });

Let me know if this helps and if so mark answered. Thanks!
