是否可以将Azure AD身份验证与AWS中托管的基于Java的现有Web应用程序集成?
[英]Possible option to integrate Azure AD authentication with existing Java based web application hosted in aws?
问题描述
We have mobile application backend running in AWS. 
我们有在AWS中运行的移动应用程序后端。 Backend build using Java spring front end supported for native iOS, native Android and angular js based website, it has own authentication using email id and password. 本机iOS,本机Android和基于angular js的网站均支持使用Java spring前端进行后端构建,它具有使用电子邮件ID和密码进行的身份验证。 Now we are planning to integrate our app authentication with our organisation Active directory which available in Azure AD. 现在,我们计划将应用程序身份验证与组织Active Directory集成在一起,该目录可在Azure AD中使用。
We have outline idea about Azure portal application creation, use ADAL library to get token from azure. 我们有关于Azure门户应用程序创建的概论,使用ADAL库从Azure获取令牌。 But we are not clear about how we can validate token at web service side. 但是我们尚不清楚如何在Web服务端验证令牌。 Could you please enlighten us about integration process 您能给我们有关集成过程的启发吗
1 个解决方案
解决方案1
2 2016-10-20 16:34:18
Unfortunately, Azure AD doesn't have great guidance on securing a web API in Java at this time. 不幸的是,Azure AD目前在保护Java Web API方面没有很好的指导。 However, taking the open-source approach isn't terribly difficult in this case. 但是,在这种情况下,采用开源方法并不困难。
Azure AD's access tokens are JWTs, which are essentially just base64 encoded JSON strings with a signature. Azure AD的访问令牌是JWT,它们实质上只是具有签名的base64编码的JSON字符串。 jwt.io has compiled a nice list of open-source libraries that can be used to validate JWTs (some libraries for generating them too, fyi). jwt.io编译了一个不错的开源库列表,可用于验证JWT(有些库也可以生成它们)。 The best reference material available at this time is: 目前可用的最佳参考材料是:
- The claims listed in this token reference article where necessary (ignore the comment about id_tokens only, that's incorrect). 必要时, 此令牌参考文章中列出的声明(仅忽略有关id_tokens的评论,这是不正确的)。
- The OpenID Connect spec also has some good tidbits on how to validate tokens. OpenID Connect规范在如何验证令牌方面也有一些技巧。 You should also make sure to validate the
scopeclaim, which won't be mentioned there.您还应该确保验证scope声明,此处不会提及。 - This code sample shows how to take this approach, but it's in .NET. 此代码示例显示了如何采用这种方法,但是它在.NET中。 You can follow its patterns for Java. 您可以遵循其Java模式。
The hardest part will be robustly fetching, caching, and refreshing the Azure AD public signing keys, making sure your app can handle key rollover. 最困难的部分是可靠地获取,缓存和刷新Azure AD公共签名密钥,以确保您的应用程序可以处理密钥翻转。 Microsoft's .NET open source library , for instance, refreshes the keys every 24 hours and refreshes them immediately any time signature validation fails. 例如, Microsoft的.NET开源库每24小时刷新一次密钥,并在签名验证失败时立即刷新它们。 Most JWT libraries won't do that for you. 大多数JWT库不会为您做到这一点。 The signing keys are available via Azure AD's OpenID Connect metadata endpoint, 可通过Azure AD的OpenID Connect元数据终结点使用签名密钥,
https://login.microsoftonline.com/<tenant-or-common>/.well-known/openid-configuration
The OpenID Connect spec also has information on the format of the data available there. OpenID Connect规范还提供了有关可用数据格式的信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.