[英]Shibboleth authentication for an Angular single page application (SPA)
Is it possible to use Shibboleth within an Angular4 SPA? 是否可以在Angular4 SPA中使用Shibboleth? If yes, how? 如果有,怎么样?
My scenario is the following: I have a SPA that can be accessed globally without login. 我的方案如下:我有一个SPA,无需登录即可全局访问。 Certain pages should only be accessed after login with Shibboleth. 只有在使用Shibboleth登录后才能访问某些页面。 Therefore I'd like to authenticate the user via Shibboleth and generate a JWT for the user, which is used to authenticate against the APIs which are delivering the content for the protected page. 因此,我想通过Shibboleth对用户进行身份验证,并为用户生成JWT,用于对提供受保护页面内容的API进行身份验证。
The problem, I am facing is, that the user has to navigate to the shibboleth-login-page on the service-provider and therefore leave the SPA to login. 我面临的问题是,用户必须导航到服务提供商的shibboleth-login-page,因此请保持SPA登录。 So I can create a JWT on a shibboleth-protected site like /shibprotected/getJWT
, and redirect the user there. 所以我可以在受shibboleth保护的网站上创建一个JWT,如/shibprotected/getJWT
,并将用户重定向到那里。 But how do I get the token back in my Angular-application? 但是如何在我的Angular应用程序中获取令牌? And how can I redirect the user back to the application then? 那么如何将用户重定向回应用程序呢?
May I use cookies for this task? 我可以使用cookies来完成这项任务吗?
finnaly I managed the task with the following setup: finnaly我通过以下设置管理任务:
in an auth-service I generate the login-URL, which can be referenced via <a href="authService.getLoginUrl('/currentpage')">Login</a>
: 在身份验证服务中,我生成login-URL,可以通过<a href="authService.getLoginUrl('/currentpage')">Login</a>
引用:
getLoginUrl(returnUrl = '') { if (returnUrl === '' || returnUrl.startsWith('/')) { returnUrl = window.location.origin + returnUrl; } return environment.backend_server_url + '/shibprotected/getJWT?return_url=' + encodeURIComponent(returnUrl); }
In /shibprotected/getJWT
(which is a page protected via shibboleth on the same server) I generate the JWT and set it to a cookie. 在/shibprotected/getJWT
(这是在同一台服务器上通过shibboleth保护的页面)我生成JWT并将其设置为cookie。 then I redirect to return_url: 然后我重定向到return_url:
setcookie("token", $token); header("Location: " . $return_url);
back in the angular-app I'm checking for the token in document.cookie
回到angular-app我正在检查document.cookie
的令牌
This approach has two disadvantages which are maybe unavoidable when using shibboleth with a SPA: 这种方法有两个缺点,在使用带有SPA的shibboleth时可能是不可避免的:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.