是否可以使用 Microsoft 身份验证库从 SPA 进行身份验证但没有重定向 Uri?
[英]Is it possible to authenticate from SPA with Microsoft Authentication Library but without Redirect Uri?
问题描述
I'm creating a Javascript single page application.
我正在创建一个 Javascript 单页应用程序。 It requires a user to sign in during the implicit flow in order to use Microsoft Graph API later on.它要求用户在隐式流程期间登录,以便稍后使用 Microsoft Graph API。 I'm using MSAL.js and trying to adapt snippets from this guide to get auth token from authRedirectCallBack我正在使用 MSAL.js 并尝试改编本指南中的片段以从authRedirectCallBack获取身份验证令牌
I realize that in other flows redirect uri (used after authentication) is essential to get the token and proceed with it.我意识到在其他流程中重定向 uri (在身份验证后使用)对于获取令牌并继续进行是必不可少的。 However in my flow I have token processed in the Javascript callback function.但是,在我的流程中,我在 Javascript 回调函数中处理了令牌。
Is it possible to avoid providing redirect uri in App registration with Azure AD and/or during the code execution?是否可以避免在向 Azure AD 注册应用程序和/或在代码执行期间提供重定向 uri ? I'd like not to bring the user to this redirect uri at all.我根本不想将用户带到此重定向 uri。
At the moment my code looks like this:目前我的代码如下所示:
var msalConfig = {
auth: {
clientId: 'my-app-id',
},
cache: {
cacheLocation: "localStorage",
storeAuthStateInCookie: true,
forceRefresh: false
}
};
const loginRequest = {scopes: ['openid', 'profile', 'user.read']};
const msalClient = new Msal.UserAgentApplication(msalConfig);
msalClient.handleRedirectCallback(authRedirectCallBack);
singIn();
async function singIn() {
try {
msalClient.loginPopup(loginRequest).then(function (response) {
if (msalClient.getAccount()) {
console.log('logged');
}
});
} catch (err) {
console.log(err);
}
}
function authRedirectCallBack(err, response) {
if (err) {
console.log(err);
} else {
if (response.tokenType === "access_token") {
console.log('token', response);
}
}
}
1 个解决方案
解决方案1
2 2020-03-16 16:32:32
A redirect URI is required, as it is the main security mechanism we use to ensure the response is not returned to an unauthorized party, as the Implicit Flow relies on redirecting iframes/popups/windows back to your application with the response in the hash of the url.重定向 URI 是必需的,因为它是我们用来确保响应不会返回给未经授权的一方的主要安全机制,因为隐式流依赖于将 iframes/popups/windows 重定向回您的应用程序,其中响应的哈希值为网址。
Note, that if you use loginPopup/acquireTokenPopup/acquireTokenSilent, the end user will not really "see" this redirect page, as it is visited only briefly in either a hidden iframe (for acquireTokenSilent) or popup window.请注意,如果您使用 loginPopup/acquireTokenPopup/acquireTokenSilent,最终用户将不会真正“看到”这个重定向页面,因为它只会在隐藏的 iframe(对于acquireTokenSilent)或弹出窗口中被短暂访问。 As soon as MSAL.js sees that the iframe/popup has been redirected back to your application, the response is parsed and the popup/iframe is closed.一旦 MSAL.js 发现 iframe/popup 已重定向回您的应用程序,就会解析响应并关闭 popup/iframe。
We are working on a new version of the library that will switch to the Auth Code Flow w/ PKCE, which will not use hidden iframes, however, it will still use popups/redirects.我们正在开发一个新版本的库,它将切换到带有 PKCE 的 Auth Code Flow,它不会使用隐藏的 iframe,但是,它仍然会使用弹出窗口/重定向。
Can you further explain why you don't want your users to visit the redirect page?您能否进一步解释为什么您不希望您的用户访问重定向页面?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.