从 Angular 调用 Azure 函数 API Static Web 带有 Azure Active Directory 授权的页面前端
[英]Call Azure Functions API from Angular Static Web Page Frontend with Azure Active Directory Authorization
问题描述
Both my Frontend and Backend(Azure Functions) are secured by Azure Active Directory(AAD).
我的前端和后端(Azure Functions)都受到 Azure Active Directory(AAD)的保护。
Frontend: I have implemented MSAL in Angular the way its described here: ( https://www.pshul.com/2020/02/07/azure-ad-authentication-from-angular-to-azure-functions/ ).前端:我已经按照此处描述的方式在 Angular 中实施了 MSAL:( https://www.pshul.com/2020/02/07/azure-ad-authentication-from-angular-to-azure-functions/ )。 Now, when opening my Angular Webpage, i get redirected to a Microsoft Login, which only accepts correct users and accounts, which seem to work.现在,当打开我的 Angular 网页时,我被重定向到 Microsoft 登录,它只接受正确的用户和帐户,这似乎有效。
Backend: My backend endpoints do not allow requests without a valid id_token from an registered Account.后端:我的后端端点不允许来自已注册帐户的没有有效 id_token 的请求。 All requests with an invalid token will result in a 401 (Unauthorized) error, which also seems to work.所有带有无效令牌的请求都将导致 401(未授权)错误,这似乎也有效。
The problem lies in calling backend functions from my frontend, or rather in getting an id_token: When i have logged in in the frontend like i have described above, i want to store the id_token and have my intercepter send it with every request, so i dont need an additional login every request.问题在于从我的前端调用后端函数,或者更确切地说是获取一个 id_token:当我像上面描述的那样登录到前端时,我想存储 id_token 并让我的拦截器在每个请求中发送它,所以我不需要每次请求都额外登录。 In the link I mentioned this seemed to be handled by MSAL and MSALInterceptor, which didnt work for me (it didnt send any bearer token to the backend), so I had my own interceptor grab the token from the localStorage.在我提到的链接中,这似乎由 MSAL 和 MSALInterceptor 处理,这对我不起作用(它没有向后端发送任何不记名令牌),所以我让我自己的拦截器从 localStorage 获取令牌。 The problem is, that the token from the localStorage also results in a 401 Error, so it seems to be invalid.问题是,来自 localStorage 的令牌也会导致 401 错误,因此它似乎无效。 When i am not misunderstanding, when logging in, it calls the login and gets an id-token from https://MyAzureWebPage/.auth/me, which it stores in the local storage, but that token doesnt work.当我没有误解时,登录时,它调用登录并从 https://MyAzureWebPage/.auth/me 获取一个 id-token,它存储在本地存储中,但该令牌不起作用。 When calling https://MyAzureWebPage/.auth/me manually and using that id_token with postman, it works.当手动调用 https://MyAzureWebPage/.auth/me 并将该 id_token 与 postman 一起使用时,它可以工作。 Does anybody know what im doing wrong or where i can get the correct id_token?有谁知道我做错了什么或者我在哪里可以获得正确的 id_token?
Here is my MSAL configuration, maybe im doing something wrong there:这是我的 MSAL 配置,也许我在那里做错了什么:
MsalModule.forRoot({
auth: {
clientId: 'myCliendAdd',
authority: "https://login.microsoftonline.com/myTenantID",
},
cache: {
cacheLocation: 'localStorage',
storeAuthStateInCookie: isIE, // Set to true for Internet Explorer 11
},
},
{
popUp: !isIE,
consentScopes: [
'user.read',
'openid',
'profile',
],
unprotectedResources: [],
protectedResourceMap: [
['https://MyAzureWebPage/.auth/me', ['user.read']]
],
extraQueryParameters: {}
}),
providers: [
AuthGuard,
RoleGuard,
{ provide: HTTP_INTERCEPTORS, useClass: MsalInterceptor, multi: true }
],
bootstrap: [AppComponent],
})
For some reason, the token i get from the msal (example:出于某种原因,我从 msal 获得的令牌(例如:
this.broadcastService.subscribe("msal:acquireTokenSuccess", payload => {
console.log(payload)
});
and from the localStorage is different from the token i get when i call https://MyAzureWebPage/.auth/me, which is the only one which seems to work并且 localStorage 不同于我调用 https://MyAzureWebPage/.auth/me 时获得的令牌,这是唯一一个似乎有效的令牌
If you need any further information I will add it here如果您需要任何进一步的信息,我将在此处添加
1 个解决方案
解决方案1
0 2020-11-12 03:36:50
If you want to call Azure function projected by Azure AD in angular application, please refer to the following code如果想在angular应用中调用Azure AD投影的Azure function,请参考以下代码
Create Azure AD application to protect function
创建Azure AD应用保护functionRegister Azure AD application.
注册Azure AD申请。 After doing that, please copy Application (client) ID and the Directory (tenant) ID完成后,请复制应用程序(客户端)ID和目录(租户)IDConfigure Redirect URI .
配置重定向 URI 。 Select Web and type <app-url>/.auth/login/aad/callback.Select Web并输入<app-url>/.auth/login/aad/callback。Enable Implicit grant flow
启用隐式授权流程Define API scope and copy it
定义 API scope 并复制Create client secret.
创建客户端密钥。
Enable Azure Active Directory in your App Service app
在应用服务应用中启用 Azure Active DirectoryCreate Client AD application to access function
创建Client AD应用访问function- Register application注册申请
- Enable Implicit grant flow启用隐式授权流程
- configure API permissions.配置 API 权限。 Let your client application have permissions to access function让你的客户端应用有权限访问function
- Register application
Code
代码
MsalModule.forRoot(
{
auth: {
clientId: '232a1406-b27b-4667-b8c2-3a865c42b79c',
authority:
'https://login.microsoftonline.com/e4c9ab4e-bd27-40d5-8459-230ba2a757fb',
redirectUri: 'http://localhost:4200/',
},
cache: {
cacheLocation: 'localStorage',
storeAuthStateInCookie: isIE, // set to true for IE 11
},
},
{
popUp: !isIE,
consentScopes: [
'user.read',
'openid',
'profile',
'<your function app scope your define>',
],
unprotectedResources: [],
protectedResourceMap: [
[
'<your function app url>',
[<your function app scope you define>],
]
],
extraQueryParameters: {},
}
),
],
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.