使用 MSAL 时,如何避免为 Blazor 服务器使用客户端密码或证书?
[英]How do I avoid using a client secret or certificate for Blazor Server when using MSAL?
问题描述
When using Blazor Server and the MSAL library you must provide either a client secret or a client certificate.
使用 Blazor 服务器和 MSAL 库时,您必须提供客户端密码或客户端证书。 Here is what a Blazor Server project uses to setup the authentication out of the box.这是 Blazor 服务器项目用来设置开箱即用的身份验证的内容。
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
However in the Blazor WASM (Or Blazor Client) project they set things up this way然而,在 Blazor WASM(或 Blazor 客户端)项目中,他们是这样设置的
builder.Services.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
});
Obviously this method doesn't require a Client Secret for security reasons.显然,出于安全原因,此方法不需要客户端密码。 The AddMsalAuthentication() method that it uses is only found in the WebAssembly MSAL library.它使用的AddMsalAuthentication()方法只能在 WebAssembly MSAL 库中找到。
We don't use a key vault as our company doesn't want to pay for one at this time.我们不使用密钥保管库,因为我们公司目前不想为此付费。 So we have to manually update all the client secrets every 24 months.所以我们必须每 24 个月手动更新所有客户端机密。 To avoid this we want to try to implement a public client flow in our Blazor Server apps.为避免这种情况,我们想尝试在我们的 Blazor 服务器应用程序中实施公共客户端流程。 We already have a bunch of them so we don't want to have to move them to WebAssembly.我们已经有了很多,所以我们不想将它们转移到 WebAssembly。
I did try to implement using a public client builder manually but the .AddMicrosoftIdentityWebApp() portion would still require a client secret to allow the first login.我确实尝试过手动使用公共客户端构建器来实现,但是.AddMicrosoftIdentityWebApp()部分仍然需要客户端密码才能允许首次登录。
In Blazor Server is there a way to implement the same behavior as the WebAssembly authentication, in other words, can we avoid using Client Secrets and Certificates?在 Blazor Server 中有没有办法实现与 WebAssembly 身份验证相同的行为,换句话说,我们可以避免使用 Client Secrets 和 Certificates 吗?
1 个解决方案
解决方案1
0 2022-04-25 04:44:51
I would recommend to do as the following to be able to retrieve access token without client secret.我建议按照以下步骤进行操作,以便能够在没有客户端密码的情况下检索访问令牌。
Statup class:启动 class:
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(o => {
o.UsePkce = true;
o.ClientId = "clientId";
o.TenantId = "tenantId";
o.Domain = "domain.onmicrosoft.com";
o.Instance = "https://login.microsoftonline.com";
o.CallbackPath = "/signin-oidc";
o.Scope.Add("scopeApi1");
o.Scope.Add("offline_access");
o.ResponseType = "code";
var defaultBackChannel = new HttpClient(); defaultBackChannel.DefaultRequestHeaders.Add("Origin", "thisismyapp");
o.Backchannel = defaultBackChannel;
});
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
options.SaveTokens = true;
options.Events.OnTokenValidated = async context =>
{
// Here you will be able to see the accesstoken.
var accessToken = context.TokenEndpointResponse.AccessToken;
var refreshToken = context.TokenEndpointResponse.RefreshToken;
};
});
In your case change the "service" to "builder.Services".在您的情况下,将“服务”更改为“builder.Services”。 Then in the _Host.cshtml然后在 _Host.cshtml
var accessToken = await HttpContext.GetTokenAsync("access_token");
var refreshToken = await HttpContext.GetTokenAsync("refresh_token");
<component type="typeof(App)" param-AccessToken="@accessToken" param-RefreshToken="@refreshToken" render-mode="Server" />
In App.razor:在 App.razor 中:
[Parameter]
public string AccessToken { get; set; }
[Parameter]
public string RefreshToken { get; set; }
From here you will be able to do what ever you want with the accesstoken..从这里你将能够使用访问令牌做任何你想做的事..
Some issue i have been facing with this, is how to get a new accesstoken with the refreshtoken without client secret.我一直面临的一些问题是如何在没有客户端密码的情况下使用刷新令牌获取新的访问令牌。 If you figure it out, let me know.如果你弄明白了,请告诉我。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.