stackoom
  简体   繁体   中英

Multi-tenant ADAL JS SPA along with an Azure AD web application back-end

 原文  2016-09-08 18:25:44       angularjs/ azure/ authentication/ adal/ adal.js

Question

I'm currently trying to implement a multi-tenant Azure AD application that will use Microsoft Graph API's to monitor and analyze Office 365 "metadata" for members of the tenant domain. For example, the application might monitor One Drive user space over time. The architecture of the application will include an AngularJS SPA client along with a web application back-end. The idea is that the web application allows for both local registration (eg traditional sign up using an email address and password) in addition to Azure AD authentication. In the case of local registration, the user might be able to associate an Azure AD tenancy with the local account in the future, for example.

I'm struggling to understand how various authentication mechanisms should work. For example, I think that there should be two levels of authentication in the case of Azure AD: one authentication for the users of the client SPA, and another authentication used by the back-end for making continuous calls to the Microsoft API's, requesting refresh tokens, etc.

  • How might this architecture be implemented using the various Azure AD authentication scenarios Microsoft has already provided examples for?
  • If my initial inclination that I will have two applications registered with Azure AD (for example, the SPA registered as a native application, say, and the web application registered by itself), how will users allow access to both of them, and what would this workflow look like? In addition, what would the flow of user requests look like? The SPA would make a request to the back-end using its Azure AD token, but what will the back-end do to receive its authentication token and make calls to the Microsoft API's?
  • How might I best incorporate Azure AD authentication along with local registration into my application?

1 answers

solution1
 0  2016-09-12 02:56:24

Generally speaking, you can associate your each user to his entity in Azure AD tenant in your backend server / database. As every user in Azure AD has several unique properties in the entity object. You can use the user's email or objectId as mentioned at Claims in Azure AD Security Tokens as the external column in your user table.

When your user authenticate your site via ADAL.JS , you can grab the access token in your backend server via the Authentication header. You can use the access token to request for the resources protected by Azure AD. And the access token is a JWT token, which you can decode directly to get the user basic claims as we mentioned before. You can retrieve the claim which you stored in your user table and match the special user registered in your server for requesting the resource protected by your self.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question securing SPA multi-tenant SaaS application Make Azure AD B2C Application a Multi-Tenant Application AngularJS SPA with ASP.NET Web API back-end Web Application front-end and back-end misunderstanding back-end vs front-end controlled web application How back-end works with an Angular web app multi user AngularJS, .NET Web API, and back-end authorization when returning views in a SPA Best way to load customer parameters in a multi-tenant angularJS application Setting up test data for full-stack testing of a single page web application and its back-end ADAL JS Forced Logout in SPA
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM