
Adal angularjs - Azure active directory : hide id_token from URL/querystring

I'm using the adal-angular JS library (adal-angular) for authentication, which generates a token. When login is made and it redirects, the token is appended to the query string like this: https://localhost:8800/Index.html#id_token=eyJ0eXAiOiJKV1QiLCJhb...

Why is this happening, and what should I do to avoid having the token in the URL?

I've checked this and tried the solution, but it's not working for me. Is anything I'm doing wrong? Can anyone please help me?

Here is the code I'm using:

app.js

var app = angular.module('app', [
  'ngRoute',
  'AdalAngular',
]);

app.config([
  "$routeProvider",
  "$locationProvider",
  "$httpProvider",                     // needed: it is passed to adalProvider.init below
  "adalAuthenticationServiceProvider", // trailing comma was missing
  function (
    $routeProvider,
    $locationProvider,
    $httpProvider,
    adalProvider
  ) {
    $locationProvider.hashPrefix("");
    // configuration_object, urlBase and version are defined elsewhere in the app
    adalProvider.init(configuration_object, $httpProvider);

    $routeProvider
      .when("/abcd", {
        templateUrl: urlBase + "abcd.html" + version,
        controller: "abcdCtrl",
        requireADLogin: true,
      })
      .otherwise({
        redirectTo: "/login",
      });
  }
]);

loginCtrl.js

angular.module("app").controller("loginCtrl", [
  "adalAuthenticationService",
  function (
    adalService
  ) {
    // Triggers the redirect to Azure AD; the response comes back on the reply URL
    adalService.login();
  }
]);

The token is returned in the query string because adal-angular uses the Implicit Grant, where the tokens are returned from the authorization endpoint directly instead of the app acquiring them from the token endpoint.

To hide them from the URLs, you will need to use the Authorization Code Grant with PKCE. This flow is supported only by the newer versions of MSAL.js, there is an Angular wrapper here: https://www.npmjs.com/package/@azure/msal-angular . You will also need to change your reply URLs to Single Page Application platform so that this newer flow is supported. If you want to know how this flow works, the documentation has some details: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow . Essentially, only an authorization code is passed in the URL, the tokens are acquired from the token endpoint with an HTTP request from your front-end.

Do note that in both of these flows the tokens are still visible to the users of your app, since the code runs on their machines :)
