如何在静态Web应用中获取Azure AD访问令牌?
我有一个普通的 Vue.JS SWA,它通过 staticwebapp.config.json 中的这些设置使用标准 Azure AD 身份验证:
"auth": {
"identityProviders": {
"azureActiveDirectory": {
"registration": {
"openIdIssuer": "https://login.microsoftonline.com/common/v2.0",
"clientIdSettingName": "AZURE_CLIENT_ID",
"clientSecretSettingName": "AZURE_CLIENT_SECRET"
}
}
}
}
在 Azure AD 中注册了具有 AZURE_CLIENT_ID 的应用。身份验证是通过标准
/.auth/login/aad
端点调用的。我可以成功登录和注销。 “/.auth/me”端点返回包含所有用户详细信息(角色、ID 等)和声明的 clientPrincipal 对象。
现在我想调用 MS graph API https://graph.microsoft.com/v1.0/我,但不知道如何获取访问令牌以在请求中设置授权标头。我可以看到设置了一个 AppServiceAuthSession cookie,但它不是令牌。
我已经看到了这个 https://stackoverflow.com/questions/59860238/how-to-convert-azure-cookie-appserviceauthsession-to-a-valid-oauth-jwt-access-to ,但是重建整个身份验证流程看起来没有必要,因为我已经登录了。
将不胜感激任何建议。非常感谢!
尝试按原样使用所有 MS Graph API,但正如预期的那样,收到“消息”:“访问令牌为空”。 还查看了 azure/msal-browser 模块,希望能够默默地获取令牌,但对于像我这样的 JS 新手来说,它看起来超级复杂且文档记录很差。
I have a vanilla Vue.JS SWA that uses a standard Azure AD authentication via these settings in staticwebapp.config.json:
"auth": {
"identityProviders": {
"azureActiveDirectory": {
"registration": {
"openIdIssuer": "https://login.microsoftonline.com/common/v2.0",
"clientIdSettingName": "AZURE_CLIENT_ID",
"clientSecretSettingName": "AZURE_CLIENT_SECRET"
}
}
}
}
An app with AZURE_CLIENT_ID is registered in Azure AD. Authentication is called via standard
/.auth/login/aad
endpoint. I can successfully log in and log out. "/.auth/me" endpoint returns clientPrincipal object with all user details (roles, id, etc) and claims.
Now I want to call MS graph API https://graph.microsoft.com/v1.0/me, but don't know how to get the access token to set the Authorization header in the request. I can see that there is a AppServiceAuthSession cookie is set, however it is not a token.
I have seen this https://stackoverflow.com/questions/59860238/how-to-convert-azure-cookie-appserviceauthsession-to-a-valid-oauth-jwt-access-to , however reconstructing the whole auth flow looks unnecessary as I am logged in already.
Will appreciate any advice. Many thanks!
Tried to all MS Graph API as is, but as expected, got "message": "Access token is empty."
Also had a look at azure/msal-browser module in a hope to get the token silently, but it looks super complex and badly documented for a JS novice like me.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
它看起来目前不支持,请参阅此 github 问题:将访问令牌添加到用户详细信息端点。
Its look like its currently not supported see this github issue: Add access token to user details endpoint.
以下微软文档显示了代表用户获取访问权限,您可以参考此DOC 获取访问令牌。
希望这有帮助。
The following microsoft document shows getting the access on behalf of the user, you can refer this DOC to get the access token.
Hope this helps.
不幸的是,看起来此功能不适合Azure静态Web应用程序。
我找到了一个解决方法,可以帮助某人(如果您使用JavaScript MSAL)
可以使用从
/。auth/Meendpoint检索到的loginhint来悄悄地检索您的auth token token。可以发送到您的后端API。参见“ nofollow noreferrer”>应用有关更多信息
It does look like this feature is not available for Azure Static Web Apps unfortunately.
I have found a workaround which might be able to help someone (if you're using Javascript MSAL)
You can use the loginHint retrieved from the
/.auth/meendpoint to quietly retrieve an auth token that you can send to your backend API.See SSO between different apps for more info