我正在try 设置MSAL库以登录到Azure AD.使用APP_INIT中的重定向流,我能够登录并获得令牌.这是我使用的配置:
export function MSALInstanceFactory(): IPublicClientApplication {
return new PublicClientApplication({
auth: {
clientId: '4015ef49-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
authority: 'https://login.microsoftonline.com/2716828a-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
protocolMode: ProtocolMode.OIDC,
redirectUri: '/',
postLogoutRedirectUri: '/'
},
cache: {
cacheLocation: BrowserCacheLocation.LocalStorage,
storeAuthStateInCookie: false
},
system: {
// ... just logging
}
});
}
export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
const protectedResourceMap = new Map<string, Array<string>>();
protectedResourceMap.set('/', ['api://15c38238-xxxx-xxxx-xxxx-xxxxxxxxxxxx/api.test']);
return {
interactionType: InteractionType.Redirect,
protectedResourceMap
};
}
一切正常,当用户导航到页面时,他们立即被重定向到Azure登录屏幕,经过身份验证,导航回来,可以看到连接到user/getInfo
端点的持有者令牌.
RAQABAAIAAAD--DLA3WO7QrddgJg7WeWrjQWKU1S2_FUBT2YAGgf8warZb_WeNfmM_d77BrbdQ8YxZ1rRq6xlREbnz1C5GRF1MikYUBKMs4wCUFbKju3AniERix1K1ZISi3RNgQjyS4rILQ8JhYfYL5adMWzfr1UjKheKZkdG8aZRHfRxi7DZua3WLYW5sAdBRWYttjQXWIJeFmRZbLDHUhhdYSRSxHGRli4tXQkcJtRtJOcWRY3EmQOAARRqcLJr8R3-EgRsmM3HNdGwbfBqRsjnNE6uass_t3YIzMib_CsfZAHGWnReutIl-x83a_wjWAWff8o3NlA65LXwaCI08n-Yeo8ji8-1fnS0iw1zEUh-nLsfdDCRWs0aF-zkuyoZSq52r28u2ujRz4HddWScQsZJJ6sUJCWScWGgLwXKGagEcyCHcIjZ-0-c5yIzyqRlcWRry5ZaqCTndU3GDhRmqDki5F1qQkY1HExqHKWxJDRH87YZ4brXrIdqLt1d8R2ufrqbWRQHMQHNqMCU8hNbS80mfEsnClf4OLNIQqW0A3LKyKIecuUnK5YCxtIhb8R8hUW4-M17hnG-5GmfRZOGODhbTqsYos1cIAA
但是,正如你所看到的,它是一根不透明的绳子,我不知道它包含什么.当我判断ID令牌时,我看到AUD属性的值是配置中提供的clientId
:
aud: '4015ef49-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
然后,当我判断本地存储时,我可以找到一个包含提供的Web API资源的密钥:
target: "api://15c38238-xxxx-xxxx-xxxx-xxxxxxxxxxxx/api.test"
Be Guy告诉我,持有者是不正确的,它应该是我们可以解析的标准JWT.我不知道这是对是错.
那么我们都对AUD
有疑问,它不是应该等于Web API clientId
吗?是像这样吗?
aud: '15c38238-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
目前,我们的REST API抛出了401,我不知道这是因为FE端的一些错误配置,还是BE的问题?我的配置正确吗?