passport-azure-ad: which strategy to use

半阙折子戏 2021-02-02 04:27

We have front end developed in AngularJS and backend APIs in NodeJs. We are using Azure AD for authentication. Frontend Angular is using adal-angular javascript library for azur

1 answer

    小鲜肉 (OP)
    2021-02-02 04:53

    I maintain passport-azure-ad. The difference here is between "authorization" and "authentication".

    OAuth2 is used for authorization (do I have access to this?).

    OpenID Connect is used for authentication (this is who I am).

    When you are connecting to web APIs, the user most likely already has an identity (they've been through authentication) and now you just want to ensure that the user has access to the APIs (authorization). OAuth2 is used to protect resources and consumes tokens from an IdP to ensure tokens are valid and that the user has access to that resource. Bearer is just the type of token that we (and the industry) use for OAuth2. If someone comes to you without a token at all, you reject them and then it's up to the client that called you to know where to take them to get the right token you need.

    OpenID Connect is built on top of OAuth2 and is purely for logging people in and getting the tokens that you will then eventually send to a Web API (which would in turn use OAuth2 with Bearer token). So OpenID Connect is used for authentication.

    In your scenario you are using Angular which is doing the OpenID Connect authentication for you, so your Web APIs should be using the Bearer strategy.

    I have written a sample that walks you through all of this here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-webapi-nodejs/ that uses the MEAN stack, and which uses an iOS sample application I wrote as a front end. Playing with both of these, it's easy to see how one acts as the authentication piece (iOS app) and the other sits there and protects the API acting as the authorization piece (the node.js app).

    Code for node.js app: https://github.com/Azure-Samples/active-directory-node-webapi

    Code for iOS app: https://github.com/Azure-Samples/active-directory-ios

    Deeper dive into these topics is here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/

    Let me know if you have any other questions!
