Question
I want to add authentication to my app using Azure AD
Right now my flow is like
User -> AngularApp -> Azure Login -> AngularApp w/token -> API Call to backend w/token -> API Backend verifies token with Azure each call
I have following questions:
- Is there a better way to do this?
- Every API call is verified with Azure. Is it required?
- Should I have two different client IDs for the UI and the API?
Answer 1:
Is there a better way to do this?
This is the standard way.
Every API call is verified with Azure. Is it required?
Your API back-end does not verify the token with AAD each time. It downloads the public signing keys for Azure AD at startup (if you use standard components), and verifies the token using them.
Should I have two different client IDs for the UI and the API?
When you make a v2 application through the new App registrations experience, you can define the front-end and back-end API in a single app quite nicely. You can also define them as separate apps.
Answer 2:
What do you mean by better? (fewer redirects?)
What you describe is a standard OpenID Connect flow that is used all over the web right now. Whenever you are using your Google, Facebook or GitHub login to log in to some other page, you are using that standard.
It is a pretty secure and easy way of doing authorization/authentication on the web these days.
A little side note: make sure that the token is valid for an appropriate amount of time.
Source: https://stackoverflow.com/questions/53493931/azure-ad-auth-with-angular-and-netcore2-webapi