您的位置: 首页  >  技术问答  >  使用来自ADFS的OAuth2访问令牌对Web UI进行身份验证

使用来自ADFS的OAuth2访问令牌对Web UI进行身份验证

分类: 技术问答 2022-03-13 17:03:52

使用来自ADFS的OAuth2访问令牌对Web UI进行身份验证

问题描述:

在Ionic移动应用程序中,我们需要访问Web API ,以在Ionic WebView(本质上是应用程序内的浏览器)中显示Web UI(均为SharePoint).我们正在Windows Server 2012和OnPrem SharePoint 2013上使用OnPrem ADFS.这是我们的工作:

In an Ionic mobile app, we need to access the web API and to show a Web UI (both SharePoint) in an Ionic WebView (essentially a browser inside the app). We're using OnPrem ADFS on Windows Server 2012 and OnPrem SharePoint 2013. Here's what we do:

1.在ADFS3中,设置OAuth2 并添加依赖方信托和客户

1. In ADFS3, Setup OAuth2 and add a Relying Party Trust and a Client

http://www.gi-architects.co.uk/2016/04/setup-oauth2-on-adfs-3-0/

2.在移动应用中,调用ADFS以获取OAuth访问令牌

首先,获取:

https://myadfsdomain/adfs/oauth/authorize
    ?response_type=code
    &client_id=MYCLIENTID
    &redirect_uri=https://myserver/callback
    &resource=MYRelyingPartyId

然后发布responseCode例如:

then POSTing the responseCode Eg:

$http({method: "post", 
   headers: {'Content-Type': 'application/x-www-form-urlencoded'}, 
   url: "https://myadfsdomain/adfs/oauth2/token", 
   data: "client_id=MYCLIENTID&code=" + responseCode + "&redirect_uri=https://myserver/callback&grant_type=authorization_code"  })

另请参见 http://blog .scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html

我们现在有了OAuth2访问令牌.

We now have an OAuth2 Access Token.

3.使用该令牌调用SharePoint API 

GET /the-api-method
 Host: example.com
 Authorization: Bearer <access_token>

问题

Question

问题是,该访问令牌如何用于访问Web UI?是否可以将其交换为SharePoint Web UI cookie( FedAuth ?),以便放置在应用程序中的WebView可以向经过身份验证的用户显示SharePoint网页,而无需用户再次登录?

Question is, how can that access token be used to access the Web UI? Can it be exchanged for a SharePoint Web UI cookie (FedAuth?) so that a WebView placed in the app can show a SharePoint web page to the authenticated user without the user having to login again?

根据这篇文章,听起来好像OAuth2 for ADFS3(Windows Server 2012)仅在调用Web API时有效,而不是在调用网络用户界面时.正确吗?

According to this post, it sounds like OAuth2 for ADFS3 (Windows Server 2012) only works when calling a web API, NOT when calling a web UI. Is that correct?

作为Windows Server 2016上的ADFS 现在支持更多OAuth2授予​​类型,现在是否可以在服务器2016中为Web UI使用ADFS OAuth?如果是这样,如何将访问令牌交换为cookie?

As ADFS on Windows Server 2016 now supports more OAuth2 grant types, is it now possible to use ADFS OAuth in server 2016 for a web UI? If so, how does the access token get exchanged for a cookie or does it?

是的-ADFS 3.0仅处理机密客户端(即Web API)的授权代码授予.

Yes - ADFS 3.0 only handles authorisation code grant for confidential clients i.e. web API.

在ADFS 4.0中,您支持OpenID Connect.这将打开网站方案.这为您提供了令牌,您可以随后使用令牌来访问Web API.

In ADFS 4.0, you have support for OpenID Connect. This opens up the web site scenario. This gives you a token that you can then use to access a web API.

请查看在网络中调用网络API使用Azure AD和OpenID Connect的应用程序.这使用Azure AD,但原理是相同的.

Have a look at Calling a web API in a web app using Azure AD and OpenID Connect. This uses Azure AD but the principle is the same.

相关推荐