Problem description
I am developing a Cordova app that has (until now) used a password grant to retrieve JWTs from Microsoft's standard OAuth provider in Azure:
https://login.microsoftonline.com/[tenant]/oauth2/token
It works fine. However, we are opening up our application to outside traders, and the owner wants MFA added.
So, I have created an MFA provider in Azure, and I have enabled a test account for MFA.
I am currently opening the redirect request using the InAppBrowser plugin, which seems to work: it opens the login page, it texts me, I put the code in, and then it completes login to the "Applications" splash screen (the default Azure login for users).
My issue is identifying that login was successful, and retrieving JWTs. Because of the MFA, the login server now returns the following "MFA" error on initial login (not really an error):
interaction_required
However, once MFA is completed, I have no idea where to go to get my token/refresh token. If I resubmit the login, it just sends back an "interaction_required" message, even if "Do Not Ask Again For [X] Days" is selected during the MFA process.
I hope the issue is clear. Let me know if not and I'll revise as necessary.
I am not currently using ADAL or any Cordova plugins for authentication. I am hitting the endpoints on my own. The answer may be that I have to use ADAL.
Recommended answer
Ok guys, here's the issue. Since I was using password grants, I was not hitting the /oauth2/authorize endpoint; it's not required with password grants, you go straight to /oauth2/token...
With MFA, /oauth2/authorize is mandatory. If MFA is enabled, it redirects and handles everything for you (very simple). You simply await your redirect URL; the auth code is a query parameter, and thus is very easy to extrapolate.
After the browser redirects, you grab the authorization code, and then submit it to the /oauth2/token server, without username/password (the Authorization header is also not required, which is good because you don't have to ask for it twice, once for MFA and once to pass in to /token; good call, Microsoft).
Flow:
var inAppBrowserRef;

var testMFA = function () {
    // Authorization-code request; /authorize is what triggers the MFA prompt
    var url = "https://login.microsoftonline.com/[tenantID]/oauth2/authorize?client_id=[clientID]&response_type=code&response_mode=query";
    var target = "_blank";
    var options = "location=yes";
    inAppBrowserRef = cordova.InAppBrowser.open(url, target, options);
    try {
        // All four events are routed to the same handler, which inspects event.url
        inAppBrowserRef.addEventListener('loadstart', loadStartCallBack);
        inAppBrowserRef.addEventListener('loadstop', loadStartCallBack);
        inAppBrowserRef.addEventListener('loaderror', loadStartCallBack);
        inAppBrowserRef.addEventListener('exit', loadStartCallBack);
    }
    catch (ex) {
        alert(ex);
    }
};
Then, in 'loadStartCallBack':
function loadStartCallBack(event) {
    if (!event.url) {
        return;
    }
    // The host segment of the URL being loaded is compared with the registered return URL
    else if (event.url.split('/')[2] == '[returnURLWithoutHttps://]') {
        var fullstring = event.url.split('/')[3].split('?code=')[1];
        var code = fullstring.split('&')[0];
        var sess_state = fullstring.split('session_state=')[1];
        localStorage.tokenCode = code;
        sessionStorage.sess_state = sess_state;
        inAppBrowserRef.close();
        getToken();
    }
}
You then pass the authorization code into the /oauth2/token server, and receive back your token (I am leaving the password-grant parts in, commented out, for future readers that started at a password grant):
var resource = '[resourceURL]';
var clientId = '[clientID]';
var authCode = localStorage.tokenCode;

var data =
    'resource=' + encodeURIComponent(resource) +
    //'&username=' + encodeURIComponent(window.sessionStorage.loginUser) +
    //'&password=' + encodeURIComponent(password) +
    '&client_id=' + encodeURIComponent(clientId) +
    '&code=' + encodeURIComponent(authCode) +
    '&grant_type=authorization_code' +
    //'&grant_type=password';
    '&response_type=token';
// Each value is encoded with encodeURIComponent rather than running encodeURI over
// the finished string, so '+', '/' or '&' inside a value cannot be misread as separators.
That's it. Hope it helps someone some day.
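As an added example (not the poster's code), here is a hardened version of the redirect handling and token-request construction from the answer above: it matches the full redirect URI rather than only the host, surfaces an `error` reply such as `interaction_required` instead of crashing on a missing `code`, and rejects a reply whose `state` does not match the value sent on /oauth2/authorize. It assumes the placeholder redirect URI `REDIRECT_URI` and a WebView that provides the WHATWG `URL` and `URLSearchParams` globals.

```javascript
// Added example, not the original poster's code. Assumptions: REDIRECT_URI is
// the reply URL registered in Azure (placeholder value), and the WebView
// exposes the WHATWG URL and URLSearchParams globals.
var REDIRECT_URI = 'https://app.example.invalid/auth/callback'; // constructed placeholder

// Returns null when eventUrl is not our redirect; otherwise either
// {code, sessionState} or {error, errorDescription}.
// expectedState is the random value sent as `state` on /oauth2/authorize;
// a reply that does not echo it is rejected (anti-CSRF check).
function parseAuthRedirect(eventUrl, expectedState) {
  var url;
  try { url = new URL(eventUrl); } catch (e) { return null; }
  var expected = new URL(REDIRECT_URI);
  // Compare scheme, host and path, not just the host segment
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    return null;
  }
  var q = url.searchParams;
  if (q.get('error')) {
    // e.g. error=interaction_required when MFA has not been completed yet
    return { error: q.get('error'), errorDescription: q.get('error_description') || '' };
  }
  if (q.get('state') !== expectedState) {
    return { error: 'state_mismatch', errorDescription: 'state does not match the request' };
  }
  var code = q.get('code');
  if (!code) {
    return { error: 'missing_code', errorDescription: 'redirect carried no authorization code' };
  }
  return { code: code, sessionState: q.get('session_state') || '' };
}

// Builds the application/x-www-form-urlencoded body for the /oauth2/token
// request that redeems the code (no username/password, no Authorization header).
// redirect_uri is the standard OAuth parameter echoing the value used on
// /authorize; the original post omitted it.
function buildTokenRequestBody(resource, clientId, code) {
  var body = new URLSearchParams();
  body.set('resource', resource);
  body.set('client_id', clientId);
  body.set('code', code);
  body.set('grant_type', 'authorization_code');
  body.set('redirect_uri', REDIRECT_URI);
  return body.toString(); // URLSearchParams percent-encodes each value for us
}
```

In the InAppBrowser handler, call `parseAuthRedirect(event.url, storedState)` and only close the browser and call the token endpoint when the result carries a `code`.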