How to configure Azure AD OAuth2 with node-adal and OWIN

Keywords for this article: Azure AD OAuth2 configuration OWIN how to use node-adal | Updated: 2023-09-27 18:13:41

How do I configure OWIN to validate requests that carry an access token obtained from Azure AD through node-adal?

Startup class below:

using System.Configuration;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Microsoft.Owin.Security.Jwt;
using Owin;

public partial class Startup
{
  public void Configuration(IAppBuilder app)
  {
    app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
    {
      AuthenticationMode = AuthenticationMode.Active,
      AllowedAudiences = new []
      {
        ConfigurationManager.AppSettings["ida:ClientId"] // AAD clientid from registered application
      },
      IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
      {
        new SymmetricKeyIssuerSecurityTokenProvider(
          ConfigurationManager.AppSettings["ida:Issuer"], // https://sts.windows.net/<tenantid-guid>/ retrieved from AAD federationmetadata.xml
          TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["ida:ClientSecret"]) // AAD secret from registered application
        )
      }
    });
  }
}

Token response from node-adal below (implementation as described here):

{
  tokenType: "Bearer",
  expiresIn: 3599,
  expiresOn: "2016-10-19T13:49:47.649Z",
  resource: "spn:00000002-0000-0000-c000-000000000000",
  accessToken: "removed for brevity", 
  refreshToken: "removed for brevity",
  userId: "user@domain.com",
  isUserIdDisplayable: true,
  familyName: "familyName",
  givenName: "givenName",
  identityProvider: "live.com",
  oid: "oid-guid",
  tenantId: "tenantid-guid"
}

Using the accesstoken from the node response above, sending

Authorization: Bearer accesstoken-here

to a secured endpoint that uses the [Authorize] attribute returns

{"message":"Authorization has been denied for this request."}

Edit: showing the new and old approaches; the old one works, the new one does not.

  // this is new version (using clientsecret, aka AD web app)
  var issuer = ConfigurationManager.AppSettings["ida:Issuer"];
  var secret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["ida:ClientSecret"]);
  app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
  {
    AuthenticationMode = AuthenticationMode.Active,
    AuthenticationType = OAuthDefaults.AuthenticationType,
    Provider = new OAuthBearerAuthenticationProvider(),
    AccessTokenFormat = new JwtFormat(
      new[] { ConfigurationManager.AppSettings["ida:ClientId"] }, 
      new IIssuerSecurityTokenProvider[] { new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret) }
    )
  });
  // this is old version (not using clientsecret, aka AD native app), this works but all my code is in the Angular Single Page app, I am trying to move the auth code into the node server to secure all access
  app.UseWindowsAzureActiveDirectoryBearerAuthentication(new WindowsAzureActiveDirectoryBearerAuthenticationOptions
  {
    Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
    TokenValidationParameters = new TokenValidationParameters
    {
      ValidAudiences = new[]
      {
        ConfigurationManager.AppSettings["ida:AudienceImplicit"],
        ConfigurationManager.AppSettings["ida:AudienceDaemon"]
      }
    }
  });

How to configure Azure AD OAuth2 with node-adal and OWIN

We have a specific OWIN middleware to validate tokens from Azure AD:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Audience = ConfigurationManager.AppSettings["ida:Audience"],
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
    }
);

Check the .NET samples at aka.
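As an added example (not code from the question, the answer, node-adal or the OWIN libraries), a small Node script that decodes the token node-adal returned and compares it with the settings the question's OWIN configuration expects: Azure AD signs access tokens with the tenant's RSA key (`alg` RS256, selected by `kid`), so a symmetric key derived from the client secret can never validate them, which is why the middleware in the answer fetches the tenant's signing keys instead, and a token issued for `resource` `spn:00000002-...` carries an `aud` that identifies that resource, not the API's `ida:ClientId`. The `diagnose` helper, `SAMPLE_TOKEN`, its `kid`, its signature and the `api-clientid-guid` audience are constructed for the example.

```javascript
// Added example (not from the question or the answer): decode the access token that
// node-adal returned and compare it with the OWIN configuration from the question.
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - b64.length % 4) % 4), 'base64').toString('utf8');
}

// Split a compact JWS and parse header and claims. No signature check is done here:
// this is a diagnostic; the API middleware must still verify the signature.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return { header: JSON.parse(base64UrlDecode(parts[0])),
           payload: JSON.parse(base64UrlDecode(parts[1])) };
}

// expected = { tenantId, audiences: [...], usesSymmetricKey: bool } mirrors the
// ida:Issuer / AllowedAudiences / SymmetricKeyIssuerSecurityTokenProvider settings.
function diagnose(token, expected, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  const problems = [];
  if (header.alg !== 'RS256') {
    problems.push(`unexpected alg ${header.alg}`);
  } else if (expected.usesSymmetricKey) {
    problems.push(`token is RS256-signed with tenant key kid=${header.kid}; ` +
      'a symmetric key built from the client secret can never verify it');
  }
  const issuer = `https://sts.windows.net/${expected.tenantId}/`;
  if (payload.iss !== issuer) problems.push(`iss ${payload.iss} != ${issuer}`);
  if (!expected.audiences.includes(payload.aud)) {
    problems.push(`aud ${payload.aud} is not in AllowedAudiences [${expected.audiences}]`);
  }
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) problems.push('token expired');
  return problems;
}

// Constructed sample shaped like the response in the question (fake signature, fake kid).
const SAMPLE_TOKEN = [
  base64UrlEncode({ typ: 'JWT', alg: 'RS256', kid: 'constructed-kid' }),
  base64UrlEncode({ aud: '00000002-0000-0000-c000-000000000000', tid: 'tenantid-guid',
    iss: 'https://sts.windows.net/tenantid-guid/', oid: 'oid-guid', exp: 1476884987 }),
  'c2lnbmF0dXJl',
].join('.');
console.log(diagnose(SAMPLE_TOKEN, { tenantId: 'tenantid-guid',
  audiences: ['api-clientid-guid'], usesSymmetricKey: true }, 1476884000));
```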