Question
I have an SPA that authenticates a user, by using msal.js, against an app registered at the Application Registration Portal. It successfully retrieves a token and everything is fine so far.
Then I have an ASP.NET Web API setup that should use the token from the SPA to make requests to Microsoft Graph on behalf of the user, and this is where I run into trouble.
So far I've set up an OWIN middleware on the API that should validate the token before making a request to the graph, but no matter what I try it's always invalid. I've tried UseOpenIdConnectAuthentication, UseOAuthBearerAuthentication and UseJwtBearerAuthentication but still no success. The SPA and the API use the same Client ID and the issuer is set to https://login.microsoftonline.com/common/v2.0.
I've read a lot of SO questions and samples from MS but nothing seems to address this specific setup. According to this I at least think it is possible?
Here are the NuGet packages I'm using:
<package id="Owin" version="1.0" targetFramework="net452" />
<package id="Microsoft.Owin" version="3.1.0" targetFramework="net452" />
<package id="Microsoft.Owin.Security" version="3.1.0" targetFramework="net452" />
<package id="Microsoft.Owin.Security.Jwt" version="3.1.0" targetFramework="net452" />
<package id="Microsoft.Owin.Security.OAuth" version="3.1.0" targetFramework="net452" />
<package id="Microsoft.Owin.Security.OpenIdConnect" version="3.1.0" targetFramework="net452" />
Am I using the correct packages, and is it even possible to set it up this way? Would love some pointers on what I'm doing wrong.
Thanks in advance!
Answer 1:
This problem is precisely solved by the "OAuth 2 On-Behalf-Of flow". This is documented for the AAD V2 App Model here.
The OAuth 2.0 On-Behalf-Of flow serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from Azure Active Directory (Azure AD), on behalf of the user.
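As an added illustration of the exchange the answer describes (not code from the question or the answer), this is the raw v2.0 On-Behalf-Of request a middle-tier Web API makes to trade the caller's token for a Graph token. It assumes the SPA asked for a token scoped to the API itself (the assertion's audience must be this API, not Graph), and the client ID, secret and scope below are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// On-Behalf-Of exchange against the v2.0 token endpoint. The API hands AAD the
// token it received from the SPA (the "assertion") and gets back a Graph token
// issued for the same user. Only the confidential API holds the client secret.
public static class OnBehalfOfClient
{
    private const string ClientId = "<your-app-id>";      // placeholder
    private const string ClientSecret = "<app-password>"; // placeholder; never shipped to the SPA
    private const string TokenEndpoint =
        "https://login.microsoftonline.com/common/oauth2/v2.0/token";

    private static readonly HttpClient Http = new HttpClient();

    // Form body of the OBO request, kept separate so it can be inspected or unit-tested.
    public static Dictionary<string, string> BuildForm(string incomingToken, string scope)
    {
        return new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["client_id"] = ClientId,
            ["client_secret"] = ClientSecret,
            ["assertion"] = incomingToken,  // the bearer token the SPA sent to this API
            ["scope"] = scope,              // e.g. "https://graph.microsoft.com/User.Read"
            ["requested_token_use"] = "on_behalf_of"
        };
    }

    // Exchanges the incoming token for a Graph access token; null if AAD rejects it.
    public static async Task<string> AcquireGraphTokenAsync(string incomingToken, string scope)
    {
        var content = new FormUrlEncodedContent(BuildForm(incomingToken, scope));
        var response = await Http.PostAsync(TokenEndpoint, content);
        var body = JObject.Parse(await response.Content.ReadAsStringAsync());
        if (!response.IsSuccessStatusCode)
        {
            // "error"/"error_description" explain the rejection (wrong audience, missing consent, ...)
            Console.Error.WriteLine((string)body["error_description"]);
            return null;
        }
        return (string)body["access_token"];
    }
}
```

Call AcquireGraphTokenAsync only after the OWIN middleware has validated the incoming token for this API; the returned token is the one to attach as a Bearer header on the Graph request.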
Source: https://stackoverflow.com/questions/45488185/authenticating-against-microsoft-graph-with-spa-and-then-using-token-in-web-api