问题
Hy All
We have the following Scenario:
Single Page Application (AngularJS based, Azure-AD protected). Like in this sample: https://github.com/AzureADSamples/SinglePageApp-AngularJS-DotNet
Separate REST Service (WebAPI only, Azure-AD protected) with BusinessLogic, DAL, DataBase-Connectivity
Security over Azure AD (ADAL)
Azure-Configuration:
- Two WebApps (SPA and REST Service)
- One Directory with the above two Web-Apps as Applications
- SPA is allowed to call the REST Service
Security-Configuration of the SPA:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Audience = ConfigurationManager.AppSettings["ida:SPAAudience"],
Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
});
}
...the same for the Web-API (with the WebAPIAudience).
Flow:
- Client (Browser, Internet) -> WebAPI SPA (DMZ) -> REST-Service (Internal)
We cannot use Cors and need the above proxy-like Scenario, because the REST-Service is internal.
My Question:
- How can we call the WebAPI REST Service from the SPA with the signed-in user's permissions (from the SPA Authentification)?
Thanks for your help!
Peter
Edit: What I've found out so far:
- Oauth2 is using the application identity for Authentication (not the User)
What we want to achieve at the end:
- A role based access control (RBAC) on the REST-Service Side
Questions:
Can we use Oauth2 for that purpose (RBAC) or do we need OpenID Connect like in the example: WebApp-GroupClaims-DotNet (Azure AD Example)
Can we use Oauth2 for calling the REST-Service from the SPA with the Application credentials or do we need OpenID Connect like in this example: WebApp-WebAPI-OAuth2-AppIdentity-DotNet (Azure AD Example)
What is the best practice in this Scenario?
Thanks.
来源:https://stackoverflow.com/questions/29511094/howto-call-from-spa-angularjs-based-azure-ad-protected-to-webapi-webapi-onl