Question
Azure AD v2.0 lists Dynamic Consent as one of its advantages (https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/api-scopes#request-dynamic-scopes-for-incremental-consent).
What is this supposed to look like? I thought a typical use case would be to supply the roles / scopes that apply to a certain endpoint, for example the @OAuthBearer() annotation on:

    @Get("/hello-auth")
    @OAuthBearer({ "scopes": ["app.special.scope"] })
    helloAuth() {
      return { text: "Authorised hello" };
    }
I cannot find any information on how to do this. It seems to me (looking at the protocol diagram at https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow#protocol-diagram) that the only activity passport-azure-ad performs is to receive a bearer token and verify it. That makes sense, but then how are the scopes on the annotation assessed, since they are server-side and thus not known to the client to be included in the token?
I asked this at https://github.com/AzureAD/passport-azure-ad/issues/430, but my contract ends next week and I want to finish this off, so I have cross-posted it here.
As in that post, I thought of using the msal.js library but can't see how I'd make that work either.
Is there any best approach to this problem?
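The part the question is missing is where the scopes live once consent has happened. The client (msal.js) asks Azure AD for specific scopes when it acquires a token; Azure AD prompts the user for any it has not yet consented to (that is the "dynamic consent"), and the access token it then issues records the granted delegated permissions in its `scp` claim as a single space-separated string of short scope names (for example `User.Read app.special.scope`, without the `api://...` resource prefix used in the request). passport-azure-ad's BearerStrategy validates the token (signature, issuer, audience, expiry) and hands the decoded claims to the verify callback; enforcing per-endpoint scopes is then a plain comparison of the endpoint's required scopes against `scp`. The following is an added example written for this page, not code from the question, from passport-azure-ad or from msal.js. It assumes the application's verify callback has already stored the validated claims on `req.authInfo` (that is how the example chooses to pass them; passport-azure-ad does not mandate it) and shows the scope check as an Express-style middleware factory standing in for the `@OAuthBearer({scopes})` decorator in the question. It also accepts an app-role token's `roles` claim, so the same check serves both delegated and client-credential callers. The sample claims are constructed, not taken from a real token.

```javascript
// Added example (not from the question, passport-azure-ad or msal.js):
// enforce per-endpoint scopes on the API side from the validated token's
// "scp" claim. Assumptions: passport-azure-ad's BearerStrategy has already
// validated the bearer token (signature, issuer, audience, expiry) and the
// application's verify callback exposed the decoded claims as req.authInfo.

// Azure AD v2.0 puts the delegated permissions the user consented to in the
// "scp" claim as ONE space-separated string of short scope names, e.g.
// "User.Read app.special.scope". Application tokens (client credentials)
// carry app roles in the "roles" claim as an array instead. Return both as
// a Set so the caller can ask "is this permission present?".
function grantedScopes(claims) {
  if (!claims || typeof claims !== 'object') return new Set();
  const scp = typeof claims.scp === 'string'
    ? claims.scp.split(/\s+/).filter(Boolean)
    : [];
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  return new Set([...scp, ...roles]);
}

// True only when every required scope is present. Scope names are compared
// case-sensitively, exactly as Azure AD returns them; an empty requirement
// list means "any valid token is enough".
function hasRequiredScopes(claims, required) {
  const granted = grantedScopes(claims);
  return required.every((scope) => granted.has(scope));
}

// Hypothetical middleware factory standing in for the @OAuthBearer({scopes})
// decorator in the question. Mount it AFTER
// passport.authenticate('oauth-bearer', { session: false }), which is what
// performs the actual token validation; this only checks authorisation.
function requireScopes(required) {
  return function scopeGuard(req, res, next) {
    const claims = req.authInfo;
    if (!claims) {
      // No validated token reached us: authentication, not authorisation.
      return res.status(401).json({ error: 'unauthenticated' });
    }
    if (!hasRequiredScopes(claims, required)) {
      // RFC 6750 section 3.1: a token that lacks the needed scope gets 403
      // with an insufficient_scope challenge naming the scope(s) needed,
      // so the client knows what to request (and re-consent to) next time.
      res.set('WWW-Authenticate',
        `Bearer error="insufficient_scope", scope="${required.join(' ')}"`);
      return res.status(403).json({ error: 'insufficient_scope', required });
    }
    return next();
  };
}

// Constructed sample claims (not a real token), shaped like the payload of
// an Azure AD v2.0 access token after validation.
const sampleClaims = {
  aud: 'api://my-api',
  scp: 'User.Read app.special.scope',
  preferred_username: 'alice@example.com',
};

// Minimal fake req/res so the middleware can be exercised offline, without
// Express. Returns whether next() ran, the status set, and the headers set.
function runMiddleware(middleware, claims) {
  const req = { authInfo: claims };
  const res = {
    statusCode: 200,
    headers: {},
    body: undefined,
    set(name, value) { this.headers[name] = value; return this; },
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let nextCalled = false;
  middleware(req, res, () => { nextCalled = true; });
  return { nextCalled, status: nextCalled ? 200 : res.statusCode, headers: res.headers };
}

// Usage: the /hello-auth handler from the question, guarded.
// app.get('/hello-auth',
//   passport.authenticate('oauth-bearer', { session: false }),
//   requireScopes(['app.special.scope']),
//   (req, res) => res.json({ text: 'Authorised hello' }));
console.log(runMiddleware(requireScopes(['app.special.scope']), sampleClaims));
console.log(runMiddleware(requireScopes(['Mail.Read']), sampleClaims));
```

On the client side the matching half is simply to name the scope when asking msal.js for a token for this API (the `scopes` option of its token-acquisition calls); if the user has not yet consented to `app.special.scope`, Azure AD prompts for it and the returned token's `scp` then contains it, which is what the guard above checks. A token obtained for other scopes only is still valid and still passes BearerStrategy, so the 403 path above is the normal case to handle, not an error.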
Source: https://stackoverflow.com/questions/56698377/passport-azure-ad-msal-js-and-dynamic-scopes