oauth - Azure AD: Mixing SPA with delegated user identity scenario
I intend to develop a single-page application that has a web API backend, which in turn calls other web APIs on the user's behalf. I struggle with how to do this.
I looked at the list of Azure AD scenarios from MS, and none of them seems to fit my case. I think my scenario is a mixture of the SPA and "web application to web API" scenarios (link).
From what I understand, I must accomplish this as follows: the SPA client first retrieves an authorization code and ID token from the Azure AD auth endpoint, then sends them to the backend. The backend then requests the needed access tokens from the Azure AD token endpoint.
Is this correct? How can I do this (with adal.js)? I only find examples where the client uses the implicit flow, where getting the authorization code is skipped and you end up directly with an access token. Is this possible at all?
Your understanding is pretty close. After configuring the scenario in the Azure portal (see the code sample on configuring the scenario), you'll log in the user and request an access token for the web API. When the web API receives the access token, it can perform an on-behalf-of request to Azure AD requesting access to the downstream web API. On success, Azure AD will issue the web API a new access token it can use for the downstream API.
In terms of support, the single-page app will need to use adal.js to log in the user and get access tokens. On the web API side, Azure AD supports the on-behalf-of flow through ADAL .NET and ADAL Java. One nuance: you'll want to protect the endpoints and validate tokens on the web API; Azure AD has built OWIN middleware for .NET, but you'd require an open source equivalent for a Java web API.
Here is a great sample of the on-behalf-of flow in action. It has both a single-page app and a native app calling a .NET web API.