使用Azure AD OAuth 2.0保护node.js服务器

Question

我在node.js中编写了一个小服务器，并将其部署到Azure WebApp。我想使用Azure AD OAuth添加服务到服务身份验证（如此flow）。我在另一个使用Katana的WebApi服务中做了这个。
所以，我为此找到了official库，它运行得很好。唯一的问题是库使用ursa模块，它是一个本机模块。而且，与解释here一样，使用本机模块部署WebApp并不容易。
所以，我的问题是 - 最好的方法是什么？如何使用Azure AD OAuth完成身份验证？
谢谢，
奥马尔

Answer 1

Take a look at the Authentication / Authorization feature of Azure Web Apps. It allows you to do OAuth 2.0 service-to-service auth flows using Azure AD, no code changes necessary (also, it works with any stack, not just node.js).

More high-level info here: http://azure.microsoft.com/blog/2014/11/13/azure-websites-authentication-authorization/

The post is a bit dated and doesn't mention the recently added support for APIs, but if your client can acquire an OAuth token from Azure AD, you can send it to your node.js server as a bearer token in the Authorization header of your HTTP request and have the authorization just work.

Two things to be aware of if you go down this route:

1. Authentication / Authorization currently blocks ALL unauthenticated access to your node.js API. You won't be able to say that some APIs are protected and some are not.
2. The JWT token that you send to your node.js API must use the client_id GUID value as the value for the "aud" claim. Using the app URI (as shown in some Azure AD samples) will not work.

Give it a try and see if it works for you.