I have a somewhat unusual scenario: I use the OpenID Connect middleware to authenticate against Azure AD, and now, once the application is authenticated and the session is established, I need to make AJAX calls to a WebAPI service located on the same server.
I am planning to return the Id / access token cached on the server to the client and store it in session storage.
Does this approach have any security implications? I mean, is there any difference between the tokens obtained through ADAL JS and those obtained through ADAL?
Answer 0 (score: 2)
I don't recommend doing so. Access and ID tokens obtained by a confidential client are different from the ones obtained by a public one, and in Azure AD tokens issued via implicit flow have extra differences because of heuristics aimed at containing their size. There is a cleaner solution to your scenario. Once you signed in using OpenID Connect, your browser has a session cookie with Azure AD. If you inject in your pages a hidden iframe, and you use that iframe for driving implicit grant requests for tokens via JavaScript, you can have your JS frontend obtain its own tokens without having to circulate tokens acquired elsewhere in your topology. This is exactly what ADAL does for renewing tokens and for getting new tokens after sign in. Unfortunately we have no samples for this approach, but you can examine ADAL JS' source to see how that works.