I am working on a solution with the following moving parts:
UI (Google App Maker) <=> API (built in dotnet Core)
Currently, I have implemented JWT authentication on the API side. Each time the UI calls the API, it authenticates by passing a username/password that is part of Active Directory and obtains a token. However, a security review from an internal team recommended that the UI instead use a token generated by "PING Federate" (I am new to this tool), which is part of the corporate G Suite login mechanism, pass that token to the API, and modify the API to check that the PING token is valid in order to authorize the caller.
I imagine the flow like this:
1. User enters UI DNS entry on the browser.
2. User is asked to log into google.
3. Google detects it is a corporate account and redirects to our corporate PING sign-in page.
4. User enters corp credentials and is redirected to the UI.
5. Fetch the token programmatically in the UI (Google App Maker) to pass it to the API (this is the step I'm not sure how to approach, or if it is even possible).
6. API validates PING token and returns a response.
Is step 5 even possible? If it is, I would be very grateful for any help.