MSAL - using two different client IDs from two different directories

Time: 2019-08-09 05:39:38

Tags: azure azure-active-directory msal

I have an application that will be used by two different entities, and each entity has its own Azure Active Directory.

Initially, the code I was using was:

var msalConfig = {
    auth: {
        clientId: '<client-id-1>',
        authority: "https://login.microsoftonline.com/<tenant-id>"
    },
    cache: {
        cacheLocation: "localStorage",
        storeAuthStateInCookie: true
    }
};

What I want to do now is: can I enter two different client IDs and tenant IDs?

I can use multiple tenants in the first AAD, but I want to restrict it to only two tenants. What approach should I take here?

2 answers:

Answer 0 (score: 1)

You could try using the Factory pattern and create a method that instantiates the clientApplication for the appropriate client. For example:

// One MSAL configuration per directory; each has its own client ID
// and its own tenant-specific authority.
const msalConfigFoo = {
    auth: {
        clientId: '<client-id-1>',
        authority: "https://login.microsoftonline.com/<tenant-id>"
    },
    cache: {
        cacheLocation: "localStorage",
        storeAuthStateInCookie: true
    }
};

const msalConfigBar = {
    auth: {
        clientId: '<client-id-2>',
        authority: "https://login.microsoftonline.com/<tenant-id>"
    },
    cache: {
        cacheLocation: "localStorage",
        storeAuthStateInCookie: true
    }
};

// Factory: pick the configuration for the requested client and build
// the UserAgentApplication from it.
function getClientApplication(clientType) {
    if (clientType === "foo") {
        return new Msal.UserAgentApplication(msalConfigFoo);
    } else {
        return new Msal.UserAgentApplication(msalConfigBar);
    }
}

Answer 1 (score: 1)

Question: I can use multiple tenants in the first AAD, but I want to restrict it to only two tenants. What approach should I take here? Answer: If you develop a multi-tenant AD application, you can validate the "id_token" using its issuer after the user signs in. For example:

var msalConfig = {
    auth: {
        clientId: 'b0114608-677e-4eca-ae22-60c32e1782d9', // This is your client ID
        authority: "https://login.microsoftonline.com/common" // This is your tenant info
    },
    cache: {
        cacheLocation: "localStorage",
        storeAuthStateInCookie: true
    }
};
var graphConfig = {
    graphMeEndpoint: "https://graph.microsoft.com/v1.0/me"
};

// create a request object for login or token request calls
// In scenarios with incremental consent, the request object can be further customized
var requestObj = {
    scopes: ["user.read"]
};

var myMSALObj = new Msal.UserAgentApplication(msalConfig);

// Register callback for the redirect flow
// myMSALObj.handleRedirectCallbacks(acquireTokenRedirectCallBack, acquireTokenErrorRedirectCallBack);
function authRedirectCallBack(error, response) {
    if (error) {
        console.log(error);
    }
}
myMSALObj.handleRedirectCallback(authRedirectCallBack);

// define the issuers that are allowed to sign in (one per tenant)
var issuers = new Array();
issuers[0] = "https://login.microsoftonline.com/{TenantId}/v2.0";
issuers[1] = "https://login.microsoftonline.com/{TenantId}/v2.0";

function signIn() {
    // loginPopup resolves with an AuthResponse whose idToken property
    // is the parsed id_token; its issuer is the "iss" claim
    myMSALObj.loginPopup(requestObj).then(response => {

        var issuer = String(response.idToken.issuer);
        console.log(issuer);
        if (issuers.indexOf(issuer) != -1) {
            // login successful, your users can carry on

        } else {

            // your users signed in with an account from the wrong tenant
        }

    }).catch(function (error) {
        // Please check the console for errors
        console.log(error);
    });
}

For more details, please refer to the documentation.
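The issuer check from the answer above, written out as an added example (not code from either answer or from MSAL): it builds the allow-list from the two tenant ids, reads the "iss" and "tid" claims of an id_token, and rejects tokens from any other tenant of the multi-tenant app. The tenant ids and the sample token are constructed placeholders; the base64url helpers work in both browsers and Node.

```javascript
// Added example, not code from the original answers. Builds the issuer
// allow-list for the two tenants and checks an id_token payload against it.
// The two tenant ids are constructed placeholders.
const ALLOWED_TENANTS = [
  "11111111-1111-1111-1111-111111111111",
  "22222222-2222-2222-2222-222222222222",
];

// Issuer string Azure AD puts in the "iss" claim of v2.0 tokens for a tenant.
function issuerForTenant(tenantId) {
  return `https://login.microsoftonline.com/${tenantId}/v2.0`;
}
const ALLOWED_ISSUERS = new Set(ALLOWED_TENANTS.map(issuerForTenant));

// base64url <-> text, working in browsers (atob/btoa) and Node (Buffer).
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === "function" ? atob(padded) : Buffer.from(padded, "base64").toString("binary");
}
function b64urlEncode(s) {
  const b64 = typeof btoa === "function" ? btoa(s) : Buffer.from(s, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Read the claims of a JWT without checking its signature: MSAL has already
// validated the token it returns, and this check only gates the UI. Any API
// the app then calls must validate signature, audience and issuer itself.
function decodeJwtPayload(rawIdToken) {
  const parts = rawIdToken.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(b64urlDecode(parts[1]));
}

// Accept only if "iss" is on the allow-list and agrees with the "tid" claim,
// so a token from any other tenant of a multi-tenant app is rejected.
function isFromAllowedTenant(claims) {
  if (typeof claims.iss !== "string" || typeof claims.tid !== "string") return false;
  return ALLOWED_ISSUERS.has(claims.iss) && claims.iss === issuerForTenant(claims.tid);
}
// Constructed, unsigned sample token (alg "none", dummy signature) for testing.
function makeSampleToken(claims) {
  const header = b64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${b64urlEncode(JSON.stringify(claims))}.sig`;
}
function checkIdToken(rawIdToken) {
  return isFromAllowedTenant(decodeJwtPayload(rawIdToken));
}
```

In the answer's signIn() this replaces the issuers.indexOf() test: pass response.idToken.rawIdToken to checkIdToken() and only continue when it returns true.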