轻松接入Azure AD+Oauth2 实现 SSO

众所周知，现在SSO最常见的实现方案如下： 1、OAuth2 2、SAML 3、OpenId

本文的重点是目前SSO普及率高的是第一个方案Oauth2.下面将分几个部分来解释如何对接Azure的Oauth2

以下是集成时序图： 解释说明： 1、Native App 你可以简单地理解你想要访问的内容WEB 网站，由它接收azure 认证后跳转。 2、Web API 可理解为接入WEB负责接收网站对应的后端服务接口access_token 通过此令牌获取当前授权用户的信息

注册应用程序如下图所示：

2、在Client credentials中增加AD 应用相应的客户端密钥Oauth2下图所示：

3、在RedirecrURLs 如下图所示： 注意： 1.此处添加的回调地址必须为https的地址

如下图所示：

每个人都应该知道Oauth目前常用的接入方式如下： 1.客户端认证模式 二、授权码模式 3.密码认证模式 4、隐藏式 由于需要获取用户信息，需要调用后端接口进行业务系统的权限认证，综合考虑选择Oauth接入2的授权模式

Step1: Web 网站加载跳转如下地址 请求方式：GET 请求地址：https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?response_type=code& client_id={client_id}& redirect_uri=https://xxx-dev.xxx.net/home& scope=user.read

Step2:WEB网站 :https://xxx-dev.xxx.net/home加载，请求后端连接口：/api/auth/oauth2/token?code=xxxxx 接口内部调用如下： POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token?client_id={client_id}& client_secret={client_secret}& grant_type=authorization_code& code=0.AQwAbnb6gUmjZ0iL9Ks14lCgjzVmCEVErNxDj7XJCHhwDKYMAMs.AQABAAIAAAD–DLA3VO7QrddgJg7WevrbubOQoA0envxQCNoNHJAuOX4fk9xb2S5NQj_FZlJ6sBIb7020GdRj1flmztLFee8PAXDGXr8jTaDJhFHBH9o1B5TeESFB03F1s2yPKJv5johZzgIJpGg4nG6iB3tclVH3bjY5cWNhFWx9w_6ok4crj6GJMG7m3ujAewNkABJK2fNsunaI-J91tOIxsrJ5JE8Z_4KCMMF8YW1t-mdW_NAXhntsDqYq2Hm2sgVfPzPGpOK6aiC2GKxIYfOJuVaLzT5jDmSgD61DOiBlTVeE_EIfAWD7UwavrzbFtNXw9bQLbei-lyiMrgHmgDwmXLB7LURL3alaTkBrpnRZ-bfnR8YXWpb0b9LW7wZPu0BESM2l_IXyyg9lZZSYyzvd_bSKRsgbmfn-Js3T_8WduqDgT-47iApmB2qJuobhtPQ60989731vmBfYJmnGyCt573I7SpW-73idfJ_3NT_0dIqaXFpOjYTIrU4ynv7FvZXCpYHA2c2gXqbrBXD04tg9SudiB49CDFUPufG51L39GY9qjNuJUE9eqh4pH9SXAS1rKN4svsrj2RTUp5HN-uDt_ucZgzYMis9ry9NhOo8aOdrv7wn6Gf1cRZg0LY5w00hx2mP2IpfORy-1y6LEU2HsqgtIJh5aeWEbk6ZrfE-WSF0m8pY9KqQTZGwCwaA8mdV76BC7TIODRhqmxNJ2nh3ZZHzgrWjDatEbXv_aD1Z-q6v4HYLzw5Ur6Q8xTHai63IUdhUwJWT7BGfKAiBMu6zU_9i_f4jcjco2jGCJ0OG6cX41P-h6eHqM9DQp-kfhSbOk-fmfjMfiV4EtKQxNl1WHZFkVbLY_0fXcsPJmsTvX7i5MFgC_CAA& redirect_uri=https://xxx-dev.xxx.net/home

返回报文： { “access_token”: “eyJ0eXAiOiJKV1QiLCJub25jZSI6IlctNEQ4em9mN05Yemo4MkRpallwajZlYnktZGMyUDhlRFVVU1BaTkZVZEEiLCJhbGciOiJSUzI1NiIsIng1dCI6ImpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNYyIsImtpZCI6ImpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNYyJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC84MWZhNzY2ZS1hMzQ5LTQ4NjctOGJmNC1hYjM1ZTI1MGEwOGYvIiwiaWF0IjoxNjUwMzcyMjQ4LCJuYmYiOjE2NTAzNzIyNDgsImV4cCI6MTY1MDM3NjMxNCwiYWNjdCI6MCwiYWNyIjoiMSIsImFjcnMiOlsidXJuOnVzZXI6cmVnaXN0ZXJzZWN1cml0eWluZm8iXSwiYWlvIjoiQVVRQXUvOFRBQUFBUXVlemdyUjc5N2E5dStuUEYrTVI1MlpMdGFWN2FsSGpDRXdwTGJaU0FTK1dlWmFCZStYZ3JHZ2gzbEIrWXRrdTIzRU9iRDRmZWgyWjlaeVdXMkZzbUE9PSIsImFtciI6WyJwd2QiLCJyc2EiLCJtZmEiXSwiYXBwX2Rpc3BsYXluYW1lIjoiRGF0YXBvcnRhbCBEZXYiLCJhcHBpZCI6IjQ1MDg2NjM1LWFjNDQtNDNkYy04ZmI1LWM5MDg3ODcwMGNhNiIsImFwcGlkYWNyIjoiMSIsImRldmljZWlkIjoiNTM1Zjk2NGUtMTZiYS00MzYzLTgyNTgtZTY1MWEzNWRkODcyIiwiZmFtaWx5X25hbWUiOiJKaWEiLCJnaXZlbl9uYW1lIjoiUGVuZ2NoZW5nIiwiaWR0eXAiOiJ1c2VyIiwiaXBhZGRyIjoiMTAxLjIyOC4yMjUuNzciLCJuYW1lIjoiSmlhLCBQZW5nY2hlbmciLCJvaWQiOiJiZjY1NWY4Mi0zYjdmLTRiNzItYWI4ZS05MDQ1NWEzY2Q2ODEiLCJvbnByZW1fc2lkIjoiUy0xLTUtMjEtMTIyOTI1NzIwMC0yMDYwNDY5MDk4LTY0MDQwMjkyMy03MzUyOTIiLCJwbGF0ZiI6IjMiLCJwdWlkIjoiMTAwMzIwMDFEMkQ5MkQzQiIsInJoIjoiMC5BUXdBYm5iNmdVbWpaMGlMOUtzMTRsQ2dqd01BQUFBQUFBQUF3QUFBQUFBQUFBQU1BTXMuIiwic2NwIjoiVXNlci5SZWFkIHByb2ZpbGUgb3BlbmlkIGVtYWlsIiwic2lnbmluX3N0YXRlIjpbImR2Y19tbmdkIiwiZHZjX2RtamQiLCJrbXNpIl0sInN1YiI6IjlGNEhRanlmNnBjazRzRW80bHJGOERpSEZST0lJSEZWRmN3aVV0RVM0WTgiLCJ0ZW5hbnRfcmVnaW9uX3Njb3BlIjoiRVUiLCJ0aWQiOiI4MWZhNzY2ZS1hMzQ5LTQ4NjctOGJmNC1hYjM1ZTI1MGEwOGYiLCJ1bmlxdWVfbmFtZSI6IlBKSUFAdm9sdm9jYXJzLmNvbSIsInVwbiI6IlBKSUFAdm9sdm9jYXJzLmNvbSIsInV0aSI6IklSTTZFbk1pUUV1UUF6eFI4Q3NLQUEiLCJ2ZXIiOiIxLjAiLCJ3aWRzIjpbImI3OWZiZjRkLTNlZjktNDY4OS04MTQzLTc2YjE5NGU4NTUwOSJdLCJ4bXNfc3QiOnsic3ViIjoibG8tcnhqSzZLank1SzlMc1hnM3I3bHA3NFhjbWdSS21vaWJKSjBCYzAwQSJ9LCJ4bXNfdGNkdCI6MTQwMDUxNDc2NH0.T9vRn-L-qBvJrqUx5Edua-VTQaokQLtSvBKPphCFe9xCiLOTTKedzWnzeZ0B4YHgT3HaHlQPScQ0Y_ltqrUK3KSjmVj8jmJwprsTa5fhOyQQ2KIB6YOkYY7LxYP0qmZVHG_k8SacE5EGIX0LC6hYDXEVV8ezrazvkLsfRxMR5QiWw-jFw9aWPpVA-IQ8VksRXEKq4voas1odAGDU6VZD6pGywZ2bI5VsmCl3NQy0HX3PLtlO7v8aI0Ave-wHSzBXg6-6d0f1SQ_hdnbd94v6RyUptbolI4JgZuc8QAPgcP6KhDgCvfAJcHK0pJA4-1xou6czwNjFm4ALex1c-BNSw”, “expires_in”: 3765, “scope”: “User.Read profile openid email”, “token_type”: “Bearer” }

Step3:前端拿到Step2的令牌access_token后需要缓存到cookiee，然后再请求后端接口：/api/auth/oauth2/login/user获取用户信息 header:Authorization 接口内部调用如下： 请求方式：GET 请求地址：https://graph.microsoft.com/v1.0/me

返回报文： { “businessPhones”: [ “+8613795919672” ], “displayName”: “Zhang, Sanwu”, “givenName”: “Sanwu”, “id”: “bf655f82-3b7f-4b55-ab8e-93452a3cd621”, “mail”: “sanwu.zhang@xxx.com”, “officeLocation”: “VCHNSR”, “surname”: “Zhang”, “userPrincipalName”: “SZhang@xxxx.com” }

Step4: 根据Step3拿到的用户信息跳转到首页界面

Step5: WEB网站退出如下请求如下路由进行退出 请求方式：GET 请求地址： https://login.microsoftonline.com/common/oauth2/logout? post_logout_redirect_uri=https://xxx-dev.xxx.net/login