如何解决：是否可以使用 node.js 的 passport.authenticate 在 AWS API 网关中对承载令牌（Bearer token）进行身份验证？
我们有一个前端 React 应用，使用 MSAL 登录，并通过 AWS API 网关的 API 端点完成后端操作。登录流程结束后，我想把承载令牌（Bearer token）发送到 API 并进行身份验证。根据我在网上读到的资料，可以用 node.js 和 passport.authenticate() 来完成这件事，问题在于如何让它在 AWS API 网关中工作。因此我设计了一个通过授权者（authorizer）Lambda 进行身份验证的方案：1) 使用 aws-serverless-express 在 Lambda 中把 Express 作为 API 代理运行；2) 使用 passport-azure-ad 模块设置承载策略（BearerStrategy）；3) 运行 passport.authenticate() 验证令牌；4) 令牌有效时，Lambda 返回一个允许（Allow）策略；5) API 请求继续处理。
我把下面这些文件和所需的 node 模块放进了一个 node.js Lambda 中。它本质上是客户端和 API 之间的中间件：如果令牌有效，就允许请求通过。
在测试过程中,应用承载策略时出现此错误:
{ "name": "AzureAD: 承载策略", "hostname": "169.254.43.173", "pid": 8, "level": 30, "msg": "身份验证失败，原因：找不到令牌", "time": "2020-08-24T23:48:35.497Z", "v": 0 }
如果有一种更简单的方式来验证Bearer令牌,那就太好了。
Lambda index.js文件:
const awsServerlessExpress = require('aws-serverless-express')
const app = require('./app')
const server = awsServerlessExpress.createServer(app)
exports.handler = (event,context) => awsServerlessExpress.proxy(server,event,context)
config.js
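'use strict';

// Options handed to passport-azure-ad's BearerStrategy in app.js.
const config = {
  // OpenID Connect discovery document of the tenant; the strategy reads the
  // issuer and signing keys from it. <tenant-id> is a placeholder.
  identityMetadata: "https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration",
  // Application (client) ID registered in Azure AD — placeholder value, must
  // be replaced before deployment.
  // NOTE(review): the strategy is expected to check the token's audience
  // against this value — confirm against the passport-azure-ad docs.
  clientID: "xxxxxxxxxxxxxxxxxxxx",
  // Reject tokens whose issuer does not match the discovery document.
  validateIssuer: true,
  // Verbosity of the strategy's own logger (the JSON log line in the question
  // comes from it).
  loggingLevel: 'info',
  // The verify callback in app.js is (token, done); it does not take req.
  passReqToCallback: false,
  // Security fix: the original set this to true, which makes the strategy
  // accept tokens whose `exp` has passed. An authorizer must enforce expiry.
  ignoreExpiration: false
};

module.exports = config;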
app.js文件
'use strict'
const express = require('express')
const awsServerlessExpressMiddleware = require('aws-serverless-express/middleware')
const passport = require("passport");
const config = require('./config');
const BearerStrategy = require('passport-azure-ad').BearerStrategy;
// Verify callback: by the time it runs, passport-azure-ad has already
// validated the token. The second argument to `done` is the user object;
// an empty object is passed because nothing from the token is surfaced to
// the route. The token itself goes out as the third (info) argument.
// NOTE(review): every token the strategy validates is accepted here — no
// scope/role claim is inspected. Add that check if the API requires one.
function onTokenVerified(token, done) {
  done(null, {}, token);
}

const bearerStrategy = new BearerStrategy(config, onTokenVerified);
passport.use(bearerStrategy);

const app = express();
app.use(passport.initialize());

// Router carrying the authorizer route. eventContext() exposes the raw
// API Gateway event on req.apiGateway.
const router = express.Router();
router.use(awsServerlessExpressMiddleware.eventContext());
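/**
 * Build the IAM-style policy document an API Gateway Lambda authorizer
 * must return.
 *
 * Security fix: the original ignored `resource` and always emitted
 * `Resource: "*"`, so one Allow granted execute-api:Invoke on every method
 * of every API the authorizer is attached to. The statement is now scoped to
 * the resource passed in.
 * NOTE(review): API Gateway caches authorizer responses per token; if the
 * cached policy names one exact method ARN, calls to other methods with the
 * same token may be denied until the cache expires. If that matters, pass a
 * stage-level pattern (wildcards for method and path) as `resource` —
 * confirm against the API Gateway authorizer caching docs.
 *
 * @param {string} effect - 'Allow' or 'Deny'.
 * @param {string} resource - Method ARN (event.methodArn) the policy covers.
 * @param {string} [principalId='user'] - Identifier reported to API Gateway;
 *   defaults to the original hard-coded 'user'.
 * @returns {{principalId: string, policyDocument?: object}} Authorizer
 *   response; policyDocument is omitted when effect or resource is falsy,
 *   as in the original.
 */
function generatePolicy(effect, resource, principalId = 'user') {
  const authResponse = { principalId };
  if (effect && resource) {
    authResponse.policyDocument = {
      Version: '2012-10-17', // default policy language version
      Statement: [
        {
          Action: 'execute-api:Invoke', // default action
          Effect: effect,
          Resource: resource,
        },
      ],
    };
  }
  return authResponse;
}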
/**
 * Convenience wrapper: an Allow policy for `resource`.
 * @param {string} resource - Method ARN to allow.
 * @returns {object} Authorizer response built by generatePolicy.
 */
const generateAllow = (resource) => generatePolicy('Allow', resource);
// Bearer-token check: the 'oauth-bearer' strategy registered above validates
// the token passport reads from the request. session: false because the
// authorizer is stateless.
// NOTE(review): the "token is not found" log line in the question is
// consistent with a TOKEN-type authorizer event, which carries the token in
// event.authorizationToken rather than in the HTTP headers passport reads —
// confirm the authorizer type (REQUEST-type events do include headers).
const requireBearerToken = passport.authenticate('oauth-bearer', { session: false });

// Reached only when the token validated: respond with an Allow policy for the
// method ARN API Gateway placed on the event.
function sendAllowPolicy(req, res) {
  res.send(generateAllow(req.apiGateway.event.methodArn));
}

router.get('/', requireBearerToken, sendAllowPolicy);

// No app.listen(): aws-serverless-express creates the server and listens on a
// Unix domain socket itself.
app.use('/', router);

// Exported so the Lambda entry point (index.js) can wrap it.
module.exports = app;