
How to set up SSO with Azure AD and our backend Strapi?

Updated: 2023-01-08 21:28:55


I am wondering if anyone has done this before,

I have an azure Active Directory, and I host the front end of our app in IIS. The back is controlled by pm2. How can I set up SSO with Azure AD and our back end strapi?

Thank you for any help

Strapi supports natively Microsoft SSO.

You must act on three fronts: Azure Portal, Strapi Admin, Frontend App

1 - AZURE Portal: (create application, configure, get params)

1.1 Create an application: go to the App registrations page and register an app

1.2 Click New Registration

1.3 Fill in the form as shown in the screenshot below

1.3.1 In "Supported account types" choose the Multitenant option (in Strapi, single tenant is not supported by default; if you need single tenant you must create a custom provider, but multitenant is fine)

1.3.2 In the Redirect URI field, put "Web" and

/connect/microsoft/callback

(i.e. http://localhost:1337/connect/microsoft/callback or your Strapi production URL https://mystrapiexample.com/connect/microsoft/callback)

1.3.3 Register and go to next page

1.4 Go to the "Authentication" page of your registered App (left menu) to enable the implicit grant flow (Access tokens)

1.5 Go to the "Certificates & secrets" page of your registered App (left menu), create a "New client secret" and note down its value; you will use it when you configure the provider in Strapi.

1.6 Also note the "Application (client) ID" on the Overview page; you will use it when you configure the provider in Strapi

2 - STRAPI ADMIN: (create application, configure, get params)

2.1 Go to "Roles and Permissions" > Providers > Microsoft

2.2 Set Enable to "ON" and enter the clientId and secret you obtained in the previous steps (1.5 and 1.6)

2.3 Set the redirect URI to the page of your front-end app that receives and forwards the microsoft access_code (this step will be clearer later)

3 - FRONTEND APP:

Ready? At this point the flow begins: the user is redirected to complete authentication and obtain a Strapi JWT, which is then used to make requests as an authenticated user.

3.1 Create a link in your frontend application to the Strapi Microsoft sign-in

/connect/microsoft

(i.e. http://localhost:1337/connect/microsoft or your Strapi production URL https://mystrapiexample.com/connect/microsoft)

3.2 Strapi redirects the user to the Microsoft authentication page; on success the user is redirected back to Strapi with a microsoft access_code (this step is transparent for you)

3.3 Strapi redirects the access_code to the frontend URL set in 2.3, which must redirect (with the access_code) to the Strapi auth page

/auth/microsoft/callback

(i.e. http://localhost:1337/auth/microsoft/callback or your Strapi production URL https://mystrapiexample.com/auth/microsoft/callback)

3.4 At this point Strapi creates its own JWT token, which it returns to the frontend application; the frontend can store it (in localStorage, sessionStorage, ...) to make requests to the Strapi endpoints.
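As an added example (not code from the original answer or from Strapi), the front-end page registered as the redirect URI in step 2.3 can carry out steps 3.3 and 3.4 like this. It assumes the Strapi v3-style routes the answer uses (`/connect/microsoft`, `/auth/microsoft/callback`) and that Strapi hands the provider token to the front end as an `access_token` query parameter (what the answer calls the access_code); `STRAPI_URL`, the fake fetch and the token values are placeholders, and `fetchImpl` is injected only so the exchange can be exercised without a network.

```javascript
// Added example, not code from the original answer or from Strapi.
// Assumed: Strapi v3-style routes (/connect/<provider>, /auth/<provider>/callback) and that
// Strapi redirects back to the front end with the provider token in the "access_token" query
// parameter (what the answer calls access_code). STRAPI_URL is a placeholder.
const STRAPI_URL = "https://mystrapiexample.com";
const PROVIDER = "microsoft";

// Pull the provider token out of the callback URL's query string (window.location.search).
// Only access_token is forwarded to Strapi; anything else on the URL is dropped.
function extractProviderParams(locationSearch) {
  const incoming = new URLSearchParams(locationSearch);
  const token = incoming.get("access_token");
  if (!token) {
    throw new Error("no access_token in callback URL");
  }
  const forwarded = new URLSearchParams();
  forwarded.set("access_token", token);
  return forwarded;
}

// Step 3.3: the Strapi URL the front end must call, e.g.
// https://mystrapiexample.com/auth/microsoft/callback?access_token=...
function buildStrapiCallbackUrl(strapiUrl, provider, locationSearch) {
  const url = new URL(`/auth/${provider}/callback`, strapiUrl);
  url.search = extractProviderParams(locationSearch).toString();
  return url.toString();
}

// Step 3.4: exchange the provider token for Strapi's own JWT. fetchImpl is injected so the
// function can run against a fake; in a real page the default (window.fetch) is used.
async function exchangeForStrapiJwt(locationSearch, fetchImpl = globalThis.fetch, strapiUrl = STRAPI_URL) {
  const res = await fetchImpl(buildStrapiCallbackUrl(strapiUrl, PROVIDER, locationSearch), {
    method: "GET",
    headers: { Accept: "application/json" },
  });
  if (!res.ok) {
    throw new Error(`Strapi callback failed: HTTP ${res.status}`);
  }
  const body = await res.json();
  if (typeof body.jwt !== "string" || body.jwt.length === 0) {
    throw new Error("Strapi response carries no jwt");
  }
  return { jwt: body.jwt, user: body.user };
}

// Header to attach to later requests to Strapi endpoints.
function authHeaders(jwt) {
  return { Authorization: `Bearer ${jwt}` };
}

// Constructed stand-in for Strapi, shaped like its {jwt, user} callback response, so the
// exchange can be exercised offline. Accepts one hard-coded placeholder token value.
function fakeStrapiFetch(url) {
  const token = new URL(url).searchParams.get("access_token");
  if (token !== "ms-token-123") {
    return Promise.resolve({ ok: false, status: 400, json: async () => ({}) });
  }
  return Promise.resolve({
    ok: true,
    status: 200,
    json: async () => ({ jwt: "strapi.jwt.value", user: { id: 1, email: "alice@example.com" } }),
  });
}

// Entry point for the browser page registered as the redirect URI in step 2.3.
async function handleCallbackPage() {
  const { jwt } = await exchangeForStrapiJwt(window.location.search);
  sessionStorage.setItem("strapi_jwt", jwt); // tab-scoped, discarded when the tab closes
  window.location.replace("/");
}

// Later Strapi calls from the app then look like this:
//   fetch(`${STRAPI_URL}/users/me`, { headers: authHeaders(sessionStorage.getItem("strapi_jwt")) })
```

The page forwards only `access_token` to Strapi, so anything else appended to the callback URL is dropped, and it stops on a non-2xx response or a body without a `jwt`. The JWT goes into sessionStorage rather than localStorage so it is scoped to the tab and discarded when the tab closes; subsequent requests carry it as `Authorization: Bearer <jwt>`, which is what `authHeaders` builds.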
