更新时间:2023-02-15 23:29:12
我们的支持AAD B2C的ASP.NET OpenID Connect中间件被构建为依赖于浏览器的cookie身份验证.它不接受标题中的令牌或类似的用于保护网页的令牌.因此,我想说的是,如果您想以经典方式从Web应用程序中提供HTML,则需要使用Cookie来验证对Web应用程序的请求.
Our ASP.NET OpenID Connect middleware which supports AAD B2C is built to rely on cookie authentication from a browser. It doesn't accept tokens in a header or anything like that for securing web pages. So I'd say if you want to serve HTML from your web app in the classic way, you need to use cookies to authenticate requests to the web app.
您绝对可以得到&将令牌存储在浏览器中,并使用这些令牌访问您的Web API,即使您使用Cookie对Web应用程序进行身份验证也是如此.我推荐两种模式:
You can definitely get & store tokens within the browser and use those to access your web API, even if you use cookies to authenticate to the web app. There's two patterns I'd recommend:
id_token
and drop cookies in the browser for future requests. You can instruct the middleware to save the id_token
for later use by using the line of code written here. You can then somehow pass that id_token
down to your browser, cache it, and use it to make requests to the API.id_token
in the body, triggering the OpenID Connect middleware to process the request and issue a session cookie. If you want to know the format of that request, I'd recommend inspecting a regular server side OpenID Connect flow.