我们有一堆单页应用程序并部署它们,例如 appA.xyz-corp.com 和 appB.xyz-corp.com。我们如何配置 Msal javascript,以便用户不必登录每个应用程序。我们已经尝试过这里提到的方法 https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/Sso 。但是, session 存储存储每个域“appA.xyz-corp.com”的信息,而不是使用子域“xyz.com”。对于使用 msal.js 进行多个单页应用程序以及用户跨应用程序无缝登录的最佳实践,我们将不胜感激。
最佳答案
wiki you mentioned还有一些有关具有多个域的场景的信息。本质上,您需要捕获首选用户名并将其与登录请求一起发送。要同时捕获所有应用程序的用户名,我建议将其存储在所有应用程序都知道的域范围 cookie 中。
// Store the username after login
document.cookie = "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="d4b9a7b5b88ba1a7b1a6bab5b9b1e984b5a1b894acadaef9b7bba6a4fab7bbb9" rel="noreferrer noopener nofollow">[email protected]</a>;domain=.xyz-corp.com;path=/"
// use the username
var username = getCookieByName("msal_username"); // find some code to do that
userAgentApplication.loginRedirect(scopes, "&login_hint=" + username);
这样做的缺点是您需要在所有应用程序中实现它。
Applications on different domain
When applications are hosted on different domains, the tokens cached on domain A cannot be accessed by MSAL.js in domain B.
Automatically select account on Azure AD
...
Using Login Hint
If you do not have SID claim configured or need to bypass the account selection prompt on interactive auth calls, you can do so by providing a login_hint and optionally a domain_hint as extraQueryParameters in the MSAL.js interactive methods (loginPopup, loginRedirect, acquireTokenPopup and acquireTokenRedirect). For example:
userAgentApplication.loginRedirect(scopes, "&login_hint=<preferred_username>&domain_hint=organizations");You can get the values for login_hint and domain_hint by reading the claims returned in the ID token for the user.
login_hint should be set to the preferred_username claim in the ID token.
关于azure - 使用 Azure AD 和 MSAL 的 SPA 应用程序之间的 SSO,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/54907948/