Wednesday, February 6, 2019

ADAL is the Active Directory Authentication Library, also known as adal.js.

There is also MSAL (the Microsoft Authentication Library), or msal.js, which is similar. ADAL, however, is the one we are going to use in an Angular project at work for the JWT token security work. A coworker made the whiteboard drawing shown here while explaining it to me yesterday. ADFS, as shown, is Active Directory Federation Services.

@hand may have been a mobile company, but they had an old means of logging in that they never revisited and that wasn't terribly mobilesque. You submitted a form, which posted to a different page (not via an API; you left one page for another), and then you got redirected elsewhere upon a successful login. This of course broke with the whole SPA concept. Downstream of that nastiness you would again have the SPA experience undeterred, so perhaps it was a sacrifice everyone could just live with. This is how ADAL works. When you click a login link in your Angular app, a 302 (page temporarily moved) redirect takes you to a form to authenticate against Active Directory, and then there is a redirect to the real meat of the SPA app. There is an Auth token for access to the domain and an Access token for what you may do. (Once the front door is open, it does not mean that every door inside is open, right?) You can get both of these tokens at once if you are only going to use the JWT tokens to talk to one API; however, if you are going to talk to numerous APIs, perhaps with differing permissions across them, you will need a different Access token for each API. If there are two or more, you need to defer getting the Access tokens until after you have the Auth token. I am not sure why, but I suspect that there is overhead in drumming up permissions in diversified systems that is somehow minimized if there is just one system in question. Perhaps you may go to any of the Active Directory services that are the keepers for any one API to also get an Auth token too. I'm not sure yet. Also, if two or more APIs require a second call, then it is really good practice to make interacting with a single API require a second call too, as this just makes for good, common architecture for later expansions. This sphere of things is the OAuth implicit grant flow. A second call means a second break with the SPA paradigm, probably, huh?
Well, there is a way around "changing pages" with the calls to get Access tokens: use an iframe. Yee-haw! Let's hack!
