grumar / adal-angular5

Angular 5 ADAL Wrapper
MIT License

Debugger never hits inside acquireToken when using resource instead of clientId #13

Open nybroe opened 6 years ago

nybroe commented 6 years ago

As far as I can see in the code, the "sendRequest" method in adal5-http.service.js invokes acquireToken with a given resource. I have added endpoints in which I want to use CORS for several resources. The code below for the "sendRequest" method shows that if one of the added endpoints contains the URL it will try to retrieve an access_token from the given resource for the endpoint.

Adal5HTTPService.prototype.sendRequest = function (method, url, options) {
    var _this = this;
    var resource = this.service.GetResourceForEndpoint(url);
    var authenticatedCall;
    if (resource) {
        if (this.service.userInfo.authenticated) {
            authenticatedCall = this.service.acquireToken(resource)
                .flatMap(function (token) {
                    if (options.headers == null) {
                        options.headers = new http_1.HttpHeaders();
                    }
                    options.headers = options.headers.append('Authorization', 'Bearer ' + token);
                    return _this.http.request(method, url, options)
                        .catch(_this.handleError);
                });
        }
        else {
            authenticatedCall = Rx_1.Observable.throw(new Error('User Not Authenticated.'));
        }
    }
    else {
        authenticatedCall = this.http.request(method, url, options).catch(this.handleError);
    }
    return authenticatedCall;
};

If I add the clientId as the resource I get the id_token from the cache and an attached debugger breaks within the flatMap of the acquireToken. It then sets the Authorization header as expected and the code works fine but I am not authorized when using the id_token - I need to use the access_token.

If I - on the other hand - set the resource for my API application instead of the clientId, the debugger never breaks within acquireToken, which results in the Authorization header never being set, and therefore my call to the API fails. I can, in the Network tab in Chrome, see that the query for the access_token has gone through and responded with a callback.

This is my config:

const config = {
  tenant: 'cloudrunners.dk',
  clientId: '18f5edc3-1111-1111-1111-a9e1b239e2cd',
  redirectUri: window.location.origin + '/',
  resource: 'https://cloudrunners.dk/151f85ba-1111-1111-1111-1111ccca6f9a',
  endpoints: {
    'https://local.stuff.com/api/': 'https://cloudrunners.dk/151f85ba-1111-1111-1111-1111ccca6f9a'
  }
};

What I have done up until now:
1) Set "oauth2AllowImplicitFlow": true in the manifest
2) Added API and Client applications to permissions

No matter what I do - and I have seen this in adal-angular and adal-angular4 as well - I can't get it to break inside acquireToken when using the resource and not the clientId to get the access_token.
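The id_token versus access_token difference described in this report can be seen in the token's `aud` claim. The following is an added example, not code from the issue or from adal-angular5: a Node diagnostic that decodes a token's payload and checks whether its audience is the API resource mapped to the endpoint or the client app itself. The helper names (`decodeClaims`, `resourceForEndpoint`, `checkBearer`, `makeToken`) are hypothetical, the sample tokens are constructed and unsigned, and it assumes the API's access tokens carry the App ID URI from `endpoints` as `aud`.

```javascript
// Diagnostic only: decodes the JWT payload WITHOUT verifying the signature,
// so the result must never be used as an authorization decision.
const config = { // values taken from the config posted in the issue
  clientId: '18f5edc3-1111-1111-1111-a9e1b239e2cd',
  endpoints: {
    'https://local.stuff.com/api/': 'https://cloudrunners.dk/151f85ba-1111-1111-1111-1111ccca6f9a'
  }
};

function decodeClaims(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Hypothetical prefix lookup; not the library's GetResourceForEndpoint.
function resourceForEndpoint(url, cfg) {
  const prefix = Object.keys(cfg.endpoints).find((p) => url.startsWith(p));
  return prefix ? cfg.endpoints[prefix] : null;
}

function checkBearer(url, jwt, cfg) {
  const resource = resourceForEndpoint(url, cfg);
  if (!resource) return { ok: false, reason: 'no resource configured for this URL' };
  const aud = decodeClaims(jwt).aud;
  if (aud === resource) return { ok: true, reason: 'audience matches the API resource' };
  if (aud === cfg.clientId) {
    return { ok: false, reason: 'id_token issued for the client app, not an access token for the API' };
  }
  return { ok: false, reason: 'audience ' + aud + ' does not match ' + resource };
}

// Constructed sample tokens (unsigned, placeholder signature segment).
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ typ: 'JWT' }), enc(claims), 'constructed-signature'].join('.');
}
const idToken = makeToken({ aud: config.clientId });
const accessToken = makeToken({ aud: config.endpoints['https://local.stuff.com/api/'] });

console.log(checkBearer('https://local.stuff.com/api/values', idToken, config));
console.log(checkBearer('https://local.stuff.com/api/values', accessToken, config));
```

The API still has to validate signature, issuer and audience server-side; this check only tells you which kind of token the client is about to send.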

grumar commented 6 years ago

Probably fixed by #34

grumar commented 6 years ago

Published as beta: npm install adal-angular5@2.1.1