
Microsoft provider SSO configuration

This page explains how to set up the Microsoft provider for the Single Sign-On (SSO) feature.

Prerequisites

You have read the How to configure SSO guide.

Installation

Install passport-azure-ad-oauth2 (the command below also adds jsonwebtoken, which the configuration example uses to decode the ID token):

yarn add passport-azure-ad-oauth2 jsonwebtoken

Configuration example

The Microsoft SSO provider is configured in the auth.providers array of the config/admin file:

/config/admin.js

const AzureAdOAuth2Strategy = require("passport-azure-ad-oauth2");
const jwt = require("jsonwebtoken");

module.exports = ({ env }) => ({
  auth: {
    // ...
    providers: [
      {
        uid: "azure_ad_oauth2",
        displayName: "Microsoft",
        icon: "https://upload.wikimedia.org/wikipedia/commons/thumb/9/96/Microsoft_logo_%282012%29.svg/320px-Microsoft_logo_%282012%29.svg.png",
        createStrategy: (strapi) =>
          new AzureAdOAuth2Strategy(
            {
              // Client credentials and tenant come from the environment.
              clientID: env("MICROSOFT_CLIENT_ID", ""),
              clientSecret: env("MICROSOFT_CLIENT_SECRET", ""),
              scope: ["user:email"],
              tenant: env("MICROSOFT_TENANT_ID", ""),
              callbackURL:
                strapi.admin.services.passport.getStrategyCallbackURL(
                  "azure_ad_oauth2"
                ),
            },
            (accessToken, refreshToken, params, profile, done) => {
              // params.id_token is the ID token returned by the token endpoint.
              // jwt.decode() only parses the token; it does not verify the
              // signature or validate any claim.
              const waadProfile = jwt.decode(params.id_token);
              done(null, {
                email: waadProfile.email,
                username: waadProfile.email,
                firstname: waadProfile.given_name, // optional if email and username exist
                lastname: waadProfile.family_name, // optional if email and username exist
              });
            }
          ),
      },
    ],
  },
});
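
The callback above hands whatever the decoded ID token contains straight to done(). The following is an added example, not part of the Strapi documentation or of either package's API: it checks the aud, tid, exp and email claims before building the profile, and like jwt.decode() it performs no signature verification. The function names are hypothetical, the sample token and values are constructed, and it assumes MICROSOFT_TENANT_ID holds the directory ID in the same form as the token's tid claim.

```javascript
// Added example; function names are hypothetical, not Strapi or passport APIs.
// Parses the JWT payload without verifying the signature (as jwt.decode() does).
function decodePayload(idToken) {
  const parts = String(idToken).split(".");
  if (parts.length !== 3) throw new Error("id_token is not a three-part JWT");
  // Node's "base64" decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
}

// Returns the profile object for done(), or throws when a claim check fails.
function profileFromIdToken(idToken, { clientID, tenant, now = Date.now() }) {
  const claims = decodePayload(idToken);
  const audiences = [].concat(claims.aud || []);
  if (!audiences.includes(clientID)) throw new Error("aud does not match client ID");
  if (claims.tid !== tenant) throw new Error("tid does not match tenant");
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= now)
    throw new Error("id_token is expired or has no exp claim");
  if (typeof claims.email !== "string" || !claims.email.includes("@"))
    throw new Error("id_token has no email claim");
  return {
    email: claims.email,
    username: claims.email,
    firstname: claims.given_name,
    lastname: claims.family_name,
  };
}

// Builds a constructed, unsigned sample token for the demonstration below.
function makeSampleToken(claims) {
  const b64url = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [b64url({ alg: "none", typ: "JWT" }), b64url(claims), "sig"].join(".");
}

// Constructed sample values (placeholders, not real identifiers).
const SAMPLE_CONFIG = { clientID: "client-id-placeholder", tenant: "tenant-id-placeholder", now: 1700000000000 };
const SAMPLE_CLAIMS = {
  aud: "client-id-placeholder", tid: "tenant-id-placeholder", exp: 1700003600,
  email: "admin@example.com", given_name: "Ada", family_name: "Admin",
};
console.log(profileFromIdToken(makeSampleToken(SAMPLE_CLAIMS), SAMPLE_CONFIG));

// In the verify callback: try { done(null, profileFromIdToken(params.id_token,
//   { clientID: env("MICROSOFT_CLIENT_ID"), tenant: env("MICROSOFT_TENANT_ID") })); }
// catch (err) { done(err); }
```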