Azure AD B2C returns AADSTS70000 error on token request
I have a web API attempting to get a set of access and refresh tokens for a B2C user. User sign-in is done through a configured "Social identity provider".
The API receives the authorization code. When exchanging the code for the tokens, the Azure AD B2C tenant's endpoint returns an invalid_grant error.
I have looked at the other answers I've found on the site. The issue still remains. Pointers are much appreciated.
Details as follows.
Sign-up and sign-in profiles issue claims for
Error from token endpoint:
{
"error": "invalid_grant",
"error_description": "AADSTS70000: Transmission data parser failure: Authorization Code is malformed or invalid. [...]",
"error_codes": [
70000
],
[...]
}
Authorization request looks as follows:
AUTHORIZATION_ENDPOINT = 'https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize'
authorization_url = f'{AUTHORIZATION_ENDPOINT}' \
f'?client_id={CLIENT_ID}' \
f'&response_type=code' \
f'&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcode' \
f'&scope=openid offline_access' \
f'&nonce=hellobob' \
f'&p=B2C_1_<profile>'
Upon user authorization, the authorization code is POSTed by the API to the token endpoint. The payload is represented as a Python dictionary.
import requests

# Token endpoint as originally used (no B2C profile on the URL)
TOKEN_ENDPOINT = 'https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token'
# Form body for the authorization-code grant
payload = {
'p': 'B2C_1_<profile>',
'client_id': CLIENT_ID,
'client_secret': CLIENT_SECRET,
'code': code,
'grant_type': 'authorization_code',
'redirect_uri': 'http://localhost:8000/code',
'scope': 'openid offline_access'
}
response = requests.post(TOKEN_ENDPOINT, data=payload)
This error generally means the auth code you've gotten is not meant for tokens on the specified endpoint. This can happen from misconfiguring the auth endpoints, registering the app in the wrong spot, or a malformed request. One thing to call out is most B2C errors are in the form of aadb2cxxxxx rather than the traditional Azure AD error format of aadstsxxxxx.
First thing to check with this error is your auth endpoints. From the snippets above, both look good.
Next thing is to make sure you're using the correct library to obtain the authorization code. You haven't shown the code on your client, but if it's using the ADAL library or v1.0 endpoints, your auth code will not be redeemable on the /v2.0/ endpoints.
I've also seen this happen when an app is registered in the incorrect blade within the Azure Portal. Make sure you registered an Azure AD B2C application rather than a plain Azure AD app.
If you've done this, I recommend trying 2 things:
1. Use a test B2C application from one of the code samples rather than your app registration and see if it works. If it does, you know you have a registration issue. This registration guide may help diagnose.
2. Do the request by hand using your app registration (rather than in code). This will help you understand if it's a code issue. Construct the request and use Curl or Postman, then exchange the code. The easy alternative is to plug in your configs into a sample.
The URL to the token endpoint was incorrect. Authorization and token endpoint URLs need to contain the B2C profile as part of their query parameters, e.g.
https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token?p=<B2C_profile>
Alternatively, you can use the following URLs for the authorization and token endpoints respectively:
https://login.microsoftonline.com/te/<tenant>.onmicrosoft.com/<B2C_profile>/oauth2/v2.0/authorize
https://login.microsoftonline.com/te/<tenant>.onmicrosoft.com/<B2C_profile>/oauth2/v2.0/token
Value of B2C_profile is in lower case.
OpenID discovery document is available at https://login.microsoftonline.com/te/<tenant>.onmicrosoft.com/<B2C_profile>/v2.0/.well-known/openid-configuration
Note that the OpenID provider configuration document lists the underlying Azure AD as the token issuer, making it difficult to determine whether a token originates from Azure AD or B2C. However, B2C tokens seem to include a tfp claim referring to the policy name being used.
In addition, B2C uses different signing keys than the claimed token issuer. Make sure you use the B2C keys when validating tokens!
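The two points in this answer (the policy must be on the endpoint URL, and tokens must be checked against the B2C policy's own discovery document and keys, with the tfp claim naming the policy) are shown below in an added example. It is not code from the question or either answer. It builds both endpoint forms, refuses a token request whose URL lacks the policy (the shape that produced AADSTS70000 above), and runs the issuer/tfp/audience/expiry/key-id checks on a token. Signature verification itself is left to a JWT library so the example runs offline; the tenant, policy, client id, issuer, JWKS and the sample token are constructed values.

```python
"""Added example (not the question's or answers' code): B2C endpoint construction
and pre-signature token checks for the policy-scoped discovery document.
Signature verification is left to a JWT library; only the surrounding checks run here."""
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit


def b2c_policy_endpoints(tenant: str, policy: str) -> dict:
    """Policy-in-path form of the endpoints; the policy name is lower-cased as the answer notes."""
    base = f"https://login.microsoftonline.com/te/{tenant}.onmicrosoft.com/{policy.lower()}"
    return {
        "authorize": f"{base}/oauth2/v2.0/authorize",
        "token": f"{base}/oauth2/v2.0/token",
        "discovery": f"{base}/v2.0/.well-known/openid-configuration",
    }


def token_endpoint_with_policy(tenant_id: str, policy: str) -> str:
    """Query-parameter form: the question's code used this URL without ?p=."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token?{urlencode({'p': policy})}"


def build_token_request(token_url: str, client_id: str, client_secret: str, code: str, redirect_uri: str):
    """Return (url, form_body) for the code exchange, refusing URLs that carry no B2C policy."""
    parts = urlsplit(token_url)
    if "p" not in parse_qs(parts.query) and not parts.path.startswith("/te/"):
        raise ValueError("token endpoint must carry the B2C policy (?p=<policy> or /te/<tenant>/<policy>/)")
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",
    }
    return token_url, body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str):
    """Split a compact JWT into (header, claims) without checking the signature."""
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def select_signing_key(jwks: dict, kid: str) -> dict:
    """Pick the key by kid from the B2C JWKS (not the Azure AD keys of the claimed issuer)."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    raise LookupError(f"no B2C signing key with kid={kid!r}")


def check_b2c_token(token: str, discovery: dict, jwks: dict, expected_policy: str, audience: str, now=None) -> dict:
    """Checks to run before/alongside signature verification; returns the problems found."""
    now = time.time() if now is None else now
    header, claims = decode_jwt_unverified(token)
    problems, key = [], None
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    try:
        key = select_signing_key(jwks, header.get("kid"))
    except LookupError as exc:
        problems.append(str(exc))
    if claims.get("iss") != discovery.get("issuer"):
        problems.append("issuer does not match the B2C policy's discovery document")
    if claims.get("tfp", "").lower() != expected_policy.lower():
        problems.append(f"tfp claim {claims.get('tfp')!r} is not policy {expected_policy!r}")
    if claims.get("aud") != audience:
        problems.append("audience mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return {"ok": not problems, "problems": problems, "key": key, "claims": claims}


# Constructed sample data (not real tenant, keys or tokens)
TENANT, POLICY, CLIENT_ID = "contoso", "B2C_1_signupsignin", "00000000-0000-0000-0000-000000000001"
DISCOVERY = {"issuer": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0/"}
JWKS = {"keys": [{"kty": "RSA", "kid": "b2c-key-1", "e": "AQAB", "n": "<constructed-modulus>"}]}


def make_sample_token(claims: dict, kid: str = "b2c-key-1") -> str:
    """Constructed JWT for the demo; the signature segment is a placeholder, not RS256 output."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"constructed-signature")])


if __name__ == "__main__":
    print(b2c_policy_endpoints(TENANT, POLICY)["token"])
    token = make_sample_token({"iss": DISCOVERY["issuer"], "aud": CLIENT_ID, "tfp": POLICY, "exp": int(time.time()) + 600})
    print(check_b2c_token(token, DISCOVERY, JWKS, POLICY, CLIENT_ID))
```

The endpoint helpers are the fix for the question's error; build_token_request keeps the request body the question already used and only insists that the policy ride on the URL. check_b2c_token resolves the key id against the B2C JWKS rather than the keys of the issuer named in the token, which is the point of the last paragraph above.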