简体繁体 English

登录的MSAL和AD B2C问题

[英]MSAL and AD B2C issues with login

原文 2018-04-04 13:32:29 2 1 angular/ azure-ad-b2c/ msal

I've invested some considerable time into trying to understand and properly use MSAL but I'm still struggling. 我花了很多时间尝试理解和正确使用MSAL，但我仍在努力。 I have numerous issues and I'm not really sure what to do/what I'm doing wrong. 我遇到了很多问题，我不确定该怎么做/做错了什么。

Here's what I do have: 这是我所拥有的：

1) The Active-Directory-B2C-Javascript-Angular2.4-spa application downloaded from github. 1）从github下载的Active-Directory-B2C-Javascript-Angular2.4-spa应用程序。

2) I reconfigured it to use my B2C tenant I created 2）我将其重新配置为使用我创建的B2C租户

3) I can login via Facebook or create my own account (sometimes) 3）我可以通过Facebook登录或创建自己的帐户（有时）

From here I'm struggling with two problems now: acquireTokenSilent - always fails, and ends up calling acquireTokenPopup (which appears to popup a window). 从这里开始，我现在正面临两个问题：AcquireTokenSilent-始终失败，并最终调用了acquireTokenPopup（它似乎会弹出一个窗口）。 So I'm not sure why acquireTokenSilent is failing, but when it calls acquireTokenPopup the popup gets blocked. 所以我不确定为什么acquireTokenSilent会失败，但是当它调用acquireTokenPopup时，弹出窗口会被阻止。

1) I'm thinking the acquireTokenSilent failure may be due to my "scope" i'm requesting. 1）我认为acquireTokenSilent失败可能是由于我请求的“作用域”。 I've looked through the Azure documentation and don't understand how to create a scope so I'm kind of stuck there. 我已经浏览了Azure文档，但不了解如何创建范围，因此有点困扰。 Is there a default I can use? 我可以使用默认值吗？ I tried an empty string and it failed. 我尝试了一个空字符串，但失败了。 I also tried https://myapp.onmicrosoft.com/demoapi/demo.read which didn't make sense, but I tried it anyway (didn't make sense because I couldn't see it anywhere). 我还尝试了https://myapp.onmicrosoft.com/demoapi/demo.read ，这没有任何意义，但我还是尝试了一下（没有意义，因为我在任何地方都看不到）。

2) I thought maybe removing my popup blocker which is defaulted in every browser now could maybe cause acquireTokenPopup to work. 2）我以为可能删除我现在在每个浏览器中默认的弹出窗口阻止程序，可能会导致AcquisitionTokenPopup工作。 INSTEAD: It still fails, BUT when I call loginPopup it opens the login window twice. INSTEAD：它仍然失败，但是当我调用loginPopup时，它将两次打开登录窗口。 Yes Twice. 是的两次。 I debugged the code to ensure I wasn't calling loginPopup twice. 我调试了代码以确保没有两次调用loginPopup。 I wasn't... 我不是

Can somebody explain why in an age of popup blockers a library would even attempt this code? 有人可以解释为什么在弹出窗口阻止程序时代图书馆甚至会尝试使用此代码吗？ Having somebody enable popups just to use your app seems incredibly archaic... Is there a way around this with this library? 让某人启用弹出窗口只是为了使用您的应用程序似乎太过古老了……这个库有办法解决吗？

Anyone have any advice? 有人有什么建议吗？

1 个解决方案

As per the readme on the github repo, you can clone and run the application as is to demonstrate sign in with a sample web api that they provide ( https://aadb2cplayground.azurewebsites.net ). 按照github存储库上的自述文件，您可以按原样克隆和运行该应用程序，以演示使用它们提供的示例Web API登录的情况（ https://aadb2cplayground.azurewebsites.net ）。 This web api has been secured by using an Azure AD tenant called "fabrikamb2c.onmicrosoft.com". 此Web api已通过使用名为“ fabrikamb2c.onmicrosoft.com”的Azure AD租户进行保护。 You can see this by visiting the root url of that site: 您可以通过访问该站点的根URL来查看此内容：

In order for the sample to call web api actions on this site, you need to send it an OpenIDConnect Access Token (JWT) in the header of your request issued by an audience it trusts. 为了使示例能够在此站点上调用Web api操作，您需要在其信任的受众发出的请求标头中向其发送一个OpenIDConnect访问令牌（JWT）。 The audience is denoted by the AppID that a new B2C Application receives when created using the B2C Azure blade interface. 受众由使用B2C Azure刀片界面创建的新B2C应用程序接收的AppID表示。 In addition, the access token needs to specify the policy used you used when authenticating against the tenant. 此外，访问令牌需要指定在对租户进行身份验证时使用的策略。

If you click "App Settings" on the playground site and then "Use the AAD B2C Playground example directory" you can see the same values that are preset in your github sample repo: 如果单击操场上站点上的“应用程序设置”，然后单击“使用AAD B2C游乐场示例目录”，则可以看到在github示例存储库中预设的相同值：

In your scenario, you are trying to use the SPA repo to call the sample webservices. 在您的方案中，您尝试使用SPA存储库来调用示例Web服务。 Obviously the Playground site knows nothing about your repo so you need to supply the settings so that it knows how to validate your tokens against your tenant. 显然，Playground网站对您的回购协议一无所知，因此您需要提供设置，以便它知道如何针对租户验证令牌。 I haven't tried it but I would guess that if you fill the App Settings inputs with the appropriate values with your own tenant the sample will work as the Playground sample now knows how to communicate with your tenant. 我还没有尝试过，但是我想如果您用自己的租户用适当的值填充“应用设置”输入，则该示例将起作用，因为Playground示例现在知道如何与您的租户进行通信。

Obviously I wouldn't use any production tenant settings here! 显然，我不会在这里使用任何生产租户设置！

When you want your SPA app to access your own WebAPI, you would need to secure both sides with your own tenant but each one can use it's own B2C application. 当您希望SPA应用程序访问自己的WebAPI时，您需要使用自己的租户保护双方，但是每个人都可以使用自己的B2C应用程序。 If you authenticate your SPA application using a token which contains the AppID and scope of the WebAPI B2C application you will be granted access as the resulting token will use the audience value of the WebAPI. 如果您使用包含WebAPI B2C应用程序的AppID和范围的令牌对SPA应用程序进行身份验证，则将授予您访问权限，因为生成的令牌将使用WebAPI的受众群体值。

1) I'm thinking the acquireTokenSilent failure may be due to my "scope" i'm requesting. 1）我认为acquireTokenSilent失败可能是由于我请求的“作用域”。 I've looked through the Azure documentation and don't understand how to create a scope so I'm kind of stuck there. 我已经浏览了Azure文档，但不了解如何创建范围，因此有点困扰。 Is there a default I can use? 我可以使用默认值吗？ I tried an empty string and it failed. 我尝试了一个空字符串，但失败了。 I also tried https://myapp.onmicrosoft.com/demoapi/demo.read which didn't make sense, but I tried it anyway (didn't make sense because I couldn't see it anywhere). 我还尝试了https://myapp.onmicrosoft.com/demoapi/demo.read ，这没有任何意义，但我还是尝试了一下（没有意义，因为我在任何地方都看不到）。

For the scope, you need that to be " https://fabrikamb2c.onmicrosoft.com/demoapi/demo.read ". 对于范围，您需要将其设置为“ https://fabrikamb2c.onmicrosoft.com/demoapi/demo.read ”。 On the FabrikamB2C tenant there will be a B2C application with the AppID of " https://fabrikamb2c.onmicrosoft.com/demoapi " and a scope will be defined called "demo.read" which the Playground site looks for in your incoming token to ensure you have access to endpoints that require that scope defined in your token. 在FabrikamB2C租户上，将有一个AppID为“ https://fabrikamb2c.onmicrosoft.com/demoapi ”的B2C应用程序，并且将定义一个名为“ demo.read”的范围，Playground站点将在您的传入令牌中查找该范围确保您有权访问需要在令牌中定义该范围的端点。

2) I thought maybe removing my popup blocker which is defaulted in every browser now could maybe cause acquireTokenPopup to work. 2）我以为可能删除我现在在每个浏览器中默认的弹出窗口阻止程序，可能会导致AcquisitionTokenPopup工作。 INSTEAD: It still fails, BUT when I call loginPopup it opens the login window twice. INSTEAD：它仍然失败，但是当我调用loginPopup时，它将两次打开登录窗口。 Yes Twice. 是的两次。 I debugged the code to ensure I wasn't calling loginPopup twice. 我调试了代码以确保没有两次调用loginPopup。 I wasn't... 我不是

Can somebody explain why in an age of popup blockers a library would even attempt this code? 有人可以解释为什么在弹出窗口阻止程序时代图书馆甚至会尝试使用此代码吗？ Having somebody enable popups just to use your app seems incredibly archaic... Is there a way around this with this library? 让某人启用弹出窗口只是为了使用您的应用程序似乎太过古老了……这个库有办法解决吗？

Popups tend to be implemented when authenticating to avoid destroying the flow of the user's journey through the application. 验证时倾向于实现弹出窗口，以避免破坏用户通过应用程序的流程。 If the token expires and there is no valid refresh token to use, your application cannot gain access to another token therefore it has to ask the user to authenticate again. 如果令牌到期并且没有有效的刷新令牌可使用，则您的应用程序将无法访问另一个令牌，因此它必须要求用户再次进行身份验证。 If the user is in the middle of an operation (eg saving data) it might be possible to recover outside of the action in a separate window rather than forcing a redirect on the user. 如果用户处于操作中间（例如，保存数据），则有可能在单独的窗口中在操作之外进行恢复，而不是强制用户重定向。 However, I am not that familiar with the SPA implementation so other more knowledgeable people may have more valid input! 但是，我不太熟悉SPA的实现，因此其他知识渊博的人可能会有更多有效的输入！