
Discord API returns 401 Unauthorized when trying to sign in via Azure AD B2C custom policy

I'm building an app that uses Discord OAuth2 for various purposes, including user identity, but have encountered an issue where the Discord API returns a 401 (Unauthorized) error when a user tries to sign in.

I have a B2C tenant that has a custom policy containing the following ClaimsProvider:

  <ClaimsProvider>
      <!-- The following Domain element allows this profile to be used if the request comes with domain_hint 
           query string parameter, e.g. domain_hint=Discord.com  -->
      <Domain>Discord.com</Domain>
      <DisplayName>Discord</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="Discord-OAUTH">
          <!-- The text in the following DisplayName element is shown to the user on the claims provider 
               selection screen. -->
          <DisplayName>Discord</DisplayName>
          <Protocol Name="OAuth2" />
          <Metadata>
            <Item Key="ProviderName">Discord</Item>
            <Item Key="authorization_endpoint">https://discordapp.com/api/oauth2/authorize</Item>
            <Item Key="AccessTokenEndpoint">https://discordapp.com/api/oauth2/token</Item>
            <Item Key="ClaimsEndpoint">https://discordapp.com/api/users/@me</Item>
            <Item Key="HttpBinding">POST</Item>
            <Item Key="UsePolicyInRedirectUri">0</Item>
            <Item Key="client_id">[my key]</Item>
            <Item Key="scope">identify email connections guilds.join rpc rpc.api rpc.notifications.read messages.read</Item>
            <Item Key="AccessTokenResponseFormat">json</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="B2C_1A_DiscordSecret" />
          </CryptographicKeys>
          <InputClaims />
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="socialIdpUserId" DefaultValue="id" />
            <OutputClaim ClaimTypeReferenceId="givenName" DefaultValue="first_name" />
            <OutputClaim ClaimTypeReferenceId="surname" DefaultValue="last_name" />
            <OutputClaim ClaimTypeReferenceId="displayName" DefaultValue="name" />
            <OutputClaim ClaimTypeReferenceId="email" DefaultValue="email"/>
            <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="Discord.com" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
          </OutputClaimsTransformations>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

The error I collected via Application Insights is:

{
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "RecorderRecord": {
        "Values": [
          {
            "Key": "SendErrorTechnicalProfile",
            "Value": "OAuth2ProtocolProvider"
          },
          {
            "Key": "Exception",
            "Value": {
              "Kind": "Handled",
              "HResult": "80131500",
              "Message": "An exception was caught when making a request to URL \"https://discordapp.com/api/users/@me\" using method \"Get\". The exception status code was \"ProtocolError\" with the following message: {scrubbed}.",
              "Data": {},
              "Exception": {
                "Kind": "Handled",
                "HResult": "80131509",
                "Message": "The remote server returned an error: (401) Unauthorized.",
                "Data": {}
              }
            }
          }
        ]
      }
    }
}

Here's a solution to avoid getting a 401 when requesting claims from the API, but I'm not sure how it works in this situation with a custom policy on a B2C tenant.

Could anyone please provide a suggestion for this issue?

The Discord API requires the access token to be sent in the Authorization HTTP header.

By default, Azure AD B2C sends the access token in the query string, so you must add the BearerTokenTransmissionMethod metadata item to the technical profile:

<TechnicalProfile Id="Discord-OAUTH">
  <Metadata>
    <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
  </Metadata>
</TechnicalProfile>
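To make the mechanism behind the answer concrete, here is an added example (not code from the question, the answer, Microsoft or Discord): a local stand-in for the /api/users/@me claims endpoint that, like Discord, honours the bearer token only in the Authorization header, called the two ways B2C can transmit it. The query-parameter name `access_token`, the token value and the user record are assumptions/constructed sample data.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FAKE_TOKEN = "constructed-access-token"  # constructed sample value
FAKE_USER = {"id": "123456789012345678", "username": "example"}  # constructed

class ClaimsEndpoint(BaseHTTPRequestHandler):
    """Stand-in for /api/users/@me: like Discord, it only honours
    'Authorization: Bearer <token>'; a token in the query string is ignored,
    so that request is effectively anonymous and gets a 401."""
    def do_GET(self):
        if self.headers.get("Authorization") == f"Bearer {FAKE_TOKEN}":
            status, body = 200, json.dumps(FAKE_USER).encode()
        else:
            status, body = 401, b'{"message": "401: Unauthorized"}'
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def fetch_claims(base_url, token, method):
    """Call the claims endpoint as B2C would for BearerTokenTransmissionMethod
    'AuthorizationHeader' or its default of the query string (assumed here to
    be an access_token= parameter). Returns (status_code, parsed JSON)."""
    if method == "AuthorizationHeader":
        req = urllib.request.Request(base_url, headers={"Authorization": f"Bearer {token}"})
    else:
        req = urllib.request.Request(f"{base_url}?access_token={token}")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def run_demo():
    """Serve the stand-in on a free local port and try both methods."""
    server = HTTPServer(("127.0.0.1", 0), ClaimsEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/api/users/@me"
    try:
        return {m: fetch_claims(url, FAKE_TOKEN, m)[0]
                for m in ("QueryString", "AuthorizationHeader")}
    finally:
        server.shutdown()
```

A token carried in the query string also tends to end up in web-server, proxy and browser-history logs, which is one more reason APIs reject that placement and the header form is the one to configure.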
