
mozilla-django-oidc issue with Azure AD B2C

I am trying to configure the "mozilla-django-oidc" package in Django. To authenticate I use an Azure Active Directory B2C policy, so this is my federation server.

When I click the login button I get this URL, which looks wrong to me. I will split it, just for convenience:

https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_TENANTID_signin?response_type=code&scope=openid+email&client_id=XXXXXXXXXXXXXXX&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Foidc%2Fcallback%2F&state=pt8aYXicnYRSQkkB8kwHSv4hQwt9Xzre&nonce=UfLfk6QovA2inpfo9W7zS2MZHLpO1tkJ

and the URL I need has this format: https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_TENANTID_SIGNIN&client_id=XXXXXXXXXXXXX&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Foidc%2Fcallback%2F&scope=openid&response_type=id_token&prompt=login

On the home page I have this code:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Home page</title>
</head>
<body>
  <h3>
    Welcome to home page
  </h3>

  {% if user.is_authenticated %}
    <p>Current user: {{ user.email }}</p>
    <form action="{% url 'oidc_logout' %}" method="post">
      <input type="submit" value="logout">
    </form>
  {% else %}
    <a href="{% url 'oidc_authentication_init' %}">Login</a>
  {% endif %}

</body>
</html>

My code in settings.py:

OIDC_RP_SIGN_ALGO = "RS256"
OIDC_RP_CLIENT_ID = "xxxxxxxxxxxxxx"  # fake client id just for this post
# OIDC_RP_CLIENT_SECRET = os.environ['OIDC_RP_CLIENT_SECRET']
OIDC_OP_AUTHORIZATION_ENDPOINT = "https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_TENANTID_signin"
OIDC_OP_TOKEN_ENDPOINT = "https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_TENANTID_signin"
# OIDC_OP_USER_ENDPOINT = "<URL of the OIDC OP userinfo endpoint>"
LOGIN_REDIRECT_URL = "http://localhost:8000/oidc/callback/"
LOGOUT_REDIRECT_URL = "http://localhost:8000/welcome/"

Note: I don't know what to put in the variables "OIDC_RP_CLIENT_SECRET" and "OIDC_OP_USER_ENDPOINT".

Any help, please, to get the right URL with this configuration? Thanks.

I had to update the views.py file from the library in order to get the URL I needed. The documentation was very poor, but at least it is working.

In order to get the URL you want, you need to remove the authorization parameter from your endpoints:

  • OIDC_OP_AUTHORIZATION_ENDPOINT
  • OIDC_OP_TOKEN_ENDPOINT

This yields new endpoints for you as follows.

OIDC_OP_AUTHORIZATION_ENDPOINT = "https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/authorize"
OIDC_OP_TOKEN_ENDPOINT = "https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/token"

Now you are missing a part of your URL, so you can add the "policy" authorization parameter back in with the following bit of code:

OIDC_AUTH_REQUEST_EXTRA_PARAMS = {'p': 'b2c_1_TENANTID_signin'}
OIDC_RP_SCOPES = ['openid']
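The following Python is an added illustration of the answer above; it is not code from the question, the answer, or the mozilla-django-oidc library. It shows why an endpoint that already carries `?p=...` produces the double-question-mark URL from the question (the policy value swallows `?response_type=code`, so the request has no `response_type` at all), and that a bare endpoint plus the policy passed as an extra parameter parses cleanly. The tenant, client, state and nonce values are constructed placeholders, and `merged_build` is a stand-in for how a relying party should assemble the query, not the library's own implementation.

```python
"""Added example: building and checking an Azure AD B2C authorize URL.
Not the library's code; all tenant/client/state/nonce values are placeholders."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Endpoint as configured in the question (policy baked into the query string).
ENDPOINT_WITH_POLICY = (
    "https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/"
    "authorize?p=b2c_1_TENANTID_signin"
)
# Endpoint as recommended in the answer (bare, policy supplied separately).
ENDPOINT_BARE = (
    "https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/authorize"
)
# Equivalent of OIDC_AUTH_REQUEST_EXTRA_PARAMS in the answer.
POLICY_PARAMS = {"p": "b2c_1_TENANTID_signin"}

# Parameters a relying party sends on the authorization request (constructed values).
AUTH_PARAMS = {
    "response_type": "code",
    "scope": "openid email",
    "client_id": "XXXXXXXXXXXXXXX",
    "redirect_uri": "http://localhost:8000/oidc/callback/",
    "state": "pt8aYXicnYRSQkkB8kwHSv4hQwt9Xzre",
    "nonce": "UfLfk6QovA2inpfo9W7zS2MZHLpO1tkJ",
}

# B2C needs the policy; the rest are what a code-flow RP must send and later verify.
REQUIRED = ("p", "client_id", "redirect_uri", "response_type", "scope", "state", "nonce")


def naive_build(endpoint, params):
    """Append '?' + query to the endpoint as given. With an endpoint that already
    ends in '?p=...', this reproduces the double-'?' URL from the question."""
    return endpoint + "?" + urlencode(params)


def merged_build(endpoint, params, extra_params):
    """Merge request params and extra params into the endpoint's existing query.
    This is what the fix in the answer achieves: one query string, one '?'."""
    parts = urlsplit(endpoint)
    merged = {k: v[0] for k, v in parse_qs(parts.query).items()}
    merged.update(params)
    merged.update(extra_params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(merged), ""))


def check_authorize_url(url):
    """Return a list of problems found in a B2C authorize URL; empty means it looks right."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("authorize endpoint must use https")
    query = parse_qs(parts.query)  # splits only at the first '?', like a server would
    for name in REQUIRED:
        if name not in query:
            problems.append(f"missing parameter: {name}")
    policy = query.get("p", [""])[0]
    if "?" in policy:
        problems.append(
            "policy value contains '?': the query was appended to an endpoint that already had one"
        )
    if "openid" not in query.get("scope", [""])[0].split():
        problems.append("scope must include openid")
    return problems


def policy_of(url):
    """Policy name the server would actually see for this URL."""
    return parse_qs(urlsplit(url).query).get("p", [""])[0]


if __name__ == "__main__":
    broken = naive_build(ENDPOINT_WITH_POLICY, AUTH_PARAMS)
    fixed = merged_build(ENDPOINT_BARE, AUTH_PARAMS, POLICY_PARAMS)
    print(broken)
    print("problems:", check_authorize_url(broken))
    print(fixed)
    print("problems:", check_authorize_url(fixed))
```

Running the script prints the broken URL with two problems (no `response_type`, and a policy value of `b2c_1_TENANTID_signin?response_type=code`) followed by the corrected URL with none. The `check_authorize_url` helper is also a reasonable thing to keep around in a test suite for a relying party: a missing `state` or `nonce` in the outgoing request is exactly what later leaves the callback without CSRF and replay protection.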

Could you use OIDC_USE_NONCE = False instead of setting nonce to be defaultNonce?

EDIT: I should have mentioned this doesn't resolve your issue around response_type and nonce.
