简体繁体 English

oAuth with Microsoft Azure AD with azure GUEST 帐户 vs 员工帐户

[英]oAuth with Microsoft Azure AD with azure GUEST accounts vs employee accounts

原文 2020-10-21 17:07:47 8 1 oauth-2.0/ azure-active-directory/ identityserver4/ adfs

I am setting up OIDC within an ASP.NET Core 3.1 web mvc application.我正在 ASP.NET Core 3.1 web mvc 应用程序中设置 OIDC。 I have setup "OpenIdConnect" for our employees specifying the authority via我已经为我们的员工设置了“OpenIdConnect”，通过

"Authority": "https://login.microsoftonline.com/{0}/v2.0" “权威”：“https://login.microsoftonline.com/{0}/v2.0”

Where {0} is the companyname .onmicrosoft.com (or companyname is the tenantId) -> this works fine/well.其中 {0} 是公司名称.onmicrosoft.com（或公司名称是租户 ID）-> 这工作正常/很好。

We have Azure GUEST accounts within our AD/ADFS and this above authority is not working for these accounts.我们的 AD/ADFS 中有 Azure GUEST 帐户，上述权限不适用于这些帐户。 ie my bob@gmail account is setup as a guest account in Azure AD.即我的 bob@gmail 帐户设置为 Azure AD 中的来宾帐户。 I have read that it should against companyname.onmicrosoft.com however the only way I could log in with guest access was to use authority我已经读过它应该针对 companyname.onmicrosoft.com 但是我可以使用来宾访问权限登录的唯一方法是使用权限

"Authority": "https://login.microsoftonline.com/ common /v2.0" “权威”： “https://login.microsoftonline.com/共同/v2.0”

Using common within the authority url I could log into my application.在授权 url 中使用common我可以登录到我的应用程序。 This also means I had to know what type of auth employee or guest account before user could log in (ie different buttons making the user choose between type of auth to perform)...this is less than ideal.这也意味着我必须在用户登录之前知道什么类型的 auth 员工或访客帐户（即不同的按钮让用户在要执行的身份验证类型之间进行选择）......这不太理想。

I would like to use the same Authority for both employees and guest users..is this possible?我想为员工和访客用户使用相同的权限..这可能吗？

If I use "Authority": "https://login.microsoftonline.com/{0}/v2.0" > where {0} is tenant mycompany.onmicrosoft.com and try to log in with my bob@gmail AD GUEST Account it fails and I get this error... (interesting how the redirect_uri is using common even though bob@gmail is AD guest account如果我使用“权威”：“https://login.microsoftonline.com/{0}/v2.0”> 其中 {0} 是租户 mycompany.onmicrosoft.com 并尝试使用我的 bob@gmail AD GUEST 登录帐户失败，我收到此错误...（有趣的是 redirect_uri 如何使用 common 即使 bob@gmail 是 AD 访客帐户

This login.live.com page can't be foundNo webpage was found for the web address: https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51483342-085c-4d86-bf88-cf50c7252078&scope=openid+profile+email+offline_access&response_mode=form_post&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2ffederation%2foauth2&state=rQIIAY2VOc_sZgGFv7lLkntJxAWlSHmlpCGS7_Vuv59EMbbHnvE6M17GdjN43_dlxhY_ACEK6jRIlClpQKmoU0Wiyy-IqCIqRAF8_AOaUz3FOdKRni-fo-_gxy9iAqeCKCIgDAAPwkmAQT7uYxAdUzgaEiEWR6D_-es3aPDJl78CH6vfvPnZy__87vUvvtq8upbZHL0LmurrzefpOLbD4_v3ZRN4ZdoM4yMBw8j7IUvqrIaSKRrGv2w23202P2w2Xz8bSIzCaEACEgcUQZI4TrxzqxOmCnymGqdRNQ6YusCwIqipbCSIkpujurqZxhV3xVALJT8RDrq7P_GFc1FGV9hhyhPvGg4sG2mpXszRMZy7mzuLmluFwiW375_9VNtOY4r-L5o-W6N_PHsVN311bZ_qfvX8x5-wMSfS6p5czlFoEqJW66unxfKdZabVC-FKaAKlnrdr4uTdyq4SPw8QAwKtS0uGuynwMRmBZanH3DQbUJwVp1nHpTRbEoN4W_BJNaFg1o6o07nP85vo7CqxuSHrrScjMriI3T7TTp1yHxTzhNeLXGDHHhZ9g_PCpNlNo7WU6D49W22BqhQ-3lRh5-b15E2mk-8H8n6jdWjB22xmU8DAl13P9nBzQlhRYqEAg7REQi2zqpNj找不到这个login.live.com页面没有找到该网址的网页： https ://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51483342-085c-4d86-bf88-cf50c7252078&scope=openid+ 轮廓+电子邮件+ offline_access＆response_mode = form_post＆REDIRECT_URI = HTTPS％3A％2F％2flogin.microsoftonline.com％2fcommon％2ffederation％2foauth2＆状态= rQIIAY2VOc_sZgGFv7lLkntJxAWlSHmlpCGS7_Vuv59EMbbHnvE6M17GdjN43_dlxhY_ACEK6jRIlClpQKmoU0Wiyy-IqCIqRAF8_AOaUz3FOdKRni-FO-_gxy9iAqeCKCIgDAAPwkmAQT7uYxAdUzgaEiEWR6D_-es3aPDJl78CH6vfvPnZy__87vUvvtq8upbZHL0LmurrzefpOLbD4_v3ZRN4ZdoM4yMBw8j7IUvqrIaSKRrGv2w23202P2w2Xz8bSIzCaEACEgcUQZI4TrxzqxOmCnymGqdRNQ6YusCwIqipbCSIkpujurqZxhV3xVALJT8RDrq7P_GFc1FGV9hhyhPvGg4sG2mpXszRMZy7mzuLmluFwiW375_9VNtOY4r-L5o-W6N_PHsVN311bZ_qfvX8x5-wMSfS6p5czlFoEqJW66unxfKdZabVC-FKaAKlnrdr4uTdyq4SPw8QAwKtS0uGuynwMRmBZanH3DQbUJwVp1nHpTRbEoN4W_BJNaFg1o6o07nP85vo7CqxuSHrrScjMriI3T7TTp1yHxTzhNeLXGDHHhZ9g_PCpNlNo7WU6D49W22BqhQ-3lRh5-b15E2mk-8H8n6jdWjB22xmU8DAl13P9nBzQlhRYqEAg7REQi2zqpNj QR4REZa1YsIJOZ74YMrmQCRsXo31sVcOR8t2q2pyd6bvWg3cna_MSNVzDkEmQKfxcCC392NnlTk_7QS0mGnMRKf9zXdEXBoV2- .... QR4REZa1YsIJOZ74YMrmQCRsXo31sVcOR8t2q2pyd6bvWg3cna_MSNVzDkEmQKfxcCC392NnlTk_7QS0mGnMRKf9zXdEXBoV2- ....

It is interested the reference to common here even though i was using "Authority": "https://login.microsoftonline.com/{0}/v2.0" > where {0} is tenant mycompany.onmicrosoft.com尽管我使用的是“权威”，但它对 common 的引用很感兴趣：“https://login.microsoftonline.com/{0}/v2.0”> 其中 {0} 是租户 mycompany.onmicrosoft.com

1 个解决方案

Guest users are related only to the particular tenant, so we need to give tenant id instead of common.来宾用户仅与特定租户相关，因此我们需要提供租户 id 而不是 common。 Current Azure AD B2B common endpoint can't be used for guest users, guest users are treated as personal accounts.当前 Azure AD B2B 公共端点不能用于来宾用户，来宾用户被视为个人帐户。