[英]AzureAD B2C ROPC Authentication in ASP.NET Core
I have a ASP.NET Core WebApplication (REST API) that uses AzureB2C for Authentication.我有一个使用 AzureB2C 进行身份验证的 ASP.NET Core WebApplication (REST API)。 This is the Startup.cs
这是 Startup.cs
public class Startup
{
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddAuthentication(AzureADB2CDefaults.BearerAuthenticationScheme)
.AddAzureADB2CBearer(options =>
{
options.Instance = "https://tenant.b2clogin.com/tfp/";
options.ClientId = "...";
options.Domain = "tenant.onmicrosoft.com";
options.SignUpSignInPolicyId = "B2C_1A_signup_signin";
});
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints => { endpoints.MapControllers(); });
}
}
To support Authentication in Automated Tests, I did try to use client credential
Flow, but found out that it is not supported in AzureB2C .为了在自动测试中支持身份验证,我确实尝试使用
client credential
流,但发现它在 AzureB2C 中不受支持。 Next I came across ROPC Flow which is suggested as alternative (ex: here ).接下来我遇到了建议作为替代方案的ROPC Flow (例如: 这里)。 But I cannot get it to work.
但我无法让它工作。
If I receive a Token using the ROPC Flow.如果我使用 ROPC 流程收到令牌。
dynamic result = await $"https://{tenantName}.b2clogin.com"
.AppendPathSegment($"{tenantName}.onmicrosoft.com")
.AppendPathSegment("B2C_1_ROPC_Auth")
.AppendPathSegment("oauth2/v2.0/token")
.SetQueryParams(new
{
client_id,
scope = $"6d1aa76b-10fb-47bb-bbec-5d7f7a4e08c4 openid offline_access",
username,
password,
grant_type = "password",
repsonse_type = "token id_token"
}
)
.PostAsync(new StringContent(""))
.ReceiveJson();
The token looks good and Valid.令牌看起来不错且有效。 But If I try to use it to Authenticate my calls to the REST Api, I Receive the following Error:
但是,如果我尝试使用它来验证对 REST Api 的调用,则会收到以下错误:
WWW-Authenticate Bearer error="invalid_token", error_description="The signature key was not found"
WWW-Authenticate Bearer error="invalid_token", error_description="未找到签名密钥"
After some investigation it looks like the RestAPI is trying to validate the KID using the well-known configuration of my B2C_1A_signup_signin
policy.经过一些调查,看起来 RestAPI 正在尝试使用我的
B2C_1A_signup_signin
策略的众所周知的配置来验证 KID。 Which makes sense, as It is part of the Options of AddAzureADB2CBearer
.这是有道理的,因为它是
AddAzureADB2CBearer
的选项的AddAzureADB2CBearer
。 If I do change the Policy to B2C_1_ROPC_Auth
the token is accepted.如果我确实将策略更改为
B2C_1_ROPC_Auth
,则接受令牌。
But I do need both Tokens to work, the ones that get created using the B2C_1A_signup_signin
Flow and the ROPC
flow tokens.但我确实需要两个令牌才能工作,即使用
B2C_1A_signup_signin
Flow 和ROPC
流令牌创建的令牌。
How can I configure my app to accept both configurations?如何配置我的应用程序以接受这两种配置?
If this API is only accessed via a headless authentication, then protect it using Azure AD Client Credentials.如果仅通过无头身份验证访问此 API,则使用 Azure AD 客户端凭据对其进行保护。 Your Azure AD B2C contains an Azure AD inside it.
您的 Azure AD B2C 中包含一个 Azure AD。 Follow the instructions here: https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-overview
按照此处的说明操作: https : //docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-overview
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.