
Azure B2C: Issues with blocked iframe during signout on Federated Identity Provider

We are experiencing issues completing the sign-out flow using Azure B2C with custom policies.

We have created a sample Enterprise Application in our Azure AD and set it up as a federated identity provider in our custom policies in the B2C environment. Besides the sign-out issue, everything works as expected.

The sign-out flow:

  1. The first step works well and the session is cleared on the B2C identity provider.
  2. We can see in the network tab that the correct endpoint is called on the federated identity provider, but this request is blocked (net::ERR_BLOCKED_BY_RESPONSE). I then checked the response header and found X-Frame-Options: DENY. I am unsure, but to me it looks like the request is made from an iframe and is blocked.
  3. The user is redirected back to the app's post_logout_redirect_url.

A workaround is to put the end_session_endpoint as the post_logout_redirect_url:

https://domain.b2clogin.com/domain.onmicrosoft.com/signin/oauth2/v2.0/logout?post_logout_redirect_uri=https://login.microsoftonline.com/guid/oauth2/v2.0/logout?post_logout_redirect_url=https://app.com/callback.html

and that works fine.

Here is the technical profile:


<TechnicalProfile Id="Company-OpenIdConnect">
    <DisplayName>Company</DisplayName>
    <Description>Company</Description>
    <Protocol Name="OpenIdConnect"/>
    <Metadata>
        <Item Key="METADATA">https://login.microsoftonline.com/tenantID/v2.0/.well-known/openid-configuration</Item>
        <Item Key="client_id">guid</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
    </Metadata>
    ...
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
</TechnicalProfile>
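The chained sign-out URL in the workaround above nests one logout endpoint's query string inside another's, so the inner URL has to be percent-encoded as a single parameter value. The following is an added example (not the asker's code and not part of Azure B2C); the endpoint URLs are constructed placeholders standing in for the tenant-specific end_session_endpoint values that each IdP publishes in its OpenID Connect metadata. build_chained_logout_url produces the encoded chain and redirect_chain decodes it back into the sequence of full-page hops the browser will perform.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample endpoints standing in for the asker's tenant-specific values;
# the real B2C and Azure AD end_session_endpoint URLs come from each IdP's
# OpenID Connect metadata document.
B2C_END_SESSION = "https://domain.b2clogin.com/domain.onmicrosoft.com/signin/oauth2/v2.0/logout"
FEDERATED_END_SESSION = "https://login.microsoftonline.com/tenantID/oauth2/v2.0/logout"
APP_CALLBACK = "https://app.com/callback.html"


def build_chained_logout_url(b2c_end_session, federated_end_session, app_callback):
    """Build the B2C sign-out URL whose post_logout_redirect_uri is the federated
    IdP's own sign-out URL, which in turn redirects to the application.

    Each nesting level is percent-encoded with urlencode, so the inner URL's
    '?', '=' and any '&' travel as one parameter value instead of being split
    apart by the outer endpoint's query parser.
    """
    inner = f"{federated_end_session}?{urlencode({'post_logout_redirect_uri': app_callback})}"
    return f"{b2c_end_session}?{urlencode({'post_logout_redirect_uri': inner})}"


def redirect_chain(url):
    """Decode the chain outward-in: returns the sign-out endpoints and the final
    application page, in the order the browser will visit them during a
    full-page redirect logout."""
    hops = []
    while True:
        parts = urlsplit(url)
        hops.append(f"{parts.scheme}://{parts.netloc}{parts.path}")
        target = parse_qs(parts.query).get("post_logout_redirect_uri")
        if not target:
            return hops
        url = target[0]  # parse_qs already percent-decoded one nesting level


if __name__ == "__main__":
    chained = build_chained_logout_url(B2C_END_SESSION, FEDERATED_END_SESSION, APP_CALLBACK)
    print(chained)
    for hop in redirect_chain(chained):
        print("  ->", hop)
```

The unencoded form in the question happens to survive because the inner URL carries a single parameter; as soon as the inner URL has a second parameter, the outer endpoint would split on the raw `&` and receive the inner parameter as its own. Each IdP still validates the post_logout_redirect_uri it receives against the URLs registered for the application, so every hop in the chain must be registered with the endpoint that receives it.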

This is expected; most IdPs will not allow themselves to be rendered in an iframe for login or logout. Azure AD does not allow itself to be rendered in an iframe either, hence the logout does not complete.

Your workaround causes a full page redirect, which will work, but the user experience may be jarring.

https://docs.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#sign-out

The sign-out clears the user's single sign-on state with Azure AD B2C, but it might not sign the user out of their social identity provider session.
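The answer's point is that the framed logout is refused by the IdP's own response headers, which is what the browser reports as net::ERR_BLOCKED_BY_RESPONSE. The following added example (not from the answerer, the asker, or Microsoft) predicts that outcome from a response's headers before relying on front-channel logout in an iframe: it applies the rule that a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options, with a simplified source-expression matcher. The header sets are constructed samples, not captures from a real tenant.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Lower-cased scheme://host[:port] of a URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_ancestors(csp_value):
    """Source list of the frame-ancestors directive, or None when the policy has none."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def source_allows(source, response_origin, embedding_origin):
    """Simplified CSP source-expression match against the embedding (top-level) origin.
    Handles 'none', '*', 'self', scheme-only sources and host sources with an
    optional scheme and leading wildcard label; path matching is not modelled."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return response_origin == embedding_origin
    emb = urlsplit(embedding_origin)
    if source.endswith(":") and "//" not in source:  # scheme-only source such as https:
        return emb.scheme == source[:-1]
    if "://" in source:
        scheme, host = source.split("://", 1)
        if emb.scheme != scheme:
            return False
    else:
        host = source
    if host.startswith("*."):  # wildcard subdomain
        return emb.netloc.endswith(host[1:])
    return emb.netloc == host


def framed_load_blocked(response_url, response_headers, embedding_origin):
    """Predict whether the browser will refuse to render response_url inside a
    frame whose top-level document has origin embedding_origin (Chrome reports
    this as net::ERR_BLOCKED_BY_RESPONSE).

    A frame-ancestors directive, when present, overrides X-Frame-Options;
    otherwise X-Frame-Options DENY / SAMEORIGIN decides; no header means allowed.
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    response_origin = origin_of(response_url)
    embedding_origin = embedding_origin.lower()
    csp = headers.get("content-security-policy")
    if csp is not None:
        ancestors = frame_ancestors(csp)
        if ancestors is not None:
            return not any(source_allows(s, response_origin, embedding_origin) for s in ancestors)
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return True
    if xfo == "SAMEORIGIN":
        return response_origin != embedding_origin
    return False


# Constructed sample responses for the federated IdP's end_session_endpoint as
# loaded from the B2C sign-out page (placeholder URLs, not real tenant values).
LOGOUT_URL = "https://login.microsoftonline.com/tenantID/oauth2/v2.0/logout"
B2C_ORIGIN = "https://domain.b2clogin.com"
SAMPLES = {
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-allows-b2c": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.b2clogin.com"},
    "no-framing-headers": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name:20s} blocked={framed_load_blocked(LOGOUT_URL, headers, B2C_ORIGIN)}")
```

Running the block on the "xfo-deny" sample reproduces the situation in the question: the B2C page cannot frame the Azure AD logout endpoint, so the federated session is never cleared and only a top-level redirect to that endpoint will end it.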
