Azure B2C: Issues with blocked iframe during signout on Federated Identity Provider
We are experiencing issues completing the sign out flow using Azure B2C with custom policies.
We have created a sample Enterprise Application in our Azure AD and set it up as a federated identity provider in our custom policies in the B2C environment; besides the sign out issue, everything works as expected.
The sign out flow.
(net::ERR_BLOCKED_BY_RESPONSE)
I then checked the response header and found X-Frame-Options: DENY.
I am unsure, but to me it looks like the request is made from an iframe but is blocked. A workaround is to put the end_session_endpoint as the post_logout_redirect_url:
https://domain.b2clogin.com/domain.onmicrosoft.com/signin/oauth2/v2.0/logout?post_logout_redirect_uri=https://login.microsoftonline.com/guid/oauth2/v2.0/logout?post_logout_redirect_url=https://app.com/callback.html
and that works fine.
Here is the technical profile:
<TechnicalProfile Id="Company-OpenIdConnect">
  <DisplayName>Company</DisplayName>
  <Description>Company</Description>
  <Protocol Name="OpenIdConnect"/>
  <Metadata>
    <Item Key="METADATA">https://login.microsoftonline.com/tenantID/v2.0/.well-known/openid-configuration</Item>
    <Item Key="client_id">guid</Item>
    <Item Key="response_types">code</Item>
    <Item Key="scope">openid profile</Item>
    <Item Key="response_mode">form_post</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
  </Metadata>
  ...
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
</TechnicalProfile>
This is expected; most IdPs will not allow themselves to be rendered in an iframe for login or logout. Azure AD does not allow itself to be rendered in an iframe either, hence the logout does not complete.
Your workaround causes a full page redirect, which will work, but the user experience may be jarring.
https://docs.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#sign-out
The sign-out clears the user's single sign-on state with Azure AD B2C, but it might not sign the user out of their social identity provider session.
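Added example, not code from the question, the answer or Microsoft: it builds the chained full-page sign-out URL from the question's workaround with each nested hop percent-encoded (the unencoded form in the question relies on the browser and both endpoints tolerating a raw nested query string), and it shows the header check a browser applies before rendering a page in an iframe, which is why a front-channel sign-out to an IdP that sends X-Frame-Options: DENY ends in net::ERR_BLOCKED_BY_RESPONSE. The endpoint URLs and origins are the question's placeholders; the header sets are constructed.

```python
from urllib.parse import urlencode, parse_qs, urlsplit


def build_chained_logout_url(b2c_end_session: str, idp_end_session: str,
                             app_return_url: str) -> str:
    """Sign-out chain from the question as a full-page redirect:
    B2C end_session_endpoint -> federated IdP end_session_endpoint -> app.
    Each nested URL is percent-encoded so its own query string survives;
    the OIDC RP-initiated logout parameter is post_logout_redirect_uri."""
    idp_step = f"{idp_end_session}?{urlencode({'post_logout_redirect_uri': app_return_url})}"
    return f"{b2c_end_session}?{urlencode({'post_logout_redirect_uri': idp_step})}"


def next_hop(logout_url: str) -> str:
    """Where a logout endpoint redirects after clearing its own session:
    the decoded post_logout_redirect_uri parameter ('' if absent)."""
    params = parse_qs(urlsplit(logout_url).query)
    return params.get("post_logout_redirect_uri", [""])[0]


def framing_blocked(headers: dict, page_origin: str, embedder_origin: str) -> bool:
    """True when the response headers make the browser refuse to render the
    page inside an iframe owned by embedder_origin, which surfaces as
    net::ERR_BLOCKED_BY_RESPONSE. Simplified: no wildcard matching in
    frame-ancestors source lists."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # CSP frame-ancestors, when present, overrides X-Frame-Options
            allowed = [s.lower() for s in parts[1:]]
            if "'none'" in allowed:
                return True
            if "'self'" in allowed and embedder_origin == page_origin:
                return False
            return embedder_origin.lower() not in allowed
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return True
    return xfo == "SAMEORIGIN" and page_origin != embedder_origin


if __name__ == "__main__":
    # Constructed inputs mirroring the question's placeholder endpoints
    url = build_chained_logout_url(
        "https://domain.b2clogin.com/domain.onmicrosoft.com/signin/oauth2/v2.0/logout",
        "https://login.microsoftonline.com/guid/oauth2/v2.0/logout",
        "https://app.com/callback.html")
    print(url, next_hop(next_hop(url)), sep="\n")
    print(framing_blocked({"X-Frame-Options": "DENY"}, "https://login.microsoftonline.com", "https://domain.b2clogin.com"))
```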