Azure B2C Active Directory OpenIDConnect和授權代碼
[英]Azure B2C Active Directory OpenIDConnect and Authorization Codes
問題描述
我已經使用OpenIDConnectAuthentication設置了我的Web應用程序,如下所示。 OnAuthorizationCodeReceived通知使用Microsoft.IdentityModel.Clients.ActiveDirectory OnAuthorizationCodeReceived 。
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
MetadataAddress = Settings.AADB2CAuth.SignInPolicyMetaAddress, // https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?p={policy} policy = B2C_1_SignIn
AuthenticationType = Settings.AADB2CAuth.SignInPolicyId, // B2C_1_SignIn
ClientId = Settings.AADB2CAuth.ClientId, // {guid}
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
AuthorizationCodeReceived = OnAuthorizationCodeReceived
},
RedirectUri = Settings.AADB2CAuth.RedirectUri,
Scope = "openid",
ResponseType = "id_token",
});
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
var code = context.Code;
ClientCredential clientCredential = new ClientCredential(Settings.AADB2CAuth.ClientId, Settings.AADB2CAuth.ClientSecret);
string userObjectID = context.AuthenticationTicket.Identity.FindFirst(Settings.ClaimTypes.ObjectIdentifier).Value;
string authority = Settings.AADB2CAuth.Authority; // https://login.microsoftonline.com/{tenant}
AuthenticationContext authContext = new AuthenticationContext(authority, new ADAL.ADALTokenCache(userObjectID));
Uri redirectUri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, redirectUri, clientCredential, Settings.AADGraphApi.GraphResourceId);
}
這很好。 但是,授權代碼不會隨id_token返回。 如果將其更改為code id_token或只是code ,該AuthorizationCodeReceived通知火災,但后來我遇到了錯誤
AADSTS70000:認證失敗:授權碼格式錯誤或無效
基本上,我想做的是以當前登錄用戶身份訪問B2C AD。 這是可能嗎?
我將身份驗證選項更新為
new OpenIdConnectAuthenticationOptions
{
AuthenticationType = Settings.AADB2CAuth.SignInPolicyId,
Authority = string.Format("https://login.microsoftonline.com/tfp/{0}/{1}", Settings.AADB2CAuth.Tenant, Settings.AADB2CAuth.SignInPolicyId),
ClientId = Settings.AADB2CAuth.ClientId,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
AuthorizationCodeReceived = OnAuthorizationCodeReceived
},
RedirectUri = Settings.AADB2CAuth.RedirectUri,
Scope = "openid",
ResponseType = "code id_token",
});
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
var code = context.Code;
ClientCredential clientCredential = new ClientCredential(Settings.AADB2CAuth.ClientId, Settings.AADB2CAuth.ClientSecret);
string userObjectID = context.AuthenticationTicket.Identity.FindFirst(Settings.ClaimTypes.ObjectIdentifier).Value;
string authority = string.Format("https://login.microsoftonline.com/tfp/{0}/{1}", Settings.AADB2CAuth.Tenant, Settings.AADB2CAuth.SignInPolicyId);
AuthenticationContext authContext = new AuthenticationContext(authority, new ADAL.ADALTokenCache(userObjectID));
Uri redirectUri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, redirectUri, clientCredential, Settings.AADGraphApi.GraphResourceId);
}
現在,我遇到一個例外,其詳細信息是404頁的HTML內容。 查看請求,我相信是因為AcquireTokenByAuthorizationCodeAsync正在查看將授權代碼發送至的https://login.microsoftonline.com/tfp/oauth2/token ,我認為這不應該嗎?
可能值得注意的是,我得到的授權碼標頭如下:
{
"kid": "cpimcore_09252015",
"ver": "1.0"
}
1 個解決方案
解決方案1
3 2017-01-10 22:38:45
如果您查看此錯誤的開始:
AADSTSXXXXX
意味着當您嘗試交換身份驗證代碼時,您去了AAD sts,而不是預期的B2C sts:
AADB2CXXXXX
這意味着我們的端點對您的身份驗證碼發布請求的解釋不正確。 這通常是由於將B2C的策略(p = B2C_1_xxxx)參數附加到帖子URL而不是請求內部而引起的。
選項1:重構代碼和庫的用法,以將策略參數保留在auth代碼發布請求中,而不是令牌端點URL的末尾。
選項2:使用備用令牌終結點,並且不附加任何策略參數。 您的新端點將如下所示
https://login.microsoftonline.com/tfp/{tenant}/B2C_1_myB2CPolicy/oauth2/v2.0/token
Azure Active Directory B2C-權限不足,無法完成操作
[英]Azure Active Directory B2C - Insufficient privileges to complete the operation
如何使用 C# 以編程方式從 azure B2C Active Directory 中刪除用戶
[英]How do I delete a user from an azure B2C Active Directory programatically with C#
如何在 ASP.NET MVC 中獲取/設置自定義 Azure Active Directory B2C 用戶屬性?
[英]How to get/set custom Azure Active Directory B2C user attributes in ASP.NET MVC?
為新的Azure Active Directory B2C用戶設置密碼的最安全方法是什么?
[英]What is safest way to set password for new Azure Active Directory B2C user?
具有指定電子郵件地址的 Azure Active Directory B2C 登錄用戶
[英]Azure Active Directory B2C log in user with specified email address
`[Authorize(Roles =“admin”)]`無限循環ASP.NET MVC和Azure Active Directory B2C
[英]`[Authorize(Roles = “admin”)]` Infinite loop ASP.NET MVC and Azure Active Directory B2C
如何使用Azure Active Directory B2C GraphServiceClient創建Global Administrator用戶?
[英]How to create Global Administrator user using Azure Active Directory B2C GraphServiceClient?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
Azure Active Directory B2C 注冊
C# Web 應用程序中的 Azure Active Directory B2C
Azure Active Directory B2C-權限不足,無法完成操作
在不遷移用戶的情況下使用Azure Active Directory B2C
如何使用 C# 以編程方式從 azure B2C Active Directory 中刪除用戶
如何在 ASP.NET MVC 中獲取/設置自定義 Azure Active Directory B2C 用戶屬性?
為新的Azure Active Directory B2C用戶設置密碼的最安全方法是什么?
具有指定電子郵件地址的 Azure Active Directory B2C 登錄用戶
`[Authorize(Roles =“admin”)]`無限循環ASP.NET MVC和Azure Active Directory B2C
如何使用Azure Active Directory B2C GraphServiceClient創建Global Administrator用戶?
相關標簽