[英]Azure B2C Active Directory OpenIDConnect and Authorization Codes
我已經使用OpenIDConnectAuthentication設置了我的Web應用程序,如下所示。 OnAuthorizationCodeReceived
通知使用Microsoft.IdentityModel.Clients.ActiveDirectory OnAuthorizationCodeReceived
。
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
MetadataAddress = Settings.AADB2CAuth.SignInPolicyMetaAddress, // https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?p={policy} policy = B2C_1_SignIn
AuthenticationType = Settings.AADB2CAuth.SignInPolicyId, // B2C_1_SignIn
ClientId = Settings.AADB2CAuth.ClientId, // {guid}
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
AuthorizationCodeReceived = OnAuthorizationCodeReceived
},
RedirectUri = Settings.AADB2CAuth.RedirectUri,
Scope = "openid",
ResponseType = "id_token",
});
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
var code = context.Code;
ClientCredential clientCredential = new ClientCredential(Settings.AADB2CAuth.ClientId, Settings.AADB2CAuth.ClientSecret);
string userObjectID = context.AuthenticationTicket.Identity.FindFirst(Settings.ClaimTypes.ObjectIdentifier).Value;
string authority = Settings.AADB2CAuth.Authority; // https://login.microsoftonline.com/{tenant}
AuthenticationContext authContext = new AuthenticationContext(authority, new ADAL.ADALTokenCache(userObjectID));
Uri redirectUri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, redirectUri, clientCredential, Settings.AADGraphApi.GraphResourceId);
}
這很好。 但是,授權代碼不會隨id_token
返回。 如果將其更改為code id_token
或只是code
,該AuthorizationCodeReceived
通知火災,但后來我遇到了錯誤
AADSTS70000:認證失敗:授權碼格式錯誤或無效
基本上,我想做的是以當前登錄用戶身份訪問B2C AD。 這是可能嗎?
我將身份驗證選項更新為
new OpenIdConnectAuthenticationOptions
{
AuthenticationType = Settings.AADB2CAuth.SignInPolicyId,
Authority = string.Format("https://login.microsoftonline.com/tfp/{0}/{1}", Settings.AADB2CAuth.Tenant, Settings.AADB2CAuth.SignInPolicyId),
ClientId = Settings.AADB2CAuth.ClientId,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
AuthorizationCodeReceived = OnAuthorizationCodeReceived
},
RedirectUri = Settings.AADB2CAuth.RedirectUri,
Scope = "openid",
ResponseType = "code id_token",
});
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
var code = context.Code;
ClientCredential clientCredential = new ClientCredential(Settings.AADB2CAuth.ClientId, Settings.AADB2CAuth.ClientSecret);
string userObjectID = context.AuthenticationTicket.Identity.FindFirst(Settings.ClaimTypes.ObjectIdentifier).Value;
string authority = string.Format("https://login.microsoftonline.com/tfp/{0}/{1}", Settings.AADB2CAuth.Tenant, Settings.AADB2CAuth.SignInPolicyId);
AuthenticationContext authContext = new AuthenticationContext(authority, new ADAL.ADALTokenCache(userObjectID));
Uri redirectUri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, redirectUri, clientCredential, Settings.AADGraphApi.GraphResourceId);
}
現在,我遇到一個例外,其詳細信息是404頁的HTML內容。 查看請求,我相信是因為AcquireTokenByAuthorizationCodeAsync
正在查看將授權代碼發送至的https://login.microsoftonline.com/tfp/oauth2/token
,我認為這不應該嗎?
可能值得注意的是,我得到的授權碼標頭如下:
{
"kid": "cpimcore_09252015",
"ver": "1.0"
}
如果您查看此錯誤的開始:
AADSTSXXXXX
意味着當您嘗試交換身份驗證代碼時,您去了AAD sts,而不是預期的B2C sts:
AADB2CXXXXX
這意味着我們的端點對您的身份驗證碼發布請求的解釋不正確。 這通常是由於將B2C的策略(p = B2C_1_xxxx)參數附加到帖子URL而不是請求內部而引起的。
選項1:重構代碼和庫的用法,以將策略參數保留在auth代碼發布請求中,而不是令牌端點URL的末尾。
選項2:使用備用令牌終結點,並且不附加任何策略參數。 您的新端點將如下所示
https://login.microsoftonline.com/tfp/{tenant}/B2C_1_myB2CPolicy/oauth2/v2.0/token
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.