Azure B2C Active Directory OpenIDConnect and authorization codes

Time: 2017-01-10 16:11:36

Tags: c# asp.net openid-connect azure-ad-b2c azure-active-directory

I have set up my web application with OpenIDConnectAuthentication as shown below. The OnAuthorizationCodeReceived notification uses Microsoft.IdentityModel.Clients.ActiveDirectory 3.13.8.

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        MetadataAddress = Settings.AADB2CAuth.SignInPolicyMetaAddress, // https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?p={policy} policy = B2C_1_SignIn
        AuthenticationType = Settings.AADB2CAuth.SignInPolicyId, // B2C_1_SignIn

        ClientId = Settings.AADB2CAuth.ClientId, // {guid}

        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthenticationFailed = OnAuthenticationFailed,
            AuthorizationCodeReceived = OnAuthorizationCodeReceived 
        },

        RedirectUri = Settings.AADB2CAuth.RedirectUri,

        Scope = "openid",
        ResponseType = "id_token",
    });

private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
    var code = context.Code;
    ClientCredential clientCredential = new ClientCredential(Settings.AADB2CAuth.ClientId, Settings.AADB2CAuth.ClientSecret);
    string userObjectID = context.AuthenticationTicket.Identity.FindFirst(Settings.ClaimTypes.ObjectIdentifier).Value;

    string authority = Settings.AADB2CAuth.Authority; // https://login.microsoftonline.com/{tenant}

    AuthenticationContext authContext = new AuthenticationContext(authority, new ADAL.ADALTokenCache(userObjectID));

    Uri redirectUri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));

    AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, redirectUri, clientCredential, Settings.AADGraphApi.GraphResourceId);
}

This works fine. However, id_token does not return an authorization code. If I change it to code id_token or just code, the AuthorizationCodeReceived notification fires, but I get the error


AADSTS70000: Authentication failed: the authorization code is malformed or invalid

Basically, what I am trying to do is access the B2C AD as the currently signed-in user. Is this possible?

I updated the authentication options to

new OpenIdConnectAuthenticationOptions
{
    AuthenticationType = Settings.AADB2CAuth.SignInPolicyId,
    Authority = string.Format("https://login.microsoftonline.com/tfp/{0}/{1}", Settings.AADB2CAuth.Tenant, Settings.AADB2CAuth.SignInPolicyId),
    ClientId = Settings.AADB2CAuth.ClientId,

    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        AuthenticationFailed = OnAuthenticationFailed,
        AuthorizationCodeReceived = OnAuthorizationCodeReceived
    },

    RedirectUri = Settings.AADB2CAuth.RedirectUri,

    Scope = "openid",
    ResponseType = "code id_token",
});

private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
    var code = context.Code;
    ClientCredential clientCredential = new ClientCredential(Settings.AADB2CAuth.ClientId, Settings.AADB2CAuth.ClientSecret);
    string userObjectID = context.AuthenticationTicket.Identity.FindFirst(Settings.ClaimTypes.ObjectIdentifier).Value;
    string authority = string.Format("https://login.microsoftonline.com/tfp/{0}/{1}", Settings.AADB2CAuth.Tenant, Settings.AADB2CAuth.SignInPolicyId);
    AuthenticationContext authContext = new AuthenticationContext(authority, new ADAL.ADALTokenCache(userObjectID));

    Uri redirectUri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));

    AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, redirectUri, clientCredential, Settings.AADGraphApi.GraphResourceId);
}

I now get an exception whose details are the HTML content of a 404 page. Looking at the request, I think it is because AcquireTokenByAuthorizationCodeAsync is sending the authorization code to https://login.microsoftonline.com/tfp/oauth2/token, which I don't think it should be doing?

It is worth noting that the header of the authorization code I receive looks like this:

{
  "kid": "cpimcore_09252015",
  "ver": "1.0"
}

A quick Google search yields one result, which references the following issue on Android ADAL. I am not sure whether this is related to my problem.

1 Answer:

Answer 0 (score: 3)

If you look at the beginning of the error:


AADSTSXXXXX

it means that when you tried to redeem the authorization code, you went to the AAD STS instead of the intended B2C STS:


AADB2CXXXXX

This means our endpoint misinterpreted your authorization code POST request. This is usually caused by the B2C policy parameter (p=B2C_1_xxxx) being appended to the POST URL rather than placed inside the request.

Option 1: Refactor your code and library usage to keep the policy parameter in the auth code POST request, rather than at the end of the token endpoint URL.

Option 2: Use the alternate token endpoint, and do not append any policy parameter. Your new endpoint looks like this

https://login.microsoftonline.com/tfp/{tenant}/B2C_1_myB2CPolicy/oauth2/v2.0/token
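The following is an added example, not code from the question or the answer, showing option 2 done by hand: redeeming the authorization code directly at the per-policy B2C v2.0 token endpoint with HttpClient instead of going through ADAL's AcquireTokenByAuthorizationCodeAsync (which, as the question shows, builds a token URL without the tenant and policy). The tenant, policy, client id, client secret, redirect URI and scope values are placeholders that the caller supplies; the B2CCodeExchange class and its method names are assumptions of this example, and the JSON parsing uses Newtonsoft.Json.

```csharp
// Added example (not from the question or answer): redeem a B2C authorization code
// at the per-policy v2.0 token endpoint from the answer's option 2.
// Tenant, policy, client id/secret, redirect URI and scope are caller-supplied placeholders.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class B2CCodeExchange
{
    // The policy is part of the PATH; it is never appended as ?p= on the token endpoint.
    // A ?p= query on this URL is what routes the request to the wrong STS (AADSTSxxxxx errors).
    public static Uri TokenEndpoint(string tenant, string policy)
    {
        if (string.IsNullOrWhiteSpace(tenant) || string.IsNullOrWhiteSpace(policy))
            throw new ArgumentException("tenant and policy are required");
        return new Uri($"https://login.microsoftonline.com/tfp/{tenant}/{policy}/oauth2/v2.0/token");
    }

    // Posts the authorization code and returns the parsed token response.
    // redirectUri must be the same value that was sent on the authorize request;
    // the token endpoint rejects the code otherwise.
    public static async Task<JObject> RedeemAsync(
        HttpClient http, string tenant, string policy,
        string clientId, string clientSecret,
        string code, Uri redirectUri, string scope)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,   // keep out of source control; read from configuration
            ["code"] = code,
            ["redirect_uri"] = redirectUri.ToString(),
            ["scope"] = scope,                  // e.g. "openid offline_access" (placeholder)
        };

        using (var content = new FormUrlEncodedContent(form))
        using (var response = await http.PostAsync(TokenEndpoint(tenant, policy), content))
        {
            var body = await response.Content.ReadAsStringAsync();
            if (!response.IsSuccessStatusCode)
            {
                // B2C returns a JSON error body; surface it so a bad redirect_uri or
                // expired/already-used code is distinguishable from a routing problem.
                throw new InvalidOperationException(
                    $"Token endpoint returned {(int)response.StatusCode}: {body}");
            }
            return JObject.Parse(body);
        }
    }
}
```

Inside the OnAuthorizationCodeReceived notification this would be called with context.Code and the same RedirectUri that was configured on the OpenIdConnectAuthenticationOptions; the returned JObject carries the usual id_token/access_token/refresh_token fields for whatever scopes the policy and application registration allow.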