Azure AD B2C - custom provider for GitHub cannot obtain an access token

Time: 2017-12-09 20:04:05

Tags: azure oauth-2.0 azure-ad-b2c

I am using a custom policy to set up GitHub as a custom provider in Azure AD B2C. I can get to the login page and am successfully redirected back to the correct Azure AD link, but the second part of the OAuth flow is always rejected with a server error in Azure AD B2C.

When I look at the Application Insights trace logs, they show "Received invalid OAuth response" and "Unexpected character encountered while parsing value: a". Here is the policy provider I have set up:

<ClaimsProvider>
  <Domain>github.com</Domain>
  <DisplayName>GitHub</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="GitHub-OAUTH">
      <DisplayName>GitHub</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="ProviderName">github</Item>
        <Item Key="authorization_endpoint">https://github.com/login/oauth/authorize</Item>
        <Item Key="AccessTokenEndpoint">https://github.com/login/oauth/access_token?</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="ClaimsEndpoint">https://api.github.com/user</Item>
        <Item Key="client_id">My Client Id</Item>
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <Item Key="scope">user</Item>
        <Item Key="response_types">code</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_GitHubSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="id" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="github.com" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

I wonder whether the problem is that the access_token is not returned as JSON? I went through all the steps myself in Postman: the code comes back as a URL parameter, and the access_token is returned in the response body like this:

access_token=<snip>&scope=user%3Aemail&token_type=bearer

Am I missing a metadata item in the custom provider to support this response? Or does this simply not work in Azure AD B2C?

1 answer:

Answer 0 (score: 0)

Yes, this is because the access token response is encoded as an HTML form rather than as JSON.

Here is how to integrate with GitHub.

1) Add a claim type of type long for the GitHub user identifier:

<ClaimType Id="gitHubUserId">
  <DisplayName>GitHub User ID</DisplayName>
  <DataType>long</DataType>
</ClaimType>

2) Add a claims transformation that converts the GitHub user identifier of type long into the Azure AD B2C social user identifier of type string:

<ClaimsTransformation Id="CreateAlternativeSecurityUserIdForGitHub" TransformationMethod="ConvertNumberToStringClaim">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="gitHubUserId" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="stringFormat" DataType="string" Value="{0}" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

3) Add the technical profile for the GitHub OAuth flow:

<TechnicalProfile Id="GitHub-OAUTH">
  <DisplayName>GitHub</DisplayName>
  <Protocol Name="OAuth2" />
  <Metadata>
    <Item Key="ProviderName">github.com</Item>
    <Item Key="authorization_endpoint">https://github.com/login/oauth/authorize</Item>
    <Item Key="AccessTokenEndpoint">https://github.com/login/oauth/access_token</Item>
    <Item Key="HttpBinding">GET</Item>
    <Item Key="ClaimsEndpoint">https://api.github.com/user</Item>
    <Item Key="client_id">Insert the client identifier</Item>
    <Item Key="scope">user</Item>
    <Item Key="UserAgentForClaimsExchange">CPIM-Basic/{tenant}/{policy}</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_GitHubSecret" />
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="gitHubUserId" PartnerClaimType="id" />
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="github.com" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityUserIdForGitHub" />
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SSOSession-Noop" />
</TechnicalProfile>
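The two points the answer makes, that GitHub's token endpoint replies with a form-encoded body rather than JSON (which is exactly what a JSON-only parser reports as "Unexpected character ... : a", the first letter of access_token), and that GitHub's numeric user id has to be formatted into a string before it can serve as socialIdpUserId, can be reproduced outside B2C. The following Python is an added example written for this page; it is not code from the question, the answer, Azure AD B2C or GitHub. The sample response bodies and the /user document are constructed inline with placeholder token values; the form body mirrors the shape quoted in the question.

```python
"""Decode an OAuth 2.0 access-token response whether it arrives as JSON
(RFC 6749 section 5.1) or as an HTML-form body, which is what GitHub sends
unless the client asks for JSON via the Accept header, and map GitHub's
/user document onto the claims used in the answer."""
import json
from urllib.parse import parse_qs

# Constructed sample responses for offline use; tokens are placeholders.
FORM_BODY = "access_token=gho_placeholdertoken&scope=user%3Aemail&token_type=bearer"
JSON_BODY = '{"access_token":"gho_placeholdertoken","scope":"user:email","token_type":"bearer"}'
ERROR_FORM_BODY = "error=bad_verification_code&error_description=The+code+passed+is+incorrect+or+expired."
# Constructed subset of what https://api.github.com/user returns; the real
# document carries many more keys, and email is null when the user hides it.
USER_JSON = '{"id": 583231, "login": "octocat", "name": "The Octocat", "email": null}'


class TokenResponseError(Exception):
    """Raised when the token endpoint reports an OAuth error or the body is unusable."""


def json_parser_fails(body: str) -> bool:
    """Reproduce the failure mode from the question: a JSON-only parser fed a
    form-encoded body rejects it at the first character ('a' of access_token)."""
    try:
        json.loads(body)
        return False
    except json.JSONDecodeError:
        return True


def parse_token_response(content_type: str, body: str) -> dict:
    """Return the token fields as a dict regardless of wire encoding.

    The Content-Type header picks the decoder; when it is missing or unknown
    the body is sniffed. An OAuth 'error' field is raised as an exception
    rather than returned as a tokenless dict, and the token type is checked
    so a non-bearer token is never silently forwarded to the claims endpoint.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    looks_like_form = "=" in body and not body.lstrip().startswith("{")
    if media_type == "application/json":
        fields = json.loads(body)
    elif media_type == "application/x-www-form-urlencoded" or looks_like_form:
        # parse_qs yields a list per key; a token response has one value each.
        fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    else:
        raise TokenResponseError(f"unsupported token response encoding: {content_type!r}")
    if "error" in fields:
        raise TokenResponseError(f"{fields['error']}: {fields.get('error_description', '')}")
    if "access_token" not in fields:
        raise TokenResponseError("token response carries no access_token")
    if str(fields.get("token_type", "")).lower() != "bearer":
        raise TokenResponseError(f"unexpected token_type {fields.get('token_type')!r}")
    return fields


def claims_from_github_user(user_body: str) -> dict:
    """Map the GitHub /user document onto the B2C output claims from the answer.
    GitHub's 'id' is a JSON number, so it is formatted with '{0}' exactly as
    the ConvertNumberToStringClaim transformation does before it becomes
    socialIdpUserId; a missing or non-numeric id is rejected outright."""
    user = json.loads(user_body)
    user_id = user.get("id")
    if not isinstance(user_id, int) or isinstance(user_id, bool):
        raise TokenResponseError("GitHub user id missing or not numeric")
    return {
        "socialIdpUserId": "{0}".format(user_id),
        "displayName": user.get("name"),
        "email": user.get("email"),  # None when the user has no public email
        "identityProvider": "github.com",
        "authenticationSource": "socialIdpAuthentication",
    }


if __name__ == "__main__":
    print("JSON parser rejects form body:", json_parser_fails(FORM_BODY))
    print(parse_token_response("application/x-www-form-urlencoded", FORM_BODY))
    print(parse_token_response("application/json; charset=utf-8", JSON_BODY))
    print(claims_from_github_user(USER_JSON))
```

Run stand-alone, the script shows the same body being rejected by json.loads and accepted by the form decoder, then the JSON variant decoding to an identical dict. Keying the decoder on Content-Type first and sniffing only as a fallback is deliberate: an identity broker that accepts whatever shape arrives is harder to reason about than one that fails loudly on an encoding it did not expect, which is the behaviour B2C exhibited here.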