Azure B2C - custom policy - error connecting to the identity provider

Time: 2019-11-29 11:18:08

Tags: azure-active-directory azure-ad-b2c

Following the steps at https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom?tabs=applications, I have been trying to add a custom policy to Azure AD B2C that connects to Autodesk Forge.

I modified the Facebook ClaimsProvider section as follows:

<ClaimsProvider>
      <!-- The following Domain element allows this profile to be used if the request comes with domain_hint 
           query string parameter, e.g. domain_hint=facebook.com  -->
      <Domain>autodesk.com</Domain>
      <DisplayName>AutodeskForge</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="FORGE-OAUTH">
          <!-- The text in the following DisplayName element is shown to the user on the claims provider 
               selection screen. -->
          <DisplayName>Forge</DisplayName>
          <Protocol Name="OAuth2" />
          <Metadata>
            <Item Key="authorization_endpoint">https://developer.api.autodesk.com/authentication/v1/authorize</Item>
            <Item Key="AccessTokenEndpoint">https://developer.api.autodesk.com/authentication/v1/gettoken</Item>
            <Item Key="ClaimsEndpoint">https://developer.api.autodesk.com/userprofile/v1/users/@me</Item>
            <Item Key="ProviderName">AutodeskForge</Item>
            <Item Key="HttpBinding">POST</Item>
            <Item Key="UsePolicyInRedirectUri">0</Item>

            <!-- The Facebook required HTTP GET method, but the access token response is in JSON format from 3/27/2017 -->
            <Item Key="AccessTokenResponseFormat">json</Item>
            <Item Key="ClaimsEndpointFormat">json</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="B2C_1A_ForgeSecret" />
          </CryptographicKeys>
          <InputClaims />
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="userId" />
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="firstName" />
            <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="lastName" />
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="userName" />
            <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="emailId" />
            <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="autodesk.com" AlwaysUseDefaultValue="true" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
          </OutputClaimsTransformations>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

I also replaced the claims provider ID in the user journey from Facebook-OAUTH to FORGE_OAUTH.

At runtime it does redirect correctly to the Autodesk Forge authorization endpoint, but it then fails when trying to connect to the identity provider and returns the following error:

AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: 188d934d-f1f0-48c5-98c4-917b032b94d2
Timestamp: 2019-11-29 10:54:49Z

[Image: Error Example]

I am not very experienced with AAD B2C, but it seems I may just be missing a step somewhere.

After adding Application Insights, the trace log outputs the following:

[
  {
    "Kind": "Headers",
    "Content": {
      "UserJourneyRecorderEndpoint": "urn:journeyrecorder:applicationinsights",
      "CorrelationId": "99e13295-a206-449c-b011-a33422112b29",
      "EventInstance": "Event:ClaimsExchange",
      "TenantId": "alvarob2c.onmicrosoft.com",
      "PolicyId": "B2C_1A_signup_signin"
    }
  },
  {
    "Kind": "Transition",
    "Content": {
      "EventName": "ClaimsExchange",
      "StateName": "Initial"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.ClaimsExchangeMessageValidationHandler"
  },
  {
    "Kind": "Transition",
    "Content": {
      "EventName": "ClaimsExchange",
      "StateName": "Microsoft.Cpim.Protocols.PartnerProtocolException"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.IsPartnerErrorReachesMaximumRetriesHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "Statebag": {
        "MACHSTATE": {
          "c": "2019-11-29T11:07:31.6899756Z",
          "k": "MACHSTATE",
          "v": "Microsoft.Cpim.Protocols.PartnerProtocolException",
          "p": true
        },
        "JC": {
          "c": "2019-11-29T11:07:27.797697Z",
          "k": "JC",
          "v": "en-US",
          "p": true
        },
        "ORCH_CS": {
          "c": "2019-11-29T11:07:27.953952Z",
          "k": "ORCH_CS",
          "v": "2",
          "p": true
        },
        "ORCH_IDX": {
          "c": "2019-11-29T11:07:27.953952Z",
          "k": "ORCH_IDX",
          "v": "0",
          "p": true
        },
        "RA": {
          "c": "2019-11-29T11:07:27.953952Z",
          "k": "RA",
          "v": "0",
          "p": true
        },
        "RPP": {
          "c": "2019-11-29T11:07:27.797697Z",
          "k": "RPP",
          "v": "OAUTH2",
          "p": true
        },
        "RPIPP": {
          "c": "2019-11-29T11:07:27.797697Z",
          "k": "RPIPP",
          "v": "OAuth2ProtocolProvider",
          "p": true
        },
        "OTID": {
          "c": "2019-11-29T11:07:27.797697Z",
          "k": "OTID",
          "v": "alvarob2c.onmicrosoft.com",
          "p": true
        },
        "IC": {
          "c": "2019-11-29T11:07:27.9383272Z",
          "k": "IC",
          "v": "True",
          "p": true
        },
        "MSG(283863a3-02dd-4c87-b4ae-2500a398fed4)": {
          "c": "2019-11-29T11:07:27.9383272Z",
          "k": "MSG(283863a3-02dd-4c87-b4ae-2500a398fed4)",
          "v": "{\"TenantId\":\"alvarob2c.onmicrosoft.com\",\"PolicyId\":\"B2C_1A_signup_signin\",\"RedirectUri\":\"https://jwt.ms/\",\"AdditionalParameters\":{\"p\":\"B2C_1A_signup_signin\"},\"Nonce\":\"defaultNonce\",\"ClientId\":\"4b03fe96-24d9-40b5-b01d-c45b95422b31\",\"ResponseType\":\"id_token\",\"ResponseRedirector\":{\"URI\":\"https://jwt.ms\",\"D\":false,\"WF\":true,\"R\":false},\"Scope\":\"openid\",\"AppModelVersion\":1,\"ScopedProviders\":[]}",
          "p": true,
          "t": "OAuth2"
        },
        "IMESSAGE": {
          "c": "2019-11-29T11:07:27.9383272Z",
          "k": "IMESSAGE",
          "v": "283863a3-02dd-4c87-b4ae-2500a398fed4",
          "p": true
        },
        "TAGE": {
          "c": "2019-11-29T11:07:31.5024363Z",
          "k": "TAGE",
          "v": "ForgeExchange",
          "p": true
        },
        "SE": {
          "c": "2019-11-29T11:07:27.953952Z",
          "k": "SE",
          "v": "Social",
          "p": true
        },
        "CMESSAGE": {
          "c": "2019-11-29T11:07:31.3461838Z",
          "k": "CMESSAGE",
          "v": "283863a3-02dd-4c87-b4ae-2500a398fed4",
          "p": true
        },
        "ComplexItems": "_MachineEventQ, REPRM, TCTX, M_EXCP"
      },
      "PredicateResult": "False"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.IsPartnerReauthenticateActionHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "PredicateResult": "False"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.IsPartnerClientInvalidActionHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "PredicateResult": "False"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.NoOpHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "PredicateResult": "True"
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.SSO.SSOSessionEndHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.StateMachineHandlers.SendErrorHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "RecorderRecord": {
        "Values": [
          {
            "Key": "SendErrorTechnicalProfile",
            "Value": "OAuth2ProtocolProvider"
          },
          {
            "Key": "Exception",
            "Value": {
              "Kind": "Handled",
              "HResult": "80131500",
              "Message": "We encountered an error connecting to the identity provider. Please try again later.",
              "Data": {
                "IsPolicySpecificError": false
              }
            }
          }
        ]
      },
      "Statebag": {
        "SE": {
          "c": "2019-11-29T11:07:31.6899756Z",
          "k": "SE",
          "v": "",
          "p": true
        }
      }
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.StateMachineHandlers.TransactionEndHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true
    }
  }
]
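The Application Insights journey trace above is long, and the information that matters for triage (which policy and claims exchange ran, which protocol provider handled it, the state the machine ended in, and the handled exception with its HResult) is spread across several records. The following script is an added example, not part of the question, that walks a trace of the same shape and pulls those fields out. The input is a constructed, shortened copy of the trace above with a placeholder tenant name; the meaning assigned to the `TAGE` and `RPIPP` statebag keys is an assumption based on the values observed in the trace (`ForgeExchange` and `OAuth2ProtocolProvider`).

```python
"""Summarise an Azure AD B2C Application Insights journey trace.

Added example, not code from the question or from Microsoft. It reads the
list-of-records JSON that the journey recorder emits and reduces it to the
fields needed to triage a failed claims exchange.
"""
import json

# Constructed, shortened version of the trace in the question (placeholder tenant).
SAMPLE_TRACE = json.dumps([
    {"Kind": "Headers", "Content": {
        "TenantId": "example-b2c.onmicrosoft.com",
        "PolicyId": "B2C_1A_signup_signin",
        "EventInstance": "Event:ClaimsExchange"}},
    {"Kind": "Transition", "Content": {"EventName": "ClaimsExchange", "StateName": "Initial"}},
    {"Kind": "Predicate", "Content": "Web.TPEngine.StateMachineHandlers.ClaimsExchangeMessageValidationHandler"},
    {"Kind": "Transition", "Content": {
        "EventName": "ClaimsExchange",
        "StateName": "Microsoft.Cpim.Protocols.PartnerProtocolException"}},
    {"Kind": "Predicate", "Content": "Web.TPEngine.StateMachineHandlers.IsPartnerErrorReachesMaximumRetriesHandler"},
    {"Kind": "HandlerResult", "Content": {"Result": True, "PredicateResult": "False", "Statebag": {
        "MACHSTATE": {"k": "MACHSTATE", "v": "Microsoft.Cpim.Protocols.PartnerProtocolException", "p": True},
        "RPIPP": {"k": "RPIPP", "v": "OAuth2ProtocolProvider", "p": True},
        "TAGE": {"k": "TAGE", "v": "ForgeExchange", "p": True}}}},
    {"Kind": "Action", "Content": "Web.TPEngine.StateMachineHandlers.SendErrorHandler"},
    {"Kind": "HandlerResult", "Content": {"Result": True, "RecorderRecord": {"Values": [
        {"Key": "SendErrorTechnicalProfile", "Value": "OAuth2ProtocolProvider"},
        {"Key": "Exception", "Value": {
            "Kind": "Handled", "HResult": "80131500",
            "Message": "We encountered an error connecting to the identity provider. Please try again later.",
            "Data": {"IsPolicySpecificError": False}}}]}}},
])


def summarize_trace(trace_json: str) -> dict:
    """Reduce a journey-recorder trace to the fields needed for triage."""
    events = json.loads(trace_json)
    summary = {
        "policy": None,             # PolicyId from the Headers record
        "claims_exchange": None,    # assumption: TAGE holds the ClaimsExchange Id
        "protocol_provider": None,  # assumption: RPIPP holds the protocol provider
        "final_state": None,        # StateName of the last Transition record
        "exception": None,          # handled exception recorded by SendErrorHandler
        "handlers": [],             # short names of every Predicate/Action that ran
    }
    for event in events:
        kind, content = event.get("Kind"), event.get("Content")
        if kind == "Headers":
            summary["policy"] = content.get("PolicyId")
        elif kind == "Transition":
            summary["final_state"] = content.get("StateName")
        elif kind in ("Predicate", "Action"):
            summary["handlers"].append(content.rsplit(".", 1)[-1])
        elif kind == "HandlerResult":
            statebag = content.get("Statebag", {})
            if "TAGE" in statebag:
                summary["claims_exchange"] = statebag["TAGE"]["v"]
            if "RPIPP" in statebag:
                summary["protocol_provider"] = statebag["RPIPP"]["v"]
            for item in content.get("RecorderRecord", {}).get("Values", []):
                if item.get("Key") == "Exception":
                    exc = item["Value"]
                    summary["exception"] = {
                        "kind": exc.get("Kind"),
                        "hresult": exc.get("HResult"),
                        "message": exc.get("Message"),
                        "policy_specific": exc.get("Data", {}).get("IsPolicySpecificError"),
                    }
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize_trace(SAMPLE_TRACE), indent=2))
```

Run it against the full trace exported from Application Insights (paste the JSON array into a file and pass its contents to `summarize_trace`). A `final_state` of `PartnerProtocolException` together with `IsPolicySpecificError: false` says the policy itself parsed and ran; the failure happened in the HTTP exchange with the provider, which is where answers below about client ID, redirect URI and HTTP binding come in.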

2 answers:

Answer 0 (score: 0)

I also got this error, because the client ID I was passing to the identity provider was not authorized for the redirect URI I was sending it. I had copied a custom policy and kept the original policy's client ID, which was authorized in the IdP to redirect only to the original policy.

Answer 1 (score: 0)

I ran into the same error/symptom with a different IdP, but my root cause was different. In my case, my B2C policy was sending the token request with GET instead of POST, and the IdP server only supported POST. To correct this, I had to set the following in the Metadata section of my OAuth2 technical profile.

<Item Key="HttpBinding">POST</Item>
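Both answers come down to the OAuth2 technical profile not carrying what the provider expects (the right client ID for the redirect URI, a POST token request). A small offline check of the policy XML catches the structural part of that before the policy is uploaded. The script below is an added example, not code from the question, from either answer, or from Microsoft; the list of required metadata items (`client_id`, `authorization_endpoint`, `AccessTokenEndpoint`, `ClaimsEndpoint`) and the `client_secret` cryptographic key follow the public OAuth2 technical profile reference, and the sample policy is a constructed, trimmed copy of the profile in the question, which as posted contains no `client_id` item. The placeholder client ID value is made up.

```python
"""Lint an Azure AD B2C OAuth2 technical profile for the items the engine
needs before it can complete a claims exchange with an external provider.

Added example, not code from the question or from Microsoft. Assumptions:
required metadata items and the client_secret key follow the public OAuth2
technical profile reference; the sample policy is a constructed, trimmed copy
of the FORGE-OAUTH profile from the question.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the profile from the question, wrapped in the policy root
# element and without the claims mapping, which is irrelevant to this check.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders>
    <ClaimsProvider>
      <Domain>autodesk.com</Domain>
      <DisplayName>AutodeskForge</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="FORGE-OAUTH">
          <DisplayName>Forge</DisplayName>
          <Protocol Name="OAuth2" />
          <Metadata>
            <Item Key="authorization_endpoint">https://developer.api.autodesk.com/authentication/v1/authorize</Item>
            <Item Key="AccessTokenEndpoint">https://developer.api.autodesk.com/authentication/v1/gettoken</Item>
            <Item Key="ClaimsEndpoint">https://developer.api.autodesk.com/userprofile/v1/users/@me</Item>
            <Item Key="HttpBinding">POST</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="B2C_1A_ForgeSecret" />
          </CryptographicKeys>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""

# Same sample with a client_id item added (placeholder value, not a real ID).
SAMPLE_POLICY_WITH_CLIENT_ID = SAMPLE_POLICY.replace(
    '<Item Key="HttpBinding">POST</Item>',
    '<Item Key="client_id">PLACEHOLDER_CLIENT_ID</Item>\n'
    '            <Item Key="HttpBinding">POST</Item>')

REQUIRED_METADATA = ("client_id", "authorization_endpoint", "AccessTokenEndpoint", "ClaimsEndpoint")
ENDPOINT_KEYS = ("authorization_endpoint", "AccessTokenEndpoint", "ClaimsEndpoint")
REQUIRED_KEYS = ("client_secret",)


def _local(tag: str) -> str:
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def check_oauth2_profile(xml_text: str, profile_id: str) -> list:
    """Return a list of findings (empty when the profile looks complete)."""
    root = ET.fromstring(xml_text)
    profile = next((el for el in root.iter()
                    if _local(el.tag) == "TechnicalProfile" and el.get("Id") == profile_id), None)
    if profile is None:
        return [f"technical profile {profile_id} not found"]

    findings = []
    protocol = next((el for el in profile if _local(el.tag) == "Protocol"), None)
    if protocol is None or protocol.get("Name") != "OAuth2":
        findings.append("Protocol is not OAuth2")

    # Collect <Item Key="...">value</Item> entries from the Metadata section.
    metadata = {el.get("Key"): (el.text or "").strip()
                for el in profile.iter() if _local(el.tag) == "Item" and el.get("Key")}
    for key in REQUIRED_METADATA:
        if key not in metadata:
            findings.append(f"missing metadata item {key}")

    # Answer 1: some providers accept the token request only as a POST.
    binding = metadata.get("HttpBinding")
    if binding is None:
        findings.append("HttpBinding not set; set POST if the provider's token endpoint accepts only POST")
    elif binding.upper() != "POST":
        findings.append(f"HttpBinding is {binding}; providers that accept only POST will reject the token request")

    # Endpoints carry the client secret and tokens, so they must be https.
    for key in ENDPOINT_KEYS:
        url = metadata.get(key, "")
        if url and not url.startswith("https://"):
            findings.append(f"{key} is not https")

    key_ids = {el.get("Id") for el in profile.iter() if _local(el.tag) == "Key"}
    for key_id in REQUIRED_KEYS:
        if key_id not in key_ids:
            findings.append(f"missing cryptographic key {key_id}")
    return findings


if __name__ == "__main__":
    print(check_oauth2_profile(SAMPLE_POLICY, "FORGE-OAUTH"))
    print(check_oauth2_profile(SAMPLE_POLICY_WITH_CLIENT_ID, "FORGE-OAUTH"))
```

What this check cannot see is answer 0's problem: whether the client ID named in the policy is registered at the provider for the redirect URI B2C will send. That has to be confirmed in the provider's app registration against the exact redirect URI the policy produces (note the `UsePolicyInRedirectUri` item above, which changes whether the policy name is part of that URI).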