文档在此指出,展望未来,我们必须优先采用授权码流(authorization code flow),因为“随着从浏览器中删除第三方 cookie 的计划,隐式授权流不再是合适的身份验证方法。”
我已经根据示例应用程序 here 设置了一个 asp.net mvc 4 Web 应用程序。当我在 AD B2C 目录中为访问令牌(用于隐式授权流)设置我的应用程序注册时,它会起作用。如果我按照文档的建议切换到“ID 令牌(用于隐式和混合流)”,我会收到错误消息,指出我的应用程序没有设置它。
正如我从文档中了解到的,我必须为 /authorize 和 /token 分别指定端点,以便在授权之后换取令牌。但从示例代码中我看不出该如何做到这一点。下面是 ConfigureAuth 方法,您可以在提供的 github 链接上的示例代码中看到:
/// <summary>
/// Registers OWIN cookie authentication and OpenID Connect middleware for the Azure AD B2C
/// tenant/policy described by <c>WellKnownMetadata</c>, <c>Tenant</c> and <c>DefaultPolicy</c>.
/// </summary>
/// <param name="app">The OWIN application builder the middleware is added to.</param>
/// <remarks>
/// Points a reviewer should be aware of:
/// - <c>ValidateIssuer</c> is turned off, so the <c>iss</c> claim of incoming tokens is not
///   compared with the issuer advertised in the metadata document. Signing keys are still
///   taken from <c>MetadataAddress</c>, so tokens must be signed by that tenant, but a token
///   issued under another policy of the same tenant could pass this check. Prefer leaving
///   issuer validation on, or populate <c>ValidIssuers</c>, once the tenant's issuer format
///   has been confirmed.
/// - <c>ResponseType</c> is not set here, so the middleware default is relied on; confirm
///   that it matches the token types enabled on the app registration (a hybrid
///   "code id_token" response needs ID tokens enabled, a plain "code" response does not).
/// </remarks>
public void ConfigureAuth(IAppBuilder app)
{
    // Azure Web Apps force TLS 1.2 while this project would otherwise try 1.0;
    // pin the outbound protocol so metadata and token requests succeed.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    // Sign-ins produced by the OIDC middleware are persisted by the cookie middleware.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    var cookieOptions = new CookieAuthenticationOptions
    {
        // ASP.NET web host compatible cookie manager (chunking variant for the auth cookie).
        CookieManager = new SystemWebChunkingCookieManager(),
    };
    app.UseCookieAuthentication(cookieOptions);

    // Callbacks for the interesting points of the OIDC round trip.
    var oidcNotifications = new OpenIdConnectAuthenticationNotifications
    {
        RedirectToIdentityProvider = OnRedirectToIdentityProvider,
        AuthorizationCodeReceived = OnAuthorizationCodeReceived,
        AuthenticationFailed = OnAuthenticationFailed,
    };

    // "name" is the claim that feeds the principal's Name property.
    // Issuer validation is disabled here (see the <remarks> on this method); every other
    // validation setting keeps the middleware default.
    var tokenValidation = new TokenValidationParameters
    {
        NameClaimType = "name",
        ValidateIssuer = false,
    };

    // Single space-separated scope string: the OIDC basics plus the two API scopes from web.config.
    string requestedScopes = $"openid profile offline_access {ReadTasksScope} {WriteTasksScope}";

    var oidcOptions = new OpenIdConnectAuthenticationOptions
    {
        // Discovery document for the tenant/policy pair; it supplies the endpoints and signing keys.
        MetadataAddress = string.Format(WellKnownMetadata, Tenant, DefaultPolicy),
        // Standard OpenID Connect client settings, pulled from web.config.
        ClientId = ClientId,
        RedirectUri = RedirectUri,
        PostLogoutRedirectUri = RedirectUri,
        Notifications = oidcNotifications,
        TokenValidationParameters = tokenValidation,
        Scope = requestedScopes,
        // ASP.NET web host compatible cookie manager (non-chunking variant for the OIDC middleware).
        CookieManager = new SystemWebCookieManager(),
    };
    app.UseOpenIdConnectAuthentication(oidcOptions);
}