How to fix OpenID Connect web sign-in with Azure Active Directory B2C returning an id_token instead of an access_token
I am following this Microsoft guide:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
Sending the first authentication request gives me the expected code and id_token in the response.
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?
client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6
&response_type=code+id_token
&redirect_uri=https%3A%2F%2Faadb2cplayground.azurewebsites.net%2F
&response_mode=form_post
&scope=openid%20offline_access
&state=arbitrary_data_you_can_receive_in_the_response
&nonce=12345
export const login = async () => {
  // window.location.origin is safe due to specified Redirect URIs for ADB2C
  window.location.href = "https://{tenant}.b2clogin.com/tfp/{tenant}.onmicrosoft.com/B2C_1_signupsignin/oauth2/v2.0/authorize?"
    + "client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6"
    + "&nonce=anyRandomValue"
    + "&redirect_uri=" + window.location.origin + "/signin-oidc"
    + "&scope=openid%20offline_access"
    + "&response_type=code+id_token";
}
But the token request:
POST {tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token HTTP/1.1
Host: {tenant}.b2clogin.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&scope=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6 offline_access&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...&redirect_uri=urn:ietf:wg:oauth:2.0:oob
should, according to the sample, return this:
{
  "not_before": "1442340812",
  "token_type": "Bearer",
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
  "scope": "90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6 offline_access",
  "expires_in": "3600",
  "refresh_token": "AAQfQmvuDy8WtUv-sd0TBwWVQs1rC-Lfxa_NDkLqpg50Cxp5Dxj0VPF1mx2Z..."
}
What I get instead is a new id_token:
{
  "id_token": "eyJ0eXAiOiJKV...",
  "not_before": 1602766192,
  "id_token_expires_in": 3600,
  "profile_info": "eyJ2ZXIiOiIxL...",
  "scope": "offline_access openid",
  "refresh_token": "eyJraWQiOiJjc...",
  "refresh_token_expires_in": 1209600
}
C#:
var client = _clientFactory.CreateClient();
var kvpList = new List<KeyValuePair<string,string>>();
kvpList.Add(new KeyValuePair<string,string>("grant_type","authorization_code"));
kvpList.Add(new KeyValuePair<string,string>("client_id","90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6"));
kvpList.Add(new KeyValuePair<string,string>("scope","90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6 offline_access"));
kvpList.Add(new KeyValuePair<string,string>("code",{code}));
kvpList.Add(new KeyValuePair<string,string>("redirect_uri",HttpContext.Request.Scheme + "://" + HttpContext.Request.Host + "/signin-oidc"));
kvpList.Add(new KeyValuePair<string,string>("client_secret","{mySecret}"));
var req = new HttpRequestMessage(HttpMethod.Post,"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/B2C_1_signupsignin/oauth2/v2.0/token")
    { Content = new FormUrlEncodedContent(kvpList) };
using var httpResponse = await client.SendAsync(req);
var response = await httpResponse.Content.ReadAsStringAsync();
What am I missing?
Solution
When you ask for "openid offline_access" you are only asking for an id token and a refresh token. To get an access token you need to ask for the scope associated with the resource/API you want to access.
It was indeed the wrong scope. Get it from your Azure AD B2C App registration or Applications (legacy).
Mine reads:
https://{tenant}.onmicrosoft.com/90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6/read
TS:
"&scope=openid%20offline_access%20https://{tenant}.onmicrosoft.com/90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6/read"
C#:
kvpList.Add(new KeyValuePair<string,string>("scope","openid offline_access https://{tenant}.onmicrosoft.com/90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6/read"));
After that everything works.