Azure B2C: Unable to retrieve document from v2.0 .well-known openid-configuration

Posted: 2021-11-17 17:08:18

Question:

I am trying to use Azure B2C in my dotnet core web application so that I can use a sign-in flow I created.

This is my appsettings.json:

"AzureAdB2C": {
    "Instance": "https://XXXX.b2clogin.com/tfp/",
    "Domain": "XXXX.onmicrosoft.com",
    "ClientId": "<CLIENT_ID>",
    "TenantId": "<TENANT_ID>",
    "CallbackPath": "/signin-oidc",
    "SignInPolicyId": "B2C_1_SignFlow"
}

This is my Startup.cs:

    public void ConfigureServices(
        IServiceCollection services)
    {
        IdentityModelEventSource.ShowPII = true;
        services.AddRepositories(this.Configuration);
        services.AddDbContext<ApplicationDbContext>();
        services.AddServices();

        services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            // Handling SameSite cookie according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
            options.HandleSameSiteCookieCompatibility();
        });

        // Configuration to sign-in users with Azure AD B2C
        services.AddMicrosoftIdentityWebAppAuthentication(this.Configuration, Constants.AzureAdB2C);

        services.AddRazorPages();

        services.AddControllersWithViews().AddMicrosoftIdentityUI();
        services.AddOptions();
        services.Configure<OpenIdConnectOptions>(this.Configuration.GetSection("AzureAdB2C"));
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(
        IApplicationBuilder app,
        IWebHostEnvironment env,
        ILogger<Startup> logger)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.UseDatabaseErrorPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        using (var serviceScope = app.ApplicationServices.GetRequiredService<IServiceScopeFactory>().CreateScope())
        {
            logger.LogInformation("Starting Migration");
            using var context = serviceScope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
            context.Database.Migrate();
            logger.LogInformation("Finished Migration");
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseCookiePolicy();

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                "default",
                "{controller=Home}/{action=Index}/{id?}");
            endpoints.MapRazorPages();
        });
    }

Problem: every time I start the application, I get the following error:

System.IO.IOException: IDX20807: Unable to retrieve document from: 'https://XXXX.b2clogin.com/<TENANT_ID>/v2.0/.well-known/openid-configuration'. HttpResponseMessage: 'StatusCode: 404, ReasonPhrase: 'Not Found', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:

  X-Frame-Options: DENY
  ...
  Content-Type: text/html
  Content-Length: 103
 ', HttpResponseMessage.Content: 'The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.'.

If I just want to use Microsoft authentication and set my instance name to https://login.microsoftonline.com/, everything works as expected. This only happens when I try to use the user flow.

If I try to remove TenantId from appsettings.json, I get a message saying it is required: The 'TenantId' option must be provided

Any ideas?

Thanks!


Answer 1:

You may need to add "Authority" to appsettings.json. This is the metadata URL

(Authority format: "https://.b2clogin.com/.onmicrosoft.com/B2C_1_signupsignin1/v2.0/.well-known/openid-configuration")

"AzureAdB2C": {
    "Authority": "https://<tenantname>.b2clogin.com/tfp/tenantName.onmicrosoft.com/B2C_1_signup_policy/v2.0/",
    "Instance": "https://XXXX.b2clogin.com/tfp/",
    "Domain": "XXXX.onmicrosoft.com",
    "ClientId": "<CLIENT_ID>",
    "TenantId": "<TENANT_ID>",
    "CallbackPath": "/b2csignin",
    "SignInPolicyId": "B2C_1_SignFlow"
},

And provide the generic issuer URL in the portal/code, as shown below

https://<domain>/tfp/<tenantId>/v2/

(or) the policy-specific issuer

https://<domain>/tfp/<tenantId>/b2c_1_policy/v2/

References

    getting-error-when-trying-to-secure-aspnet-core-web-api-azure-ad-b2c-issuer-url-in-the-portal
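To make the answer's point concrete, here is an added example (not the poster's code and not Microsoft.Identity.Web's) that derives the policy-specific authority and metadata URL from the appsettings values in the form the answer gives, and then checks a token's issuer against the discovery document. The settings, tenant id and discovery document are constructed placeholders.

```python
"""Build the B2C authority/metadata URL in the form the answer gives and check a
token's issuer against the discovery document. Added example (not the poster's
or Microsoft.Identity.Web's code); settings and discovery document are constructed."""
import json
from urllib.parse import urljoin, urlparse

# Constructed settings in the shape of the question's appsettings.json.
SETTINGS = {
    "Instance": "https://contoso.b2clogin.com/tfp/",
    "Domain": "contoso.onmicrosoft.com",
    "SignInPolicyId": "B2C_1_SignFlow",
}

# Constructed discovery document: the shape of what the metadata URL returns,
# with a made-up tenant id. As the answer's issuer format shows, the issuer
# carries the tenant id rather than the onmicrosoft.com domain.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://contoso.b2clogin.com/tfp/11111111-2222-3333-4444-555555555555/v2.0/",
    "jwks_uri": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1_signflow/discovery/v2.0/keys",
})


def b2c_authority(settings: dict) -> str:
    """Instance + Domain + policy + /v2.0/, as in the answer's Authority value."""
    instance = settings["Instance"].rstrip("/") + "/"
    return f'{instance}{settings["Domain"]}/{settings["SignInPolicyId"]}/v2.0/'


def metadata_url(settings: dict) -> str:
    """The .well-known document lives directly under the policy-specific authority.
    The question's failing URL had neither the tfp segment nor the policy, which is
    why B2C answered 404."""
    return urljoin(b2c_authority(settings), ".well-known/openid-configuration")


def issuer_matches(discovery_json: str, token_iss: str) -> bool:
    """Accept a token only if its 'iss' equals the issuer the metadata advertises.
    Exact string comparison: a missing trailing slash, or a login.microsoftonline.com
    issuer for a b2clogin.com authority, is treated as a mismatch."""
    issuer = json.loads(discovery_json).get("issuer")
    return bool(issuer) and token_iss == issuer


def jwks_on_issuer_host(discovery_json: str) -> bool:
    """Sanity check before trusting signing keys: jwks_uri must be HTTPS on the issuer's host."""
    doc = json.loads(discovery_json)
    iss, jwks = urlparse(doc["issuer"]), urlparse(doc["jwks_uri"])
    return jwks.scheme == "https" and jwks.netloc == iss.netloc
```

Point metadata_url at your real Instance/Domain/policy and the returned document's issuer is the value to validate tokens against; the generic and policy-specific issuer formats quoted in the answer both come from that document.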
