Azure B2C - Custom Policy - Error connecting identity provider
Posted: 2019-11-29 11:18:08

Question:
Following the steps at https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom?tabs=applications, I have been trying to add a custom policy to Azure AD B2C to connect to Autodesk Forge.
I modified the Facebook ClaimsProvider as follows:
<ClaimsProvider>
  <!-- The following Domain element allows this profile to be used if the request comes with domain_hint
       query string parameter, e.g. domain_hint=facebook.com -->
  <Domain>autodesk.com</Domain>
  <DisplayName>AutodeskForge</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="FORGE-OAUTH">
      <!-- The text in the following DisplayName element is shown to the user on the claims provider
           selection screen. -->
      <DisplayName>Forge</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="authorization_endpoint">https://developer.api.autodesk.com/authentication/v1/authorize</Item>
        <Item Key="AccessTokenEndpoint">https://developer.api.autodesk.com/authentication/v1/gettoken</Item>
        <Item Key="ClaimsEndpoint">https://developer.api.autodesk.com/userprofile/v1/users/@me</Item>
        <Item Key="ProviderName">AutodeskForge</Item>
        <!-- HttpBinding applies to both the token request and the claims request -->
        <Item Key="HttpBinding">POST</Item>
        <!-- 0: redirect URI is https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/authresp (no policy name) -->
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <!-- The Facebook required HTTP GET method, but the access token response is in JSON format from 3/27/2017 -->
        <Item Key="AccessTokenResponseFormat">json</Item>
        <Item Key="ClaimsEndpointFormat">json</Item>
        <!-- Note: no client_id Item appears in this excerpt; B2C reads the IdP client ID from this profile's Metadata -->
      </Metadata>
      <CryptographicKeys>
        <!-- Secret stored in the B2C policy key container; sent as client_secret in the token request -->
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ForgeSecret" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims>
        <!-- PartnerClaimType is the field name in the ClaimsEndpoint JSON response -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="userId" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="firstName" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="lastName" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="userName" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="emailId" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="autodesk.com" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
and also replaced the claims provider ID in the user journey from Facebook-OAUTH to FORGE_OAUTH.
When run, it redirects correctly to the Autodesk Forge authorization endpoint, but then fails while trying to connect to the identity provider, returning the following error:

AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: 188d934d-f1f0-48c5-98c4-917b032b94d2
Timestamp: 2019-11-29 10:54:49Z
I am not very experienced with AAD B2C, but it seems I may simply have missed a step somewhere.

After adding Application Insights, the trace log outputs the following:
[
  {
    "Kind": "Headers",
    "Content": {
      "UserJourneyRecorderEndpoint": "urn:journeyrecorder:applicationinsights",
      "CorrelationId": "99e13295-a206-449c-b011-a33422112b29",
      "EventInstance": "Event:ClaimsExchange",
      "TenantId": "alvarob2c.onmicrosoft.com",
      "PolicyId": "B2C_1A_signup_signin"
    }
  },
  {
    "Kind": "Transition",
    "Content": { "EventName": "ClaimsExchange", "StateName": "Initial" }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.ClaimsExchangeMessageValidationHandler"
  },
  {
    "Kind": "Transition",
    "Content": { "EventName": "ClaimsExchange", "StateName": "Microsoft.Cpim.Protocols.PartnerProtocolException" }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.IsPartnerErrorReachesMaximumRetriesHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "Statebag": {
        "MACHSTATE": { "c": "2019-11-29T11:07:31.6899756Z", "k": "MACHSTATE", "v": "Microsoft.Cpim.Protocols.PartnerProtocolException", "p": true },
        "JC": { "c": "2019-11-29T11:07:27.797697Z", "k": "JC", "v": "en-US", "p": true },
        "ORCH_CS": { "c": "2019-11-29T11:07:27.953952Z", "k": "ORCH_CS", "v": "2", "p": true },
        "ORCH_IDX": { "c": "2019-11-29T11:07:27.953952Z", "k": "ORCH_IDX", "v": "0", "p": true },
        "RA": { "c": "2019-11-29T11:07:27.953952Z", "k": "RA", "v": "0", "p": true },
        "RPP": { "c": "2019-11-29T11:07:27.797697Z", "k": "RPP", "v": "OAUTH2", "p": true },
        "RPIPP": { "c": "2019-11-29T11:07:27.797697Z", "k": "RPIPP", "v": "OAuth2ProtocolProvider", "p": true },
        "OTID": { "c": "2019-11-29T11:07:27.797697Z", "k": "OTID", "v": "alvarob2c.onmicrosoft.com", "p": true },
        "IC": { "c": "2019-11-29T11:07:27.9383272Z", "k": "IC", "v": "True", "p": true },
        "MSG(283863a3-02dd-4c87-b4ae-2500a398fed4)": {
          "c": "2019-11-29T11:07:27.9383272Z",
          "k": "MSG(283863a3-02dd-4c87-b4ae-2500a398fed4)",
          "v": "\"TenantId\":\"alvarob2c.onmicrosoft.com\",\"PolicyId\":\"B2C_1A_signup_signin\",\"RedirectUri\":\"https://jwt.ms/\",\"AdditionalParameters\":\"p\":\"B2C_1A_signup_signin\",\"Nonce\":\"defaultNonce\",\"ClientId\":\"4b03fe96-24d9-40b5-b01d-c45b95422b31\",\"ResponseType\":\"id_token\",\"ResponseRedirector\":\"URI\":\"https://jwt.ms\",\"D\":false,\"WF\":true,\"R\":false,\"Scope\":\"openid\",\"AppModelVersion\":1,\"ScopedProviders\":[]",
          "p": true,
          "t": "OAuth2"
        },
        "IMESSAGE": { "c": "2019-11-29T11:07:27.9383272Z", "k": "IMESSAGE", "v": "283863a3-02dd-4c87-b4ae-2500a398fed4", "p": true },
        "TAGE": { "c": "2019-11-29T11:07:31.5024363Z", "k": "TAGE", "v": "ForgeExchange", "p": true },
        "SE": { "c": "2019-11-29T11:07:27.953952Z", "k": "SE", "v": "Social", "p": true },
        "CMESSAGE": { "c": "2019-11-29T11:07:31.3461838Z", "k": "CMESSAGE", "v": "283863a3-02dd-4c87-b4ae-2500a398fed4", "p": true },
        "ComplexItems": "_MachineEventQ, REPRM, TCTX, M_EXCP"
      },
      "PredicateResult": "False"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.IsPartnerReauthenticateActionHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": { "Result": true, "PredicateResult": "False" }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.IsPartnerClientInvalidActionHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": { "Result": true, "PredicateResult": "False" }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.NoOpHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": { "Result": true, "PredicateResult": "True" }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.SSO.SSOSessionEndHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": { "Result": true }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.StateMachineHandlers.SendErrorHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "RecorderRecord": {
        "Values": [
          { "Key": "SendErrorTechnicalProfile", "Value": "OAuth2ProtocolProvider" },
          {
            "Key": "Exception",
            "Value": {
              "Kind": "Handled",
              "HResult": "80131500",
              "Message": "We encountered an error connecting to the identity provider. Please try again later.",
              "Data": { "IsPolicySpecificError": false }
            }
          }
        ]
      },
      "Statebag": {
        "SE": { "c": "2019-11-29T11:07:31.6899756Z", "k": "SE", "v": "", "p": true }
      }
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.StateMachineHandlers.TransactionEndHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": { "Result": true }
  }
]
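The trace above is dense, but only a handful of fields explain the failure: the ClaimsExchange state machine goes from Initial straight to PartnerProtocolException, the statebag names the claims exchange (TAGE = ForgeExchange) and the protocol provider (RPIPP = OAuth2ProtocolProvider), the three recovery predicates all return False, and SendErrorHandler then emits the generic AADB2C90289 text with IsPolicySpecificError false. What the trace as posted does not contain is the IdP's HTTP response to the token or claims request, so the next diagnostic step is to reproduce that request outside B2C. The following Python is an added example, not code from the question or from Microsoft; it reads a journey-recorder trace of the shape shown above and extracts those fields. The embedded sample trace is a constructed, shortened copy of the one in the question (same Kind/Content layout and key values, timestamps and most statebag entries dropped).

```python
import json

# Constructed, shortened copy of the journey-recorder trace in the question:
# same Kind/Content layout and the same key values, timestamps and most
# statebag entries omitted for brevity.
SAMPLE_TRACE = json.dumps([
    {"Kind": "Headers", "Content": {
        "CorrelationId": "99e13295-a206-449c-b011-a33422112b29",
        "EventInstance": "Event:ClaimsExchange",
        "TenantId": "alvarob2c.onmicrosoft.com",
        "PolicyId": "B2C_1A_signup_signin"}},
    {"Kind": "Transition", "Content": {"EventName": "ClaimsExchange", "StateName": "Initial"}},
    {"Kind": "Predicate", "Content": "Web.TPEngine.StateMachineHandlers.ClaimsExchangeMessageValidationHandler"},
    {"Kind": "Transition", "Content": {"EventName": "ClaimsExchange",
                                       "StateName": "Microsoft.Cpim.Protocols.PartnerProtocolException"}},
    {"Kind": "Predicate", "Content": "Web.TPEngine.StateMachineHandlers.IsPartnerErrorReachesMaximumRetriesHandler"},
    {"Kind": "HandlerResult", "Content": {"Result": True, "PredicateResult": "False", "Statebag": {
        "RPP": {"k": "RPP", "v": "OAUTH2", "p": True},
        "RPIPP": {"k": "RPIPP", "v": "OAuth2ProtocolProvider", "p": True},
        "TAGE": {"k": "TAGE", "v": "ForgeExchange", "p": True},
        "ComplexItems": "_MachineEventQ, REPRM, TCTX, M_EXCP"}}},
    {"Kind": "Predicate", "Content": "Web.TPEngine.StateMachineHandlers.IsPartnerReauthenticateActionHandler"},
    {"Kind": "HandlerResult", "Content": {"Result": True, "PredicateResult": "False"}},
    {"Kind": "Predicate", "Content": "Web.TPEngine.StateMachineHandlers.IsPartnerClientInvalidActionHandler"},
    {"Kind": "HandlerResult", "Content": {"Result": True, "PredicateResult": "False"}},
    {"Kind": "Predicate", "Content": "Web.TPEngine.StateMachineHandlers.NoOpHandler"},
    {"Kind": "HandlerResult", "Content": {"Result": True, "PredicateResult": "True"}},
    {"Kind": "Action", "Content": "Web.TPEngine.StateMachineHandlers.SendErrorHandler"},
    {"Kind": "HandlerResult", "Content": {"Result": True, "RecorderRecord": {"Values": [
        {"Key": "SendErrorTechnicalProfile", "Value": "OAuth2ProtocolProvider"},
        {"Key": "Exception", "Value": {"Kind": "Handled", "HResult": "80131500",
            "Message": "We encountered an error connecting to the identity provider. Please try again later.",
            "Data": {"IsPolicySpecificError": False}}}]}}},
])

PARTNER_EXCEPTION = "Microsoft.Cpim.Protocols.PartnerProtocolException"


def summarize(trace_json):
    """Walk the recorder events in order and collect the fields that explain a failure."""
    summary = {"policy": None, "correlation_id": None, "states": [], "predicates": [],
               "statebag": {}, "error_profile": None, "exception": None}
    pending_predicate = None
    for event in json.loads(trace_json):
        kind, content = event.get("Kind"), event.get("Content")
        if kind == "Headers":
            summary["policy"] = content.get("PolicyId")
            summary["correlation_id"] = content.get("CorrelationId")
        elif kind == "Transition":
            summary["states"].append(content.get("StateName"))
        elif kind == "Predicate":
            # A Predicate is followed by the HandlerResult that carries its PredicateResult.
            pending_predicate = content.rsplit(".", 1)[-1]
        elif kind == "HandlerResult":
            if pending_predicate and "PredicateResult" in content:
                summary["predicates"].append((pending_predicate, content["PredicateResult"] == "True"))
                pending_predicate = None
            for key, item in content.get("Statebag", {}).items():
                if isinstance(item, dict) and "v" in item:  # "ComplexItems" is a plain string, skip it
                    summary["statebag"][key] = item["v"]
            for record in content.get("RecorderRecord", {}).get("Values", []):
                if record.get("Key") == "SendErrorTechnicalProfile":
                    summary["error_profile"] = record["Value"]
                elif record.get("Key") == "Exception":
                    summary["exception"] = record["Value"]
    summary["partner_failure"] = PARTNER_EXCEPTION in summary["states"]
    return summary


def explain(summary):
    """Render the summary as the short report a reader wants from this kind of trace."""
    lines = [f"policy {summary['policy']} (correlation {summary['correlation_id']})",
             "state path: " + " -> ".join(summary["states"])]
    if summary["partner_failure"]:
        bag = summary["statebag"]
        lines.append(f"partner exception raised in claims exchange '{bag.get('TAGE')}' "
                     f"via {bag.get('RPIPP')} ({bag.get('RPP')})")
    unmatched = [name for name, hit in summary["predicates"] if not hit]
    if unmatched:
        lines.append("recovery predicates that did not match: " + ", ".join(unmatched))
    exc = summary["exception"]
    if exc:
        lines.append(f"error sent by {summary['error_profile']}: HResult {exc.get('HResult')}, "
                     f"policy-specific={exc.get('Data', {}).get('IsPolicySpecificError')}: {exc.get('Message')}")
    return lines


if __name__ == "__main__":
    print("\n".join(explain(summarize(SAMPLE_TRACE))))
```

The same summarize() works on a full trace exported from Application Insights (the `AppInsightsTrace` custom dimension holds this JSON array), since it only relies on the Kind/Content layout and ignores entries it does not recognise.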
Comments:
- You should try setting up Application Insights logging: docs.microsoft.com/en-us/azure/active-directory-b2c/…. Then you will see the exact error.
- Thanks for the comment, I did implement Insights but failed to understand the output. I will update the question with the Insights results.
- Did you solve it? Could you share the solution?
- I'm afraid not, I ended up using a simpler approach, but I would like to come back to it eventually.

Answer 1:
I was also getting this error because the client ID I was passing to the identity provider was not authorized for the redirect URI I was sending it. I had copied a custom policy and kept the client ID from the original policy, which in the IdP was authorized to redirect only to the original policy.
Answer 2:
I hit the same error/symptom with a different IdP, but my root cause was different. In my case my B2C policy was sending the token request with GET instead of POST, and the IdP server only supported POST. To correct this I had to set the following in the Metadata section of my OAuth2 technical profile:
<Item Key="HttpBinding">POST</Item>