当前位置：文江博客话题详情

Azure AD B2C破坏OIDC规格

发布于 2025-02-11 01:40:36 字数 3299 浏览 2 评论 0 原文

我已经配置了一个自定义策略，AAD B2C ief per this 链接，现在试图将其集成到API网关中，为JWT授权者per this 链接。

但是，尝试配置授权者会引发错误

错误更新API网关V2授权器
BadRequestException
连接到 for Insuer https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/ 。
请稍后再试。
错误：
无效的发行人：
。
发行人必须具有有效的发现端点，以'/.well-newone/openid-configuration结尾

实际发现端点为 https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_1a_signup_signup_signin/.well-well-.well-.well-.well-.well-.well-.well-.well-.well-.well-well-well-.well-.well-.well-.well-.well-.well-.well-.well-.well-.well-v.0/然而，已知/openid-configuration 返回下面的文档，其发行人与发现URL不同。

{
  "issuer": "https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/",
  "authorization_endpoint": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/authorize",
  "token_endpoint": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/token",
  "end_session_endpoint": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/logout",
  "jwks_uri": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "name",
    "given_name",
    "family_name",
    "email",
    "sub",
    "tid",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]
}

查看 this 问题，

有什么办法可以使它工作，还是我必须转到符合规格的OIDC提供商？

原文

I've configured a custom policy with AAD B2C IEF per this link and am now trying to integrate it into API Gateway as a JWT authorizer per this link.

However, attempting to configure the authorizer throws an error

error updating API Gateway v2 authorizer
BadRequestException
Caught exception when connecting to https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/.well-known/openid-configuration for issuer https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/.
Please try again later.
Error:
Invalid issuer:
https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/.
Issuer must have a valid discovery endpoint ended with '/.well-known/openid-configuration

The actual discovery endpoint is https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration, however, that returns a doc as below, which has a different issuer than the discovery URL.

{
  "issuer": "https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/",
  "authorization_endpoint": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/authorize",
  "token_endpoint": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/token",
  "end_session_endpoint": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/logout",
  "jwks_uri": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "name",
    "given_name",
    "family_name",
    "email",
    "sub",
    "tid",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]
}

Looking at this issue and the spec, it looks like AAD is not spec compliant.

Is there any way to get this to work or do I have to move to a spec-compliant OIDC provider?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

想挽留 2025-02-18 01:40:36

请尝试配置发行人URL ，包括TFP ，以兼容。

有关更多详细信息，请参见： >令牌兼容性
说：

注释：ISS索赔IE;发行人确定Azure AD B2C的租户
发行了令牌。通常价值是这样的东西
： https：//＆lt; domain＆gt;/{b2c tent guid}/v2.0/

但是我的应用程序或图书馆需要Azure ad B2C为
符合 openID connect connect discovy 1.0 spec ，使用此
https：//＆lt; domain＆gt;/tfp/{b2c tenant guid}/{policy ID}/v2.0/
包括Azure AD B2C租户和用户流的ID
用于代币请求。

例如：

“issuer” : “https://your-tenant-name.b2clogin.com/tfp/c5b2xxxxxxxxx0-8axxxxxx3d3b/B2C_1A_signin/v2.0/”

或

https://{tenantID}.b2clogin.com/tfp/{tenantID}/{policy-name}/v2.0/

参考：

配置Azure Active Directory B2C提供商手动 - Power-Power
应用| Microsoft Doc

Please try to configure issuer URL including tfp for token compatibility.

For more details see: Token compatibility
which says:

Note : iss claim i.e; issuer identifies tenant of azure ad b2c that
issued the token. Usually the value is some thing like this
:https://<domain>/{B2C tenant GUID}/v2.0/

But If your application or library needs Azure AD B2C to be
compliant with the OpenID Connect Discovery 1.0 spec, use this
https://<domain>/tfp/{B2C tenant GUID}/{Policy ID}/v2.0/ as it
includes IDs for both the Azure AD B2C tenant and the user flow that
was used in the token request.

For example:

“issuer” : “https://your-tenant-name.b2clogin.com/tfp/c5b2xxxxxxxxx0-8axxxxxx3d3b/B2C_1A_signin/v2.0/”

https://{tenantID}.b2clogin.com/tfp/{tenantID}/{policy-name}/v2.0/

References:

回复收藏 0 原文

绿萝 2025-02-18 01:40:36

除了 @kavyasaraboju-mt的答案之外，如果您使用的是自定义策略，则必须在 jwtissuer 中将 IssuanceClaimpattern 设置为 pertivere> epertionalwithtfp per 。

例如，在，添加元素＆lt; item key =“ issuanceclaimpattern”＆gt; pertiatewithtfp＆lt;/item gt; 代码>

回复收藏 0 原文

~没有更多了~

关于作者

旧时模样

暂无简介

文章

29 人气

关注发私信

李珊平

文章 0 评论 0

关注

Quxin

文章 0 评论 0

关注

范无咎

文章 0 评论 0

关注

github_ZOJ2N8YxBm

文章 0 评论 0

关注

若言

文章 0 评论 0

关注

南…巷孤猫

文章 0 评论 0

友情链接

文江博客

Azure AD B2C破坏OIDC规格

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

评论（2）

关于作者

相关话题

热门标签

推荐作者

李珊平

Quxin

范无咎

github_ZOJ2N8YxBm

若言

南…巷孤猫

友情链接

Azure AD B2C破坏OIDC规格

如果你对这篇内容有疑问，欢迎到本站社区发帖提问 参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

评论（2）

关于作者

相关话题

热门标签

推荐作者

李珊平

Quxin

范无咎

github_ZOJ2N8YxBm

若言

南…巷孤猫

友情链接

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。