错误 AADSTS50049:使用 Azure AD B2C 的 ASP.NET Core 8 MVC 中出现“未知或无效实例”

问题描述 投票:0回答:1

我正在开发 ASP.NET Core 8 MVC 应用程序,并使用 Azure AD B2C 进行身份验证管理。以下是我的 appsettings.json 配置:

"AzureAdB2C": {
  "Instance": "https://test555.b2clogin.com",
  "ClientId": "test555",
  "Domain": "test555.onmicrosoft.com",
  "SignedOutCallbackPath": "/signout/B2C_1_SignUpSignIn",
  "SignUpSignInPolicyId": "B2C_1_SignUpSignIn"
}

这是我配置我的

Startup.cs
的方式:

public void ConfigureServices(IServiceCollection services)
{
    services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C")
            .EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["ProsperityPilot:ProsperityPilotScope"] })
            .AddInMemoryTokenCaches();

    services.AddTransient<IClaimsTransformation, AddRolesClaimsTransformation>();

    services.AddControllersWithViews(options =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    }).AddMicrosoftIdentityUI();

    services.AddOptions();
    services.Configure<OpenIdConnectOptions>(Configuration.GetSection("AzureAdB2C"));
}

到目前为止,一切正常。我可以使用 Azure AD B2C 登录、注册/注销,并进行 API 调用以获取令牌,如下所示:

private async Task PrepareAuthenticatedClient()
{
    var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { _todoListScope });
    Debug.WriteLine($"access token-{accessToken}");
    _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    _httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
}

但是,我想使用 IClaimsTransformation 在用户登录时添加一些声明。我编写了以下方法来获取令牌,但出现错误:

AADSTS50049:未知或无效实例。

 public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
 {
     
    ///...

     var token = await GetApplicationTokenAsync();

     // search Users by email
     var userEmail = principal.Identity.Name;
     var user = await _service.GetByEmailAsync(userEmail, token);

     ///...

     return clone;
 }

这是我的

GetApplicationTokenAsync

private async Task<string> GetApplicationTokenAsync()
{
    var clientId = _configuration["AzureAdB2C:ClientId"];
    var clientSecret = _configuration["AzureAdB2C:ClientSecret"];
    var scope = _configuration["MyApp:MyAppScope"];
    var tenant = _configuration["AzureAdB2C:Domain"];
    var policy = _configuration["AzureAdB2C:SignUpSignInPolicyId"]; 

    var authority = $"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0";

    IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
        .WithClientSecret(clientSecret)
        .WithAuthority(new Uri(authority))
        .Build();

    var authResult = await app.AcquireTokenForClient(new[] { scope }).ExecuteAsync();
    return authResult.AccessToken;
}

问题:

  1. 使用 Azure AD B2C 在 ASP.NET Core 8 MVC 应用程序中配置获取令牌的权限的正确方法是什么?
  2. 我需要配置单独的 DownstreamApi 吗?如果是这样,我应该如何正确设置?
c# asp.net-core azure-ad-b2c identity
1个回答
0
投票

您的配置有

{
  "Domain": "test555.onmicrosoft.com"
}

然后使用:

var tenant = _configuration["AzureAdB2C:Domain"];
var authority = $"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0";

这意味着权限最终成为无效值:

https://test555.onmicrosoft.com.b2clogin.com/test555.onmicrosoft.com.onmicrosoft.com/B2C_1_SignUpSignIn/v2.0

注意域中如何有重复的文本吗? 您需要一个仅包含“test555”的配置值,然后它应该可以工作。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.