我正在开发 ASP.NET Core 8 MVC 应用程序,并使用 Azure AD B2C 进行身份验证管理。以下是我的 appsettings.json 配置:
"AzureAdB2C": {
"Instance": "https://test555.b2clogin.com",
"ClientId": "test555",
"Domain": "test555.onmicrosoft.com",
"SignedOutCallbackPath": "/signout/B2C_1_SignUpSignIn",
"SignUpSignInPolicyId": "B2C_1_SignUpSignIn"
}
这是我配置我的
Startup.cs
的方式:
public void ConfigureServices(IServiceCollection services)
{
services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C")
.EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["ProsperityPilot:ProsperityPilotScope"] })
.AddInMemoryTokenCaches();
services.AddTransient<IClaimsTransformation, AddRolesClaimsTransformation>();
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
}).AddMicrosoftIdentityUI();
services.AddOptions();
services.Configure<OpenIdConnectOptions>(Configuration.GetSection("AzureAdB2C"));
}
到目前为止,一切正常。我可以使用 Azure AD B2C 登录、注册/注销,并进行 API 调用以获取令牌,如下所示:
private async Task PrepareAuthenticatedClient()
{
var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { _todoListScope });
Debug.WriteLine($"access token-{accessToken}");
_httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
_httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
}
但是,我想使用 IClaimsTransformation 在用户登录时添加一些声明。我编写了以下方法来获取令牌,但出现错误:
AADSTS50049:未知或无效实例。
public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
///...
var token = await GetApplicationTokenAsync();
// search Users by email
var userEmail = principal.Identity.Name;
var user = await _service.GetByEmailAsync(userEmail, token);
///...
return clone;
}
这是我的
GetApplicationTokenAsync
:
private async Task<string> GetApplicationTokenAsync()
{
var clientId = _configuration["AzureAdB2C:ClientId"];
var clientSecret = _configuration["AzureAdB2C:ClientSecret"];
var scope = _configuration["MyApp:MyAppScope"];
var tenant = _configuration["AzureAdB2C:Domain"];
var policy = _configuration["AzureAdB2C:SignUpSignInPolicyId"];
var authority = $"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0";
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
.WithClientSecret(clientSecret)
.WithAuthority(new Uri(authority))
.Build();
var authResult = await app.AcquireTokenForClient(new[] { scope }).ExecuteAsync();
return authResult.AccessToken;
}
您的配置有
{
"Domain": "test555.onmicrosoft.com"
}
然后使用:
var tenant = _configuration["AzureAdB2C:Domain"];
var authority = $"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0";
这意味着权限最终成为无效值:
https://test555.onmicrosoft.com.b2clogin.com/test555.onmicrosoft.com.onmicrosoft.com/B2C_1_SignUpSignIn/v2.0
注意域中如何有重复的文本吗? 您需要一个仅包含“test555”的配置值,然后它应该可以工作。