Issuer within a JWT is slightly different when using Azure AD B2C
Problem description
Hi
I found the following issue:
If one requests a token from a tenant, the returning JWT contains an issuer field which is slightly different from the one specified in the metadata, because it includes an extra '/'.
In the example: https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration
The issuer's uri is "https://login.microsoftonline.com/775527ff-9a37-4307-8b3d-cc311f58d925/v2.0", however the returned token contains this uri: "https://login.microsoftonline.com/775527ff-9a37-4307-8b3d-cc311f58d925/v2.0/"
This will cause an inconsistency when one must verify the token's issuer.
Best regards
Mauricio Agurto
**EDIT** I found that the returned value is correct. It was the exact same issuer. It was my own mistake. I was using as metadata a URI that didn't include the policy used (e.g. URI+?p=b2c_1signup). However, it can still be misleading that some issuers included a "\" at the end and some others did not.
Recommended answer
Hi Mauricio,
Glad you were able to get your issue resolved! If you think it would be helpful for others to know this, can you please make a request to AAD product feedback?
https://feedback.azure.com/forums/169401-azure-active-directory
Thanks.
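The issuer check discussed in the question and its edit, as an added example (not code from the original post or from Microsoft): it compares a token's `iss` claim by exact string match against the `issuer` of metadata fetched without and with the policy parameter. The token and the two trimmed metadata documents are constructed from the values quoted above, the function names are illustrative, and the block covers only the issuer comparison, not signature verification.

```python
import base64
import json
from urllib.parse import urlencode

# Values quoted in the question above.
METADATA_BASE = ("https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com"
                 "/v2.0/.well-known/openid-configuration")
TENANT_ISSUER = ("https://login.microsoftonline.com/"
                 "775527ff-9a37-4307-8b3d-cc311f58d925/v2.0")


def policy_metadata_url(policy: str) -> str:
    """Metadata URL for one policy (the URI+?p=... form from the edit)."""
    return f"{METADATA_BASE}?{urlencode({'p': policy})}"


def b64url_decode(segment: str) -> bytes:
    """Decode base64url with the padding that compact JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_issuer(jwt: str) -> str:
    """Read the iss claim from the payload segment (no signature check here)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    iss = json.loads(b64url_decode(parts[1])).get("iss")
    if not isinstance(iss, str):
        raise ValueError("iss claim missing or not a string")
    return iss


def issuer_matches(jwt: str, metadata: dict) -> bool:
    """Exact, case-sensitive comparison; a trailing '/' is significant."""
    return token_issuer(jwt) == metadata.get("issuer")


def b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample data: a token with a placeholder signature segment and
# two trimmed metadata documents (without and with the policy parameter).
SAMPLE_TOKEN = ".".join([b64url({"alg": "RS256", "typ": "JWT"}),
                         b64url({"iss": TENANT_ISSUER + "/", "sub": "constructed"}),
                         "constructed"])
METADATA_WITHOUT_POLICY = {"issuer": TENANT_ISSUER}
METADATA_WITH_POLICY = {"issuer": TENANT_ISSUER + "/"}
```

Validating against `METADATA_WITHOUT_POLICY` rejects the sample token, while the document fetched from `policy_metadata_url("b2c_1signup")` carries the same issuer string the token does.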