Azure AD B2C Token Issue


Problem description

As an enterprise, we would like to use Azure AD B2C, and we have internal and external users.

Azure AD helps us manage our Azure users and corporate users, and we can even add users with x@.onmicrosoft.com emails.

When we wanted to use Azure AD B2C for our consumers, we had 2 choices to add our users: a local user and an external user (Facebook, Google, etc.).

If the local user belongs to our corporate it is ok to create the user using the Azure AD B2C portal.

But when we try to create Azure AD B2C users who have another kind of email, we need to use our own app which is consuming the Graph API. (That is an Azure portal restriction.)

The issue is we are having a hard time getting the users' values after the login if they are local users with Gmail or x emails.

We are using MSAL to get the related information instead of ADAL.

We have enabled the scopes and also enabled the API Access, but these are the errors we are getting.

acquiring the popup: AADB2C90055: The scope 'openid email openid profile' provided in request must specify a resource, such as 'https://example.com/calendar.read'.

Correlation ID: 86d6ff41-1cef-4ba1-9b26-2aa281c92ccd

Timestamp: 2017-09-15 10:22:20Z

invalid_request Error during login: AADB2C90117: The scope 'user_impersonation' provided in the request is not supported.

Correlation ID: 785c6487-cd7f-4750-a769-deb477cb4ba4

Timestamp: 2017-09-15 10:32:39Z

:invalid_request

Error acquiring the popup: AADB2C90055: The scope 'email openid profile' provided in request must specify a resource, such as 'https://example.com/calendar.read'.

Correlation ID: bd714482-8534-473e-94bc-0a4c56da686d

Timestamp: 2017-09-15 10:36:15Z

:invalid_request

Recommended answer

Error1 and Error3

There is no need to provide the scopes openid profile offline_access when using the MSAL library to interact with Azure AD B2C. The SDK will add those scopes automatically. We only need to provide the custom scope we defined for the web API app registration on the Azure AD B2C blade.

The scope user_impersonation is a custom scope defined by the app by default. We should include the App ID URI (https://{myB2CTenant}.onmicrosoft.com/b2capp2) before it, like below:

// Custom scopes of the B2C web API, each prefixed with the API's App ID URI
string[] SCOPES = { "https://{myB2CTenant}.onmicrosoft.com/b2capp2/note_read", "https://{myB2CTenant}.onmicrosoft.com/b2capp2/user_impersonation" };

And AFAIK, Azure AD B2C doesn't support delegating the user to access the Azure AD Graph at present. We need to register an app via Azure Active Directory -> App registrations (not in the Azure AD B2C blade) and access the Microsoft Graph or Azure AD Graph via the client credentials flow. Here is a helpful link on calling the Graph API in Azure AD B2C:

Azure AD B2C: Using the Graph API

If you want the Azure AD B2C app to also support delegating a user to call the Microsoft Graph, you may submit feedback from here.
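The two rules the answer gives (custom scopes must carry the web API's App ID URI, and openid/profile/offline_access are never passed to MSAL explicitly) together with the separate client-credentials path for Graph, as an added C# example built on MSAL.NET. This is not code from the original answer; the tenant name {myB2CTenant}, the b2capp2 App ID URI, the policy name B2C_1_signupsignin, the client IDs and the secret are placeholders you would replace with your own registration values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not part of the original answer. All tenant/app values below are placeholders.
public static class B2CTokenExample
{
    // Scopes MSAL adds on its own for B2C. Passing them explicitly is what produced AADB2C90055
    // ("must specify a resource") in the question, so the builder refuses them up front.
    static readonly HashSet<string> ReservedOidcScopes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "openid", "profile", "email", "offline_access" };

    // Builds the scope list for a B2C web API: every custom scope is prefixed with the API's App ID URI,
    // so a bare "user_impersonation" (rejected with AADB2C90117) becomes "<appIdUri>/user_impersonation".
    public static string[] BuildB2CScopes(string appIdUri, params string[] scopeNames)
    {
        var reserved = scopeNames.Where(ReservedOidcScopes.Contains).ToList();
        if (reserved.Any())
            throw new ArgumentException(
                "Do not pass OIDC scopes to MSAL for B2C; the SDK adds them itself: " + string.Join(" ", reserved));

        return scopeNames
            .Select(s => s.Contains("/") ? s : appIdUri.TrimEnd('/') + "/" + s)
            .ToArray();
    }

    // Interactive sign-in of a B2C local or social user through a public client.
    public static async Task<AuthenticationResult> AcquireUserTokenAsync(
        string tenant, string clientId, string policy, string[] scopes)
    {
        var pca = PublicClientApplicationBuilder
            .Create(clientId)
            .WithB2CAuthority($"https://{tenant}.b2clogin.com/tfp/{tenant}.onmicrosoft.com/{policy}")
            .WithRedirectUri("http://localhost")
            .Build();

        // Only the custom API scopes go here; MSAL appends openid/profile/offline_access.
        return await pca.AcquireTokenInteractive(scopes).ExecuteAsync();
    }

    // App-only Graph access (client credentials) with an app registered under
    // Azure Active Directory > App registrations, i.e. outside the B2C blade, as the answer describes.
    public static async Task<string> AcquireGraphTokenAsync(string tenantId, string graphClientId, string clientSecret)
    {
        var cca = ConfidentialClientApplicationBuilder
            .Create(graphClientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        var result = await cca.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" }).ExecuteAsync();
        return result.AccessToken;
    }

    public static async Task Main()
    {
        var tenant = "{myB2CTenant}";                                  // placeholder B2C tenant name
        var appIdUri = $"https://{tenant}.onmicrosoft.com/b2capp2";    // App ID URI of the B2C web API (placeholder)
        var scopes = BuildB2CScopes(appIdUri, "note_read", "user_impersonation");

        // Sign the user in and read the claims the ID token carries (the "user values" from the question).
        var user = await AcquireUserTokenAsync(tenant, "{b2c-client-id}", "B2C_1_signupsignin", scopes);
        foreach (var claim in user.ClaimsPrincipal.Claims)
            Console.WriteLine($"{claim.Type} = {claim.Value}");

        // Directory reads/writes for B2C users go through the separately registered Azure AD app.
        var graphToken = await AcquireGraphTokenAsync("{aad-tenant-id}", "{graph-client-id}", "{client-secret}");
        Console.WriteLine($"Graph token acquired, length {graphToken.Length}");
    }
}
```

BuildB2CScopes is the piece worth keeping around: it turns the two error messages from the question into a compile-time-adjacent check, refusing the reserved OIDC scopes and prefixing the App ID URI, so the scope list handed to MSAL is always in the form the answer shows. The client secret is only a placeholder here; in a deployment it belongs in a secret store, not in source.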
