您如何使用MSAL对AAD B2C进行身份验证? [英] How do you authenticate AAD B2C using MSAL?

问题描述

我有一个使用ADAL的客户端/服务器身份验证的工作版本.但是，当您要使用本地帐户时，B2C AAD似乎不能与ADAL很好地配合使用(也就是说，仅用户名或仅具有AAD之外没有后备身份验证器的电子邮件地址).看来我们应该用于本地帐户的API是MSAL的Alpha版本.到目前为止，一切都很好.我可以使用Graph API并使用以下代码创建本地用户，我似乎正在对本地用户'joeconsumer@mycompany.com'进行身份验证:

I have a working version of a Client/Server authentication using ADAL. However, it appears that the B2C AAD doesn't work well with ADAL when you want to use Local Accounts (that is, just a username or just an email address with no backing authenticator other than AAD). It appears the API we should be using for Local Accounts is the alpha release of MSAL. So far, so good. I'm able to create a local user using the Graph API and using the following code, I appear to be authenticating the local user 'joeconsumer@mycompany.com':

        this.pca = new PublicClientApplication("a4828eaa-42f6-418a-8062-f857130b69ce");
        AuthenticationResult result = await this.pca.AcquireTokenAsync(
            new string[] { "a4828eaa-42f6-418a-8062-f857130b69ce" },
            string.Empty,
            UiOptions.ForceLogin,
            null,
            null,
            "https://login.microsoftonline.com/" + "darkbondpublic.onmicrosoft.com",
            "B2C_1_sign-in");

问题是我使用WCF中的自定义安全令牌机制将安全令牌从"result.Token"传递回服务器.服务器上用于ADAL的代码似乎不再接受上述调用中的安全令牌:

The problem is that I pass the security token from 'result.Token' back to the server using a custom security token mechanism in WCF. The code on the server, which used to work with ADAL, no longer seems to accept the security token from the above call:

JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
Microsoft.IdentityModel.Tokens.SecurityToken securityToken = null;
ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(userName, this.GetTokenValidationParameters(MetadataAddress), out securityToken);
Thread.CurrentPrincipal = claimsPrincipal;

错误消息是:

谁能告诉我这是怎么回事?我需要在服务器上进行身份验证的其他方法吗?

Can anyone tell me what is going on here? Do I need a different method of authenticating on the server?

推荐答案

您为Azure AD B2C租户配置的元数据终结点不正确.这是正确的供您参考:

The metadata endpoint you config for Azure AD B2C tenant is incorrect. Here is the correct one for your reference:

https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration?p=B2C_1_Sign_In

我们可以从新的Azure门户中找到特定策略的元数据，如下图所示.

We can find the metadata for the specific policy from the new Azure portal like figure below.

并且在元数据中应该能够看到键的端点，如下所示:

And in the metadata should able to see the keys endpoint like below:

https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys?p={policy}

我们可以找到带有孩子gfIKIH-yZ3phRHRyjnsHIqZMaePLGAELzPat0CNY4sA的钥匙，如下图所示:

We can find the key with kid gfIKIH-yZ3phRHRyjnsHIqZMaePLGAELzPat0CNY4sA like below figure:

这篇关于您如何使用MSAL对AAD B2C进行身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！