Azure AD B2C Token Issue


Question

As an enterprise, we would like to use Azure AD B2C, and we have internal and external users.

Azure AD helps us manage our Azure users and corporate users, and we can even add users with x@.onmicrosoft.com emails.

When we want to use Azure AD B2C for our consumers, we have 2 choices to add our users: a local user or an external user (Facebook, Google, etc.).

If the local user belongs to our corporation, it is OK to create the user using the Azure AD B2C portal.

But when we try to create Azure AD B2C users who have another kind of email, we need to use our own app which consumes the Graph API (that is an Azure portal restriction).

The issue is that we are having a hard time getting the users' values after login if they are local users with Gmail or x emails.

We are using MSAL to get the related information instead of ADAL.

We have enabled the scopes and also enabled the API access, but these are the errors we are getting.

acquiring the popup: AADB2C90055: The scope 'openid email openid profile' provided in request must specify a resource, such as 'https://example.com/calendar.read'.

Correlation ID: 86d6ff41-1cef-4ba1-9b26-2aa281c92ccd

Timestamp: 2017-09-15 10:22:20Z

invalid_request Error during login: AADB2C90117: The scope 'user_impersonation' provided in the request is not supported.

Correlation ID: 785c6487-cd7f-4750-a769-deb477cb4ba4

Timestamp: 2017-09-15 10:32:39Z

:invalid_request

Error acquiring the popup: AADB2C90055: The scope 'email openid profile' provided in request must specify a resource, such as 'https://example.com/calendar.read'.

Correlation ID: bd714482-8534-473e-94bc-0a4c56da686d

Timestamp: 2017-09-15 10:36:15Z

:invalid_request

Recommended answer

Error1 and Error3

There is no need to provide the scopes openid profile offline_access when we use the MSAL library to interact with Azure AD B2C. The SDK will add these scopes automatically. We only need to provide the custom scope we defined for the web API app registered on the Azure AD B2C blade.

The scope user_impersonation is a custom scope defined by the app by default. We should include the app ID URI (https://{myB2CTenant}.onmicrosoft.com/b2capp2) before it, like below:

string[] SCOPES = { "https://{myB2CTenant}.onmicrosoft.com/b2capp2/note_read", "https://{myB2CTenant}.onmicrosoft.com/b2capp2/user_impersonation" };

And AFAIK, Azure AD B2C doesn't support delegating the user to access the Azure AD Graph at present. We need to register an app via Azure Active Directory -> App registrations (not in the Azure AD B2C blade) and access the Microsoft or Azure AD Graph via the client credentials flow. Here is a helpful link about calling the Graph API in Azure AD B2C:

Azure AD B2C: Use the Graph API

If you want the Azure AD B2C app to also support delegating the user to call the Microsoft Graph, you may submit feedback here.
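As an added example (not code from the question or the answer above), this Python helper applies the answer's rule: it prefixes each custom scope name with the web API's app ID URI, drops the OIDC scopes that MSAL adds on its own, and flags a raw scope string that would hit the two errors quoted in the question. The tenant name contoso and the diagnose heuristic are assumptions; b2capp2, note_read and user_impersonation come from the answer.

```python
from typing import Optional
from urllib.parse import urlparse

# Scopes MSAL adds to a B2C request by itself (per the answer above);
# 'email' is another standard OIDC scope and is treated the same way.
OIDC_SCOPES = {"openid", "profile", "offline_access", "email"}


def qualify_scopes(app_id_uri: str, requested: list) -> tuple:
    """Return (scopes to hand to MSAL, notes about dropped entries).

    Bare custom scope names get the web API's app ID URI prefixed, OIDC
    scopes are dropped, already-qualified https:// scopes are kept, and
    duplicates are removed while preserving order.
    """
    parsed = urlparse(app_id_uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"app ID URI must be an https URL: {app_id_uri!r}")
    base = app_id_uri.rstrip("/")
    scopes, notes = [], []
    for name in (n.strip() for n in requested if n.strip()):
        if name.lower() in OIDC_SCOPES:
            notes.append(f"dropped {name!r}: MSAL adds this OIDC scope itself")
            continue
        full = name if name.startswith("https://") else f"{base}/{name}"
        if full not in scopes:
            scopes.append(full)
    return scopes, notes


def diagnose_scope_string(scope_param: str) -> Optional[str]:
    """Predict which of the two B2C errors quoted in the question a raw
    'scope' parameter would hit, or None if it looks acceptable.
    Assumption: a heuristic built only from those two errors, not from
    Microsoft's documented validation rules.
    """
    names = scope_param.split()
    bare = [n for n in names
            if n.lower() not in OIDC_SCOPES and not n.startswith("https://")]
    if bare:  # e.g. 'user_impersonation' without the app ID URI
        return f"AADB2C90117: bare custom scope {bare[0]!r} is not supported"
    if not any(n.startswith("https://") for n in names):  # OIDC scopes only
        return "AADB2C90055: no scope names a resource (app ID URI)"
    return None


# 'contoso' is a constructed tenant name; b2capp2 and the scope names
# come from the answer above.
EXAMPLE_APP_ID_URI = "https://contoso.onmicrosoft.com/b2capp2"
EXAMPLE_SCOPES, EXAMPLE_NOTES = qualify_scopes(
    EXAMPLE_APP_ID_URI, ["openid", "email", "note_read", "user_impersonation"])
```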
