Azure AD B2C:兑换机密授予时，客户端必须发送client_secret [英] Azure AD B2C: Clients must send a client_secret when redeeming a confidential grant

问题描述

我尝试使用授权代码和Azure AD B2C(客户端上的oidc客户端)为Angular应用设置身份验证，但是我从Angular收到了这些错误:

I try to setup authentification for an Angular app using authorization code and Azure AD B2C (oidc-client on client side), but I'm getting these errors from Angular:

在查看B2C审核日志后，我发现以下错误消息:

After looking in B2C audit logs, I found this error message:

客户在兑换机密授权时必须发送client_secret.

Clients must send a client_secret when redeeming a confidential grant.

这是我的客户端配置:

const settings = {
  stsAuthority: 'https://supportodqqcdev.b2clogin.com/supportodqqcDev.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SignUpSignInOdqPlatine',
  clientId: '8447df5b-35a0-40a7-944f-5dcce87a2193',
  clientRoot: 'https://localhost:4200',
  scope: 'openid https://supportodqqcDev.onmicrosoft.com/platineclientdev/read',
};
this.userManager = new UserManager({
  authority: settings.stsAuthority,
  client_id: settings.clientId,
  redirect_uri: `${settings.clientRoot}/signin-callback`,
  scope: settings.scope,
  response_type: 'code',
  post_logout_redirect_uri: `${settings.clientRoot}/signout-callback`,
  automaticSilentRenew: true,
  silent_redirect_uri: `${settings.clientRoot}/assets/signin-silent-callback.html`,
});

如果我将上述配置切换为使用本地IdentityServer实例，则一切正常.

If I switch the above configuration to use a local IdentityServer instance, everthings works has expected.

有人可以指出我应该在哪里或如何进行调查吗?

Is someone able to point me out where or how I should investigate this?

推荐答案

我遇到了与您完全相同的问题，并且能够解决该问题.

I had the exact same issue as you and was just able to resolve it.

AD正在向您请求client_secret，因为尚未为PKCE配置它.若要告诉AD您要对特定的重定向URL使用PKCE，则需要将其类型从'Web'设置为'Spa'.这可以在清单中完成.

AD is requesting the client_secret from you, because it isn't configured for PKCE yet. To tell AD that you want to use PKCE for a specific redirect url you need to set its type from 'Web' to 'Spa'. This can be done in the manifest.

在清单中搜索属性replyUrlsWithType，然后找到您的.../signin-callback网址.将其类型更改为'Spa'，您应该会很好.

Search for the property replyUrlsWithType in the Manifest and look for your .../signin-callback url. Change its type to 'Spa' and you should be good.

例如:

"replyUrlsWithType": [
    {
        "url": "http://localhost:8080/signin-callback",
        "type": "Spa"
    },
]

配置的URL现在将从授权"页面中消失，但是没关系->它仍在清单中. MS团队正在研究这种新类型.

The configured url will now disappear from your Authorization page but thats ok -> it's still present in the Manifest. The MS team is working on this new type.

还请确保将您的应用程序标记为公共客户端.

Also make sure you marked your application as a public client.

有关更多信息，请在这里查看我的答案: Active Directory是否不支持PKCE的授权代码流?

For more information, see my answer here: Is Active Directory not supporting Authorization Code Flow with PKCE?

这篇关于Azure AD B2C:兑换机密授予时，客户端必须发送client_secret的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！