Azure AD B2C:兑换机密授予时,客户端必须发送client_secret [英] Azure AD B2C: Clients must send a client_secret when redeeming a confidential grant
问题描述
我尝试使用授权代码和Azure AD B2C(客户端上的oidc客户端)为Angular应用设置身份验证,但是我从Angular收到了这些错误:
I try to setup authentification for an Angular app using authorization code and Azure AD B2C (oidc-client on client side), but I'm getting these errors from Angular:
在查看B2C审核日志后,我发现以下错误消息:
After looking in B2C audit logs, I found this error message:
客户在兑换机密授权时必须发送client_secret.
Clients must send a client_secret when redeeming a confidential grant.
这是我的客户端配置:
const settings = {
stsAuthority: 'https://supportodqqcdev.b2clogin.com/supportodqqcDev.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SignUpSignInOdqPlatine',
clientId: '8447df5b-35a0-40a7-944f-5dcce87a2193',
clientRoot: 'https://localhost:4200',
scope: 'openid https://supportodqqcDev.onmicrosoft.com/platineclientdev/read',
};
this.userManager = new UserManager({
authority: settings.stsAuthority,
client_id: settings.clientId,
redirect_uri: `${settings.clientRoot}/signin-callback`,
scope: settings.scope,
response_type: 'code',
post_logout_redirect_uri: `${settings.clientRoot}/signout-callback`,
automaticSilentRenew: true,
silent_redirect_uri: `${settings.clientRoot}/assets/signin-silent-callback.html`,
});
如果我将上述配置切换为使用本地IdentityServer实例,则一切正常.
If I switch the above configuration to use a local IdentityServer instance, everthings works has expected.
有人可以指出我应该在哪里或如何进行调查吗?
Is someone able to point me out where or how I should investigate this?
推荐答案
我遇到了与您完全相同的问题,并且能够解决该问题.
I had the exact same issue as you and was just able to resolve it.
AD正在向您请求client_secret,因为尚未为PKCE配置它.若要告诉AD您要对特定的重定向URL使用PKCE,则需要将其类型从'Web'
设置为'Spa'
.这可以在清单中完成.
AD is requesting the client_secret from you, because it isn't configured for PKCE yet. To tell AD that you want to use PKCE for a specific redirect url you need to set its type from 'Web'
to 'Spa'
. This can be done in the manifest.
在清单中搜索属性replyUrlsWithType
,然后找到您的.../signin-callback
网址.将其类型更改为'Spa'
,您应该会很好.
Search for the property replyUrlsWithType
in the Manifest and look for your .../signin-callback
url. Change its type to 'Spa'
and you should be good.
例如:
"replyUrlsWithType": [
{
"url": "http://localhost:8080/signin-callback",
"type": "Spa"
},
]
配置的URL现在将从授权"页面中消失,但是没关系->它仍在清单中. MS团队正在研究这种新类型.
The configured url will now disappear from your Authorization page but thats ok -> it's still present in the Manifest. The MS team is working on this new type.
还请确保将您的应用程序标记为公共客户端.
Also make sure you marked your application as a public client.
有关更多信息,请在这里查看我的答案: Active Directory是否不支持PKCE的授权代码流?
For more information, see my answer here: Is Active Directory not supporting Authorization Code Flow with PKCE?
这篇关于Azure AD B2C:兑换机密授予时,客户端必须发送client_secret的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!