Microsoft oidc in AWS Cognito allowing multiple tenants
Problem description
I am trying to implement social login with Microsoft accounts in an AWS Cognito user pool.
I followed the documentation and the solution mentioned in this thread: https://forums.aws.amazon.com/thread.jspa?threadID=287376&tstart=0
My problem is with setting the issuer to allow multiple tenants.
This issuer works only for private accounts:
https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0
This issuer works only for accounts in our directory (tenant): https://login.microsoftonline.com/AZURE_ACTIVE_DIRECTORY/v2.0
This issuer does not work at all. I get a bad issuer error or a bad request after signing in with Microsoft: https://login.microsoftonline.com/common/v2.0
I need to have one oidc provider that will work for any Microsoft account (all tenants). Is that even possible?
If I set issuer tenant to common in the AWS Cognito oidc config, then this starts the correct Microsoft flow, but I assume the check for issuer in Cognito fails because Microsoft always returns the specific tenant id inside the jwt token as part of the issuer.
Additional info from the Microsoft documentation I have checked:
https://docs.microsoft.com/de-de/azure/active-directory/develop/v2-protocols-oidc
https://docs.microsoft.com/de-de/azure/active-directory/develop/id-tokens
I avoided this (tenancy/issuer) problem by avoiding usage of the userpool, and directly interacting with the Azure endpoints https://login.microsoftonline.com/common/oauth2/v2.0/authorize etc.
I still have to use the identitypool, to map to IAM role.
Understandably, this is more work than having the userpool handle token stuff, but this is the only way I found to make it work with all Azure AD accounts.
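An added example (not the answerer's code) of the issuer problem behind this thread: a single-issuer client compares `iss` by exact string equality, so configuring `.../common/v2.0` never matches the tenant-specific issuer Microsoft puts in the token, while a multi-tenant check must instead match the issuer pattern, require the `tid` claim to agree with it, and ideally restrict tenants to an allowlist. The token builder and claims are constructed for an offline demo and skip signature verification, which a real client must do against the tenant's JWKS before trusting any claim.

```python
import base64
import json
import re

# Issuer format Microsoft places in v2.0 ID tokens: always the tenant GUID, never "common".
ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f\-]{36})/v2\.0$")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED demo token so the checks below run offline.
    Real tokens carry an RS256 signature that must be verified against the tenant's JWKS."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_payload(id_token: str) -> dict:
    """Base64url-decode the claims segment of a JWT. The result is untrusted until the
    signature has been verified; this demo skips that step."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def strict_issuer_check(claims: dict, configured_issuer: str) -> bool:
    """Single-issuer behaviour (what a user-pool style OIDC client does): exact match.
    Configuring ".../common/v2.0" can therefore never succeed."""
    return claims.get("iss") == configured_issuer

def multi_tenant_issuer_check(claims: dict, allowed_tenants=None) -> bool:
    """Accept any Microsoft tenant issuer, but require the tenant in 'iss' to agree with
    the 'tid' claim and, when an allowlist is given, to be one of the allowed tenants."""
    match = ISSUER_RE.match(claims.get("iss", ""))
    if match is None:
        return False
    tenant = match.group(1)
    if claims.get("tid") != tenant:
        return False
    if allowed_tenants is not None and tenant not in allowed_tenants:
        return False
    return True

if __name__ == "__main__":
    # Constructed sample claims; the GUID is the consumer-account tenant quoted in the question.
    tid = "9188040d-6c67-4c5b-b112-36a304b66dad"
    claims = decode_payload(make_demo_token(
        {"iss": f"https://login.microsoftonline.com/{tid}/v2.0", "tid": tid, "sub": "demo"}))
    print(strict_issuer_check(claims, "https://login.microsoftonline.com/common/v2.0"))  # False
    print(multi_tenant_issuer_check(claims))  # True
```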