Azure AD B2C: mixing built-in flows with custom policies and sharing encryption keys for JWTs

Views: 71

Problem description

I'm working on an app that uses Azure AD B2C and .NET Core APIs. We are trying to use a mixture of built-in user flows and one custom policy: built-in user flows for sign-in and reset password, and a custom policy for sign-up, because we want to follow the invitation sign-up flow demonstrated by this sample app.

https://github.com/azure-ad-b2c/samples/blob/master/policies/invite/README.md

An issue I'm having is on the API authorization side. The JWTs issued from the built-in user flows are encrypted and signed with a different set of keys than the JWTs issued from the custom invitation policy. If I set up the B2C authority for my API project to reference my sign-in flow https://{mytenant}.b2clogin.com/investgradedev.onmicrosoft.com/B2C_1_SI/v2.0, then tokens issued from sign-in are authorized fine but tokens issued from sign-up fail authorization. If I set the B2C authority to reference the custom sign-up policy https://{mytenant}.b2clogin.com/investgradedev.onmicrosoft.com/B2C_1A_signup_invitation/v2.0, then I have the reverse problem.

  1. Is it possible to have the tokens from both flows encrypted and signed with the same keys? If so, how do I set that up?
  2. Should I force new users back through the sign-in flow in order to obtain a valid token?

I'm new to B2C and have been on a steep learning curve, so any help provided is greatly appreciated.

Recommended answer

  1. No, you cannot.

That is the possible workaround.

Another option: add multiple Authorities into the API. I did this with AAD and AAD B2C as an example:

https://github.com/azure-ad-b2c/apps/tree/master/apps/spa-hellojs-popup/source-code/.Net-Core-API-RBAC
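The "multiple authorities" workaround from the answer, written out for the two policies named in the question, as an added example (this is not code from the linked sample project). One JWT bearer handler is registered per B2C policy, each pointing at that policy's own metadata endpoint so it downloads the right signing keys, and a policy scheme routes each request to the handler matching the policy the token was issued under. Assumptions: the tenant host `{mytenant}` and the API client id are placeholders, the policy names `B2C_1_SI` and `B2C_1A_signup_invitation` and the domain `investgradedev.onmicrosoft.com` come from the question, and the tokens carry the policy name in a `tfp` (or `acr`) claim, which depends on the policy's token settings.

```csharp
// Added example for an ASP.NET Core API (not the sample project's code).
// Packages: Microsoft.AspNetCore.Authentication.JwtBearer, System.IdentityModel.Tokens.Jwt.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class B2CMultiPolicyAuth
{
    // Placeholders / values taken from the question.
    const string TenantHost  = "{mytenant}.b2clogin.com";          // placeholder
    const string TenantName  = "investgradedev.onmicrosoft.com";    // from the question
    const string ApiClientId = "<api-application-client-id>";       // placeholder
    const string SignInPolicy = "B2C_1_SI";                          // built-in user flow
    const string SignUpPolicy = "B2C_1A_signup_invitation";          // custom policy
    const string Selector     = "B2C_PolicySelector";

    public static IServiceCollection AddB2CMultiPolicyAuth(this IServiceCollection services)
    {
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = Selector;
                options.DefaultChallengeScheme = Selector;
            })
            // One handler per policy: each fetches that policy's OpenID Connect metadata,
            // so the signing keys of the sign-up policy never have to match the sign-in flow's.
            .AddJwtBearer(SignInPolicy, o => ConfigureForPolicy(o, SignInPolicy))
            .AddJwtBearer(SignUpPolicy, o => ConfigureForPolicy(o, SignUpPolicy))
            // The selector only decides WHICH handler runs; it trusts nothing in the token.
            .AddPolicyScheme(Selector, "Azure AD B2C policy selector", o =>
            {
                o.ForwardDefaultSelector = ctx =>
                {
                    string authorization = ctx.Request.Headers["Authorization"];
                    if (string.IsNullOrEmpty(authorization) ||
                        !authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                        return SignInPolicy;

                    string rawToken = authorization.Substring("Bearer ".Length).Trim();
                    var handler = new JwtSecurityTokenHandler();
                    if (!handler.CanReadToken(rawToken))
                        return SignInPolicy;

                    // ReadJwtToken only parses; signature, issuer, audience and lifetime are
                    // verified afterwards by the handler this selector forwards to.
                    JwtSecurityToken jwt = handler.ReadJwtToken(rawToken);
                    string policy = jwt.Claims
                        .FirstOrDefault(c => c.Type == "tfp" || c.Type == "acr")?.Value;

                    return string.Equals(policy, SignUpPolicy, StringComparison.OrdinalIgnoreCase)
                        ? SignUpPolicy
                        : SignInPolicy; // unknown policy names fall through and fail validation
                };
            });

        return services;
    }

    static void ConfigureForPolicy(JwtBearerOptions o, string policy)
    {
        // Per-policy metadata: https://{host}/{tenant}/{policy}/v2.0/.well-known/openid-configuration
        o.Authority = $"https://{TenantHost}/{TenantName}/{policy}/v2.0";
        o.Audience  = ApiClientId;
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,          // issuer value is filled from the policy's metadata
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2)
        };
    }
}
```

Wire it up with `services.AddB2CMultiPolicyAuth();` and then `app.UseAuthentication(); app.UseAuthorization();` as usual. The point of keeping two fully validating handlers, rather than relaxing validation on one, is that a token from any policy other than the two registered ones still fails signature or issuer checks; the selector merely picks which key set is consulted.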

