Difference between Azure AD and Azure AD B2C tokens


Problem description

I have been working on the Azure AD authorization code flow all these days and suddenly started moving everything to Azure AD B2C, and I came across a lot of differences between Azure AD and Azure AD B2C. Can someone answer my questions below?

  1. In Azure AD, when we register a Native App, it allows http or https as redirect URLs. Azure AD B2C doesn't support this (since both follow the OAuth specs, both should behave similarly).

  2. Azure AD JWT access tokens have an x5c entry, whereas B2C tokens don't have this entry. Is there any particular reason for this? I tried copying the public keys from Azure AD and tried to upload the same signing keys to B2C, but this didn't work. I'm not sure what I was missing, but my question is why these access tokens differ in their signature.

Recommended answer

For the first issue, I suggest that you raise feedback here if you require this feature.

As for the second issue, verifying tokens from Azure AD B2C is the same as for normal Azure AD. We can generate the public key using the exponent (e) and modulus (n). But the keys endpoint is different; we need to use a link like the one below to retrieve the keys for Azure AD B2C:

https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys?p={signInPolicy}

Here is the code to verify a token issued by Azure AD B2C, for your reference:

using System;
using System.Security.Cryptography;
using System.Text;

static void Main(string[] args)
{
    // Fill in a token issued by your B2C policy and the "n" value of the key
    // (matched by "kid") from the discovery/v2.0/keys?p={signInPolicy} endpoint.
    var idtoken = "";

    var exponent = "AQAB"; // base64url of 65537, the exponent B2C publishes as "e"
    var modulus = "";      // base64url "n" from the JWKS, copied as published
    var result = VerifyTokenDetails(idtoken, exponent, modulus);
}

private static bool VerifyTokenDetails(string idToken, string exponent, string modulus)
{
    try
    {
        // A JWT is header.payload.signature, each part base64url-encoded
        var parts = idToken.Split('.');
        if (parts.Length != 3)
            return false;
        var header = parts[0];
        var payload = parts[1];
        string signedSignature = parts[2];
        // Extract user info (the claims) from the payload; not needed for the check itself
        string userInfo = Encoding.UTF8.GetString(Base64UrlDecode(payload));
        // The signed input is the header and payload joined by '.'
        string originalMessage = string.Concat(header, ".", payload);
        // The JWKS publishes n as base64url; RSAKeyValue XML wants standard base64
        byte[] keyBytes = Base64UrlDecode(modulus);
        string keyBase = Convert.ToBase64String(keyBytes);
        string key = @"<RSAKeyValue> <Modulus>" + keyBase + "</Modulus> <Exponent>" + exponent + "</Exponent> </RSAKeyValue>";
        return VerifyData(originalMessage, signedSignature, key);
    }
    catch (Exception)
    {
        // Malformed token or key material counts as a failed verification
        return false;
    }
}

/// <summary>
/// Verifies an RS256 JWT signature over the signing input with an RSA public key.
/// </summary>
/// <param name="originalMessage">The signing input, i.e. "header.payload" as a string.</param>
/// <param name="signedMessage">The base64url-encoded signature (third JWT segment).</param>
/// <param name="publicKey">Public key as an RSAKeyValue XML string.</param>
/// <returns>True if the signature is valid, otherwise false.</returns>
private static bool VerifyData(string originalMessage, string signedMessage, string publicKey)
{
    bool success = false;
    using (var rsa = new RSACryptoServiceProvider())
    {
        var encoder = new UTF8Encoding();
        byte[] bytesToVerify = encoder.GetBytes(originalMessage);
        byte[] signedBytes = Base64UrlDecode(signedMessage);
        try
        {
            rsa.FromXmlString(publicKey);
            // VerifyData hashes bytesToVerify with SHA-256 itself and checks the
            // PKCS#1 v1.5 signature against it (this is what RS256 means)
            success = rsa.VerifyData(bytesToVerify, CryptoConfig.MapNameToOID("SHA256"), signedBytes);
        }
        catch (CryptographicException)
        {
            success = false;
        }
        finally
        {
            rsa.PersistKeyInCsp = false;
        }
    }
    return success;
}

private static byte[] Base64UrlDecode(string input)
{
    var output = input;
    output = output.Replace('-', '+'); // 62nd char of encoding
    output = output.Replace('_', '/'); // 63rd char of encoding
    switch (output.Length % 4) // Pad with trailing '='s
    {
        case 0: break; // No pad chars in this case
        case 2: output += "=="; break; // Two pad chars
        case 3: output += "="; break; // One pad char
        default: throw new System.Exception("Illegal base64url string!");
    }
    var converted = Convert.FromBase64String(output); // Standard base64 decoder
    return converted;
}
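
The same check in Python, as an added example that is not the answer's code: it assumes a JWKS document of the shape the `discovery/v2.0/keys?p={signInPolicy}` endpoint returns (a constructed one is used in the tests), picks the key by `kid`, rebuilds the RSA public key from `n` and `e` alone (no `x5c` needed), and checks the RS256 signature with RSASSA-PKCS1-v1_5 implemented on top of the standard library. `sign_rs256` is a test-only helper for constructing a token; real tokens come from B2C.

```python
import base64, hashlib, hmac, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(data: str) -> bytes:
    # JWT and JWK use unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    # EMSA-PKCS1-v1_5 encoding of SHA-256(message), as RS256 requires.
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def sign_rs256(header: dict, claims: dict, n: int, d: int) -> str:
    # Test-only signer (needs the private exponent d); real tokens come from B2C.
    body = ".".join(b64url_encode(json.dumps(x).encode()) for x in (header, claims))
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(body.encode("ascii"), k), "big")
    return body + "." + b64url_encode(pow(m, d, n).to_bytes(k, "big"))

def verify_rs256(token: str, jwks: dict) -> dict:
    # Verify with nothing but the (kid, n, e) triple from the JWKS document.
    # Returns the claims; exp/iss/aud checks are still the caller's job.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # refuse "none" and HMAC downgrades
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        raise ValueError("no RSA key with kid %r" % header.get("kid"))
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(sig_b64)
    if len(sig) != k:
        raise ValueError("bad signature length")
    # RSAVP1 followed by a constant-time compare of the full encoded message.
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    expected = emsa_pkcs1_v15(f"{header_b64}.{payload_b64}".encode("ascii"), k)
    if not hmac.compare_digest(em, expected):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))
```

After the signature passes, still validate `exp`, `iss` (which embeds the policy for B2C) and `aud` before trusting the claims.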
