Azure B2C -自定义策略-连接标识提供程序时出错
Azure B2C -自定义策略-连接标识提供程序时出错
提问于 2019-11-29 19:18:09
按照https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom?tabs=applications上的步骤,我一直在尝试为Azure AD B2C添加一个自定义策略,以便与Autodesk Forge连接。
我为Facebook的ClaimsProvider修改了以下代码:
<ClaimsProvider>
<!-- The following Domain element allows this profile to be used if the request comes with domain_hint
query string parameter, e.g. domain_hint=facebook.com -->
<Domain>autodesk.com</Domain>
<DisplayName>AutodeskForge</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="FORGE-OAUTH">
<!-- The text in the following DisplayName element is shown to the user on the claims provider
selection screen. -->
<DisplayName>Forge</DisplayName>
<Protocol Name="OAuth2" />
<Metadata>
<Item Key="authorization_endpoint">https://developer.api.autodesk.com/authentication/v1/authorize</Item>
<Item Key="AccessTokenEndpoint">https://developer.api.autodesk.com/authentication/v1/gettoken</Item>
<Item Key="ClaimsEndpoint">https://developer.api.autodesk.com/userprofile/v1/users/@me</Item>
<Item Key="ProviderName">AutodeskForge</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="UsePolicyInRedirectUri">0</Item>
<!-- The Facebook required HTTP GET method, but the access token response is in JSON format from 3/27/2017 -->
<Item Key="AccessTokenResponseFormat">json</Item>
<Item Key="ClaimsEndpointFormat">json</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_ForgeSecret" />
</CryptographicKeys>
<InputClaims />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="userId" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="firstName" />
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="lastName" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="userName" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="emailId" />
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="autodesk.com" AlwaysUseDefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>并且还替换了从Facebook-OAUTH到FORGE_OAUTH的用户旅程中的声明提供者id。
运行时,它确实会正确重定向到Autodesk Forge authorize端点,但随后在尝试连接到identity provider时会失败,并返回以下错误:
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: 188d934d-f1f0-48c5-98c4-917b032b94d2
Timestamp: 2019-11-29 10:54:49Z
我对AAD B2C的使用经验不是很丰富,但似乎在某些时候我只是错过了一个步骤。
添加Application Insight时,trace日志会输出以下内容:
[
{
"Kind": "Headers",
"Content": {
"UserJourneyRecorderEndpoint": "urn:journeyrecorder:applicationinsights",
"CorrelationId": "99e13295-a206-449c-b011-a33422112b29",
"EventInstance": "Event:ClaimsExchange",
"TenantId": "alvarob2c.onmicrosoft.com",
"PolicyId": "B2C_1A_signup_signin"
}
},
{
"Kind": "Transition",
"Content": {
"EventName": "ClaimsExchange",
"StateName": "Initial"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.ClaimsExchangeMessageValidationHandler"
},
{
"Kind": "Transition",
"Content": {
"EventName": "ClaimsExchange",
"StateName": "Microsoft.Cpim.Protocols.PartnerProtocolException"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsPartnerErrorReachesMaximumRetriesHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"Statebag": {
"MACHSTATE": {
"c": "2019-11-29T11:07:31.6899756Z",
"k": "MACHSTATE",
"v": "Microsoft.Cpim.Protocols.PartnerProtocolException",
"p": true
},
"JC": {
"c": "2019-11-29T11:07:27.797697Z",
"k": "JC",
"v": "en-US",
"p": true
},
"ORCH_CS": {
"c": "2019-11-29T11:07:27.953952Z",
"k": "ORCH_CS",
"v": "2",
"p": true
},
"ORCH_IDX": {
"c": "2019-11-29T11:07:27.953952Z",
"k": "ORCH_IDX",
"v": "0",
"p": true
},
"RA": {
"c": "2019-11-29T11:07:27.953952Z",
"k": "RA",
"v": "0",
"p": true
},
"RPP": {
"c": "2019-11-29T11:07:27.797697Z",
"k": "RPP",
"v": "OAUTH2",
"p": true
},
"RPIPP": {
"c": "2019-11-29T11:07:27.797697Z",
"k": "RPIPP",
"v": "OAuth2ProtocolProvider",
"p": true
},
"OTID": {
"c": "2019-11-29T11:07:27.797697Z",
"k": "OTID",
"v": "alvarob2c.onmicrosoft.com",
"p": true
},
"IC": {
"c": "2019-11-29T11:07:27.9383272Z",
"k": "IC",
"v": "True",
"p": true
},
"MSG(283863a3-02dd-4c87-b4ae-2500a398fed4)": {
"c": "2019-11-29T11:07:27.9383272Z",
"k": "MSG(283863a3-02dd-4c87-b4ae-2500a398fed4)",
"v": "{\"TenantId\":\"alvarob2c.onmicrosoft.com\",\"PolicyId\":\"B2C_1A_signup_signin\",\"RedirectUri\":\"https://jwt.ms/\",\"AdditionalParameters\":{\"p\":\"B2C_1A_signup_signin\"},\"Nonce\":\"defaultNonce\",\"ClientId\":\"4b03fe96-24d9-40b5-b01d-c45b95422b31\",\"ResponseType\":\"id_token\",\"ResponseRedirector\":{\"URI\":\"https://jwt.ms\",\"D\":false,\"WF\":true,\"R\":false},\"Scope\":\"openid\",\"AppModelVersion\":1,\"ScopedProviders\":[]}",
"p": true,
"t": "OAuth2"
},
"IMESSAGE": {
"c": "2019-11-29T11:07:27.9383272Z",
"k": "IMESSAGE",
"v": "283863a3-02dd-4c87-b4ae-2500a398fed4",
"p": true
},
"TAGE": {
"c": "2019-11-29T11:07:31.5024363Z",
"k": "TAGE",
"v": "ForgeExchange",
"p": true
},
"SE": {
"c": "2019-11-29T11:07:27.953952Z",
"k": "SE",
"v": "Social",
"p": true
},
"CMESSAGE": {
"c": "2019-11-29T11:07:31.3461838Z",
"k": "CMESSAGE",
"v": "283863a3-02dd-4c87-b4ae-2500a398fed4",
"p": true
},
"ComplexItems": "_MachineEventQ, REPRM, TCTX, M_EXCP"
},
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsPartnerReauthenticateActionHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsPartnerClientInvalidActionHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.NoOpHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "True"
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.SSO.SSOSessionEndHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.SendErrorHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"RecorderRecord": {
"Values": [
{
"Key": "SendErrorTechnicalProfile",
"Value": "OAuth2ProtocolProvider"
},
{
"Key": "Exception",
"Value": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "We encountered an error connecting to the identity provider. Please try again later.",
"Data": {
"IsPolicySpecificError": false
}
}
}
]
},
"Statebag": {
"SE": {
"c": "2019-11-29T11:07:31.6899756Z",
"k": "SE",
"v": "",
"p": true
}
}
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.TransactionEndHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true
}
}
]回答 2
Stack Overflow用户
发布于 2020-06-29 21:17:25
我也收到了这个错误,因为我传递给身份提供者的客户端ID没有被授权给我发送给它的重定向URI。我复制了一个自定义策略,并保留了原始策略的客户端ID,在IDP中,该策略被授权仅重定向到原始策略。
Stack Overflow用户
发布于 2021-05-27 05:19:45
我用不同的IDP有相同的错误/症状,但我的根本原因是不同的。在我的例子中,我的B2C策略是使用GET而不是POST发送令牌请求,而IDP服务器只支持POST。为了纠正这一点,我必须在我的OAuth2技术概要的元数据部分设置以下内容。
<Item Key="HttpBinding">POST</Item>页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/59103799
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号