尝试使用OpenID和dotnetopenauth登录Azure，但得到“没有找到OpenID端点”。

Question

我已经搜索过类似的问题，并且复习了所有的问题，但是我没有找到一个能帮助我解决问题的问题。

我试图在Azure AD的遗留webforms应用程序中添加身份验证。另一位开发人员已经添加了OpenID支持，所以我认为让它工作的最简单的方法是在AzureAD中使用OpenID端点，在我们的应用程序中使用现有的代码。然而，我一直未能使它发挥作用。

我不知道问题是否存在于我正在使用的端点URL中，我们用来尝试连接的代码，如何配置AzureAD应用程序，或者对我试图做什么的根本误解。

这应该是一个多租户应用程序，意思是，如果我理解这一点，用户可以登录帐户在我们的Azure广告或其他Azure广告，然后我们的应用程序可以选择授予不授予访问权。但是，我甚至无法让它承认我的目标是一个有效的OpenID端点，更不用说我们自己的Azure的用户登录了。

OpenID代码是使用http://dotnetopenauth.net/编写的，当我们调用CreateRequest()时会发生错误

Using OpenID As New OpenIdRelyingParty
Dim LoginEndpoint = "<azure ad endpoint goes here>"
Dim Request As IAuthenticationRequest = OpenID.CreateRequest(LoginEndpoint)
End Using

对于LoginEndpoint，我已经尝试了我能想到的每一个组合。

作为基线，我用Yahoo first进行了测试，这是可行的。我使用端点https://me.yahoo.com

然后，在MS之后，我找到了https://login.microsoftonline.com/MyEXAMPLE.com/v2.0/.well-known/openid-configuration或https://login.microsoftonline.com/MyEXAMPL-GUID-0000-0000-000000000000/v2.0/.well-known/openid-configuration

在返回的JSON中，我选择了authorization_endpoint，它看起来像https://login.microsoftonline.com/ANOTHER0-GUID-0000-0000-000000000000/oauth2/v2.0/authorize

authorization_endpoint是我在上面的代码示例中尝试作为LoginEndpoint传入的。

当这不起作用时，我试着在浏览器中查看雅虎页面和Azure AD authorization_endpoint，而Azure AD one报告了一些缺失的字段，而Yahoo报告了404，所以我猜这些内容不打算直接在浏览器中访问。

但是，为了充分利用所有的可能性，我尝试在查询字符串上传递Azure AD one它想要的值。所以我最终得到了类似于id=CLIENTID-GUID-0000-0000-000000000000&scope=openid的东西

我通过进入Azure并找到我注册的应用程序获得了client_id，我得到了标记为Application的值。我认为我这样做是因为我有另一个工作的应用程序(asp.net核心而不是asp.net框架webforms)，我们使用应用程序ID作为客户机ID，它工作起来了，但是让我知道我是否应该从其他地方获得客户机ID。

无论如何，当我这样做并将其插入浏览器时，它显示了MS登录页面，没有任何错误，但是当我尝试使用代码中的URL作为LoginEndpoint时，它仍然不起作用。

我试着查看Fiddler中的网络流量，这是web服务器在登录Yahoo vs Azure AD时发送和接收的，虽然我发现了一些有趣的东西，但没有找到任何帮助我解决问题的东西。基本上，我想我理解为什么dotnetopenauth.net不喜欢我给它的url，但这并没有帮助我修复它。这不是我的专业领域，但我没有看到dotnetopenauth.net在返回的Headers中“发现”的东西，所以它认为它不是OpenID端点。

接下来，我打开日志，再次尝试使用我的端点url的两个版本，但它并没有显示出任何有用的东西，但可能会对阅读这篇文章的人有所帮助。

2019-01-02 23:26:30,450 (GMT-5) [11] INFO  DotNetOpenAuth - DotNetOpenAuth.Core, Version=4.3.4.13329, Culture=neutral, PublicKeyToken=2780ccd10d57b246 (official)
2019-01-02 23:26:30,450 (GMT-5) [11] INFO  DotNetOpenAuth - DotNetOpenAuth.Core, Version=4.3.4.13329, Culture=neutral, PublicKeyToken=2780ccd10d57b246 (official)
2019-01-02 23:26:30,517 (GMT-5) [11] INFO  DotNetOpenAuth - Reporting will use isolated storage with scope: User, Domain, Assembly
2019-01-02 23:26:30,517 (GMT-5) [11] INFO  DotNetOpenAuth - Reporting will use isolated storage with scope: User, Domain, Assembly
2019-01-02 23:26:34,738 (GMT-5) [11] INFO  DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://localhost:49221/Initial/Login.aspx?ReturnUrl=%2fDashboard.aspx
2019-01-02 23:26:34,738 (GMT-5) [11] INFO  DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://localhost:49221/Initial/Login.aspx?ReturnUrl=%2fDashboard.aspx
2019-01-02 23:26:34,741 (GMT-5) [11] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming HTTP request: GET http://localhost:49221/Initial/Login.aspx?ReturnUrl=%2fDashboard.aspx
2019-01-02 23:26:34,741 (GMT-5) [11] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming HTTP request: GET http://localhost:49221/Initial/Login.aspx?ReturnUrl=%2fDashboard.aspx
2019-01-02 23:26:57,115 (GMT-5) [8] INFO  DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://localhost:49221/Initial/Login.aspx?ReturnUrl=%2f
2019-01-02 23:26:57,115 (GMT-5) [8] INFO  DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://localhost:49221/Initial/Login.aspx?ReturnUrl=%2f
2019-01-02 23:26:57,116 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming HTTP request: GET http://localhost:49221/Initial/Login.aspx?ReturnUrl=%2f
2019-01-02 23:26:57,116 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming HTTP request: GET http://localhost:49221/Initial/Login.aspx?ReturnUrl=%2f
2019-01-02 23:33:39,365 (GMT-5) [10] DEBUG DotNetOpenAuth.OpenId - .NET Uri class path compression overridden.
2019-01-02 23:33:39,365 (GMT-5) [10] DEBUG DotNetOpenAuth.OpenId - .NET Uri class path compression overridden.
2019-01-02 23:33:39,433 (GMT-5) [10] DEBUG DotNetOpenAuth.Http - HTTP GET https://login.microsoftonline.com/ANOTHER0-GUID-0000-0000-000000000000/oauth2/v2.0/authorize?client_id=CLIENTID-GUID-0000-0000-000000000000&scope=openid
2019-01-02 23:33:39,433 (GMT-5) [10] DEBUG DotNetOpenAuth.Http - HTTP GET https://login.microsoftonline.com/ANOTHER0-GUID-0000-0000-000000000000/oauth2/v2.0/authorize?client_id=CLIENTID-GUID-0000-0000-000000000000&scope=openid
2019-01-02 23:33:39,855 (GMT-5) [10] DEBUG DotNetOpenAuth.Yadis - HTML discovery failed to find any endpoints.
2019-01-02 23:33:39,855 (GMT-5) [10] DEBUG DotNetOpenAuth.Yadis - HTML discovery failed to find any endpoints.
2019-01-02 23:33:39,865 (GMT-5) [10] INFO  DotNetOpenAuth.Yadis - Performing discovery on user-supplied identifier: https://login.microsoftonline.com/ANOTHER0-GUID-0000-0000-000000000000/oauth2/v2.0/authorize?client_id=CLIENTID-GUID-0000-0000-000000000000&scope=openid
2019-01-02 23:33:39,865 (GMT-5) [10] INFO  DotNetOpenAuth.Yadis - Performing discovery on user-supplied identifier: https://login.microsoftonline.com/ANOTHER0-GUID-0000-0000-000000000000/oauth2/v2.0/authorize?client_id=CLIENTID-GUID-0000-0000-000000000000&scope=openid
2019-01-02 23:33:39,869 (GMT-5) [10] DEBUG DotNetOpenAuth.Yadis - Filtering and sorting of endpoints did not affect the list.
2019-01-02 23:33:39,869 (GMT-5) [10] DEBUG DotNetOpenAuth.Yadis - Filtering and sorting of endpoints did not affect the list.
2019-01-02 23:51:30,214 (GMT-5) [17] DEBUG DotNetOpenAuth.Http - HTTP GET https://login.microsoftonline.com/ANOTHER0-GUID-0000-0000-000000000000/oauth2/v2.0/authorize
2019-01-02 23:51:30,214 (GMT-5) [17] DEBUG DotNetOpenAuth.Http - HTTP GET https://login.microsoftonline.com/ANOTHER0-GUID-0000-0000-000000000000/oauth2/v2.0/authorize
2019-01-02 23:51:30,492 (GMT-5) [17] DEBUG DotNetOpenAuth.Yadis - HTML discovery failed to find any endpoints.
2019-01-02 23:51:30,492 (GMT-5) [17] DEBUG DotNetOpenAuth.Yadis - HTML discovery failed to find any endpoints.
2019-01-02 23:51:30,493 (GMT-5) [17] INFO  DotNetOpenAuth.Yadis - Performing discovery on user-supplied identifier: https://login.microsoftonline.com/ANOTHER0-GUID-0000-0000-000000000000/oauth2/v2.0/authorize
2019-01-02 23:51:30,493 (GMT-5) [17] INFO  DotNetOpenAuth.Yadis - Performing discovery on user-supplied identifier: https://login.microsoftonline.com/ANOTHER0-GUID-0000-0000-000000000000/oauth2/v2.0/authorize
2019-01-02 23:51:30,495 (GMT-5) [17] DEBUG DotNetOpenAuth.Yadis - Filtering and sorting of endpoints did not affect the list.
2019-01-02 23:51:30,495 (GMT-5) [17] DEBUG DotNetOpenAuth.Yadis - Filtering and sorting of endpoints did not affect the list.

请让我知道任何额外的信息，你需要，我会补充它。

编辑2019-01-03 5:04PM东方如果我添加ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3

我在我的应用程序中得到了同样的异常，但是日志现在显示了以下错误

2019-01-03 17:00:31,925 (GMT-5) [7] DEBUG DotNetOpenAuth.Http - HTTP GET https://login.microsoftonline.com/ANOTHER0-GUID-0000-0000-000000000000/oauth2/v2.0/authorize
2019-01-03 17:00:32,374 (GMT-5) [7] ERROR DotNetOpenAuth.Http - SendFailure connecting to https://login.microsoftonline.com/ANOTHER0-GUID-0000-0000-000000000000/oauth2/v2.0/authorize
2019-01-03 17:00:32,374 (GMT-5) [7] ERROR DotNetOpenAuth.Http - SendFailure connecting to https://login.microsoftonline.com/ANOTHER0-GUID-0000-0000-000000000000/oauth2/v2.0/authorize
2019-01-03 17:00:32,376 (GMT-5) [7] ERROR DotNetOpenAuth.Yadis - Error while performing discovery on: "https://login.microsoftonline.com/ANOTHER0-GUID-0000-0000-000000000000/oauth2/v2.0/authorize": DotNetOpenAuth.Messaging.ProtocolException: Error occurred while sending a direct message or getting the response. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   --- End of inner exception stack trace ---
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.TlsStream.CallProcessAuthentication(Object state)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at DotNetOpenAuth.Messaging.StandardWebRequestHandler.GetResponse(HttpWebRequest request, DirectWebRequestOptions options)
   --- End of inner exception stack trace ---
   at DotNetOpenAuth.Messaging.StandardWebRequestHandler.GetResponse(HttpWebRequest request, DirectWebRequestOptions options)
   at DotNetOpenAuth.Messaging.UntrustedWebRequestHandler.GetResponse(HttpWebRequest request, DirectWebRequestOptions options)
   at DotNetOpenAuth.Yadis.Yadis.Request(IDirectWebRequestHandler requestHandler, Uri uri, Boolean requireSsl, String[] acceptTypes)
   at DotNetOpenAuth.Yadis.Yadis.Discover(IDirectWebRequestHandler requestHandler, UriIdentifier uri, Boolean requireSsl)
   at DotNetOpenAuth.OpenId.UriDiscoveryService.Discover(Identifier identifier, IDirectWebRequestHandler requestHandler, Boolean& abortDiscoveryChain)
   at DotNetOpenAuth.OpenId.IdentifierDiscoveryServices.Discover(Identifier identifier)
   at DotNetOpenAuth.OpenId.RelyingParty.AuthenticationRequest.Create(Identifier userSuppliedIdentifier, OpenIdRelyingParty relyingParty, Realm realm, Uri returnToUrl, Boolean createNewAssociationsAsNeeded)

通过这一更改，代码如下所示：

Using OpenID As New OpenIdRelyingParty
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3
Dim LoginEndpoint = "<azure ad endpoint goes here>"
Dim Request As IAuthenticationRequest = OpenID.CreateRequest(LoginEndpoint)
End Using

Answer 1

我发这篇文章是为了回答我自己的问题，但我想提醒一下，我不是100%肯定我是对的，但我很确定。

我认为我的问题是DotNetOpenAuth.net (至少是我使用的部分)试图建立一个OpenID 2连接，在这里我试图连接到OpenID连接端点。

当我开始做这件事的时候，我没有意识到这些是不同的，而且吃了很多时间，直到我找到了一个解释。

在DotNetOpenAuth.net Git中，似乎有一个连接到AzureAD端点的示例，但在撰写本文时，它似乎使用了完全不同的代码和对象，这些代码和对象与我在代码中的内容以及在DotNetOpenAuth.net文档中可以找到的内容完全不同。也许我只是找不到，但我哪儿都没看到。

所以我决定，既然我必须使用不同的东西，我只会使用微软的OpenID连接和AzureAD代码。

Answer 2

在调用OpenIdRelyingParty.CreateRequest之前，请尝试将这一行添加到您的网站：

ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 ;

如果这有帮助，请告诉我们。我们最近发现，这解决了一些Azure配置的问题。