我们已经在Azure B2C中配置了OpenID Connect提供程序,支持'使用PKCE的授权代码流'(不支持隐式流)
这是一个单页angular应用,当用户在登录时选择用户存储时,授权请求会抛出一个错误:invalid_request,错误描述:缺少参数:code_challenge_method
没有通过code_challenge &请求中的code_challenge_method -我错过了什么吗?
另外,OpenId连接提供程序在自定义策略中配置如下,
`<ClaimsProvider>
<DisplayName>User Login</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="OIDC-User">
<DisplayName>User Login</DisplayName>
<Description>Login with your user account</Description>
<Protocol Name="OpenIdConnect" />
<Metadata>
<Item Key="METADATA">https://idp/.well-known/openid-configuration</Item>
<Item Key="client_id">clientid</Item>
<Item Key="response_types">code</Item>
<Item Key="scope">openid email</Item>
<Item Key="response_mode">form_post</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_AppSecret" />
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
<OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
</OutputClaims>
<OutputClaimsTransformations>
<!-- <OutputClaimsTransformation ReferenceId="UserIdentityClaims"/> -->
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>`
如果我只使用IDP而不经过B2C,它工作得很好!
好的,B2C不支持外部IDP的PKCE。作为B2C的原因将被视为OAuth/OIDC的"机密客户"。
授权代码流与客户端秘密工作正常!