我正在尝试将Azure AD B2C ROPC Flow实现到iOS Swift 4应用程序中。我已经按照文档和本示例中的说明进行了操作。我已经替换了以下请求参数:
kIssuer: "https://login.microsoftonline.com/tfp/{Tenant Name}.onmicrosoft.com/{Signin Policy Name}/v2.0"
kIssuerROPC: "https://login.microsoftonline.com/tfp/{tenantName}.onmicrosoft.com/{Resource Owner Policy Name}/v2.0"
kClientId: "{Application ID}"
kRedirectUri: "https://login.microsoftonline.com/tfp/oauth2/nativeclient"
我的additionalParameters如下:
"[
username": "{test email account}",
"password": "{test password}",
"scope": "openid {kClientId} offline_access",
"response_type": "token id_token
]"
我将这样执行方法OIDTokenRequest:
OIDTokenRequest(
configuration: configuration!,
grantType: OIDGrantTypePassword,
authorizationCode: nil,
redirectURL: redirectURI!,
clientID: self.kClientID,
clientSecret: nil,
scope: additionalParameters["scope"],
refreshToken: nil,
codeVerifier: nil,
additionalParameters: additionalParameters
)
我打印出以下消息:
"Performing ROPC with request [%@] <OIDTokenRequest: 0x6000002a17a0, request: <URL:https://login.microsoftonline.com/te/{tenant}.onmicrosoft.com/b2c_1_ropc_auth/oauth2/token, HTTPBody: password=TESTPW&response_type=token%20id_token&scope=openid%KCLIENTID%20offline_access&scope=openid%20KCLIENTID%20offline_access&refresh_token=offline_access&grant_type=password&username=TESTEMAIL&redirect_uri=https://login.microsoftonline.com/tfp/oauth2/nativeclient&client_id=KCLIENTID>>
其中,我已经编码出了TESTEMAIL、TESTPW和KCLIENTID,如前两组参数中所述。
我得到这个错误:
Token request error: "unauthorized_client: AADB2C90248: Resource owner flow can only be used by applications created through the B2C admin portal.
我正在使用我在Azure AD B2C中注册的应用程序的kClientId,它在请求URL中显示了3个不同的时间。我尝试过各种参数组合,但这是我能做到的最远的。
我可能想到的唯一不正常工作的部分是,示例中的kRedirectUri是msalb35a3d9b://oauth/redirect,而本文档中的步骤4具体地说将CCD_ 7的值改变为CCD_。
在我的AADB2C注册申请中,我有2个RedirectURIS:
urn:ietf:wg:oauth:2.0:oobhttps://login.microsoftonline.com/tfp/oauth2/nativeclient
我在info.plist中添加了urn:ietf:wg,但没有任何作用。我仍然会犯同样的错误。
有人能帮我克服这一困难吗?
这是适用于我的配置。
let clientId = "{Application ID}"
let authorizationEndpoint = URL(string: "https://login.microsoftonline.com/{TenantName}.onmicrosoft.com/oauth2/v2.0/authorize?p={ROPC Policy Name}")
let tokenEndpoint = URL(string: "https://login.microsoftonline.com/{TenantName}.onmicrosoft.com/oauth2/v2.0/token?p={ROPC Policy Name}")
let redirectUri = URL(string: "urn:ietf:wg:oauth:2.0:oob")
let configuration = OIDServiceConfiguration(authorizationEndpoint: authorizationEndpoint!, tokenEndpoint: tokenEndpoint!)
let additionalParameters = [
"username": "{Username}",
"password": "{Password}",
"scope": "openid {Application ID} offline_access",
"response_type": "token id_token"
]
let tokenExchangeRequest = OIDTokenRequest(configuration: configuration, grantType: OIDGrantTypePassword, authorizationCode: nil, redirectURL: self.redirectUri!, clientID: self.clientId, clientSecret: nil, scope: nil, refreshToken: nil, codeVerifier: nil, additionalParameters: additionalParameters)
然后执行对令牌的请求。
OIDAuthorizationService.perform(tokenExchangeRequest, callback: { tokenResponse, error in
if tokenResponse == nil {
print("Token request error: %@", error?.localizedDescription as Any)
} else {
print("Received token response with accessToken: %@", tokenResponse?.accessToken as Any)
}
})
您需要确保您达到V2端点,否则您将看到错误。
尝试:
https://login.microsoftonline.com/te/{tenant}.onmicrosoft.com/b2c_1_ropc_auth/oauth2/V2.0/token