Is using the Owin.Security.ActiveDirectory library with AAD B2C the correct approach?



We have two applications in the same AAD B2C tenant, created through the "New" and the "Old" portal respectively.

Authentication with the "Old" application's credentials works correctly. With the "New" application's credentials an error occurs:

IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 1, Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause ('

Is using the Microsoft.Owin.Security.ActiveDirectory library (to protect an ASP.NET Web API) the correct approach with an application registered in the AAD B2C tenant?

P.S. My question is based on this article.

You should create applications for Azure AD B2C only through the Azure AD B2C blade in the new Azure portal (portal.azure.com).

Do not use the classic Azure portal (manage.windowsazure.com) to create applications for Azure AD B2C.

If you want to protect a web app, you should use OWIN's OpenIdConnectAuthentication. The documentation has more details on how to do this: Register and sign in with an ASP.NET web app

If you want to protect a Web API, you should use OWIN's OAuthBearerAuthentication. The documentation has more details on how to do this: Build a .NET Web API


Example configuration for the web app:

public void ConfigureAuth(IAppBuilder app)
{
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // Generate the metadata address using the tenant and policy information
            MetadataAddress = String.Format(AadInstance, Tenant, DefaultPolicy),
            // These are standard OpenID Connect parameters, with values pulled from web.config
            ClientId = ClientId,
            RedirectUri = RedirectUri,
            PostLogoutRedirectUri = RedirectUri,
            // Specify the callbacks for each type of notifications
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = OnRedirectToIdentityProvider,
                AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                AuthenticationFailed = OnAuthenticationFailed,
            },
            // Specify the claims to validate
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name"
            },
            // Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
            Scope = $"{OpenIdConnectScopes.OpenId} {YourScope1} {YourScope2}"
        }
    );
}

Example configuration for the Web API:

public void ConfigureAuth(IAppBuilder app)
{
    TokenValidationParameters tvps = new TokenValidationParameters
    {
        // Accept only those tokens where the audience of the token is equal to the client ID of this app
        ValidAudience = ClientId,
        AuthenticationType = Startup.DefaultPolicy
    };
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
    {
        // This SecurityTokenProvider fetches the Azure AD B2C metadata & signing keys from the OpenIDConnect metadata endpoint
        AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(String.Format(AadInstance, Tenant, DefaultPolicy)))
    });
}
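The IDX10500 error quoted in the question means that the `kid` named in the token header matched none of the signing keys the middleware had loaded, which is exactly what happens when the Web API validates a B2C policy-issued token against a key set fetched from somewhere other than that policy's metadata. The following stand-alone diagnostic, written as an added example and not part of the question, the answer or any Microsoft sample, performs that same lookup offline: it decodes the header of a compact JWT, reads its `kid`, and checks it against the `keys` array of a JWKS document such as the one served at the policy metadata's `jwks_uri`. The `AadInstance` format string is an assumption modelled on the answer's `String.Format(AadInstance, Tenant, DefaultPolicy)`; the token header and key set are constructed for illustration and contain no real key material.

```csharp
// Added example (not from the original page): does the `kid` in a token
// header resolve against a given JWKS? Target: .NET 6+ console app.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class B2CKeyCheck
{
    // Assumed policy-specific metadata address format, matching the answer's
    // String.Format(AadInstance, Tenant, DefaultPolicy) usage.
    public const string AadInstance =
        "https://login.microsoftonline.com/{0}/v2.0/.well-known/openid-configuration?p={1}";

    public static string MetadataAddress(string tenant, string policy) =>
        string.Format(AadInstance, tenant, policy);

    // Base64url (RFC 7515 section 2): restore padding, swap the URL-safe alphabet.
    public static byte[] Base64UrlDecode(string s)
    {
        string padded = s.Replace('-', '+').Replace('_', '/');
        switch (padded.Length % 4)
        {
            case 2: padded += "=="; break;
            case 3: padded += "="; break;
        }
        return Convert.FromBase64String(padded);
    }

    public static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Read "kid" from the header segment of a compact JWT. Nothing is validated here;
    // this only tells you which key the issuer claims to have used.
    public static string KidFromJwt(string jwt)
    {
        string header = jwt.Split('.')[0];
        using (JsonDocument doc = JsonDocument.Parse(Base64UrlDecode(header)))
        {
            return doc.RootElement.TryGetProperty("kid", out JsonElement kid)
                ? kid.GetString()
                : null;
        }
    }

    // Collect the key ids from a JWKS document: {"keys":[{"kid":"..."}, ...]}.
    public static List<string> KidsFromJwks(string jwksJson)
    {
        using (JsonDocument doc = JsonDocument.Parse(jwksJson))
        {
            return doc.RootElement.GetProperty("keys").EnumerateArray()
                .Select(k => k.GetProperty("kid").GetString())
                .ToList();
        }
    }

    // True when the key the token names is present in the key set the API loaded.
    // A false result is the situation JwtFormat reports as IDX10500.
    public static bool KidResolves(string jwt, string jwksJson) =>
        KidsFromJwks(jwksJson).Contains(KidFromJwt(jwt));

    public static void Main()
    {
        // Constructed sample token: header names key "b2c-policy-key-1"; payload and
        // signature segments are placeholders, since only the header is inspected.
        string headerJson = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"b2c-policy-key-1\"}";
        string jwt = Base64UrlEncode(Encoding.UTF8.GetBytes(headerJson)) + ".e30.sig";

        // Constructed key sets: what the policy endpoint publishes vs. a set that
        // does not contain the policy's key (the mismatch behind IDX10500).
        string policyJwks = "{\"keys\":[{\"kty\":\"RSA\",\"use\":\"sig\",\"kid\":\"b2c-policy-key-1\"}]}";
        string otherJwks  = "{\"keys\":[{\"kty\":\"RSA\",\"use\":\"sig\",\"kid\":\"some-other-key\"}]}";

        Console.WriteLine("Policy metadata: " + MetadataAddress("contoso.onmicrosoft.com", "B2C_1_SignUpIn"));
        Console.WriteLine("Token kid: " + KidFromJwt(jwt));
        Console.WriteLine("Resolves against policy keys: " + KidResolves(jwt, policyJwks)); // True
        Console.WriteLine("Resolves against other keys:  " + KidResolves(jwt, otherJwks));  // False
    }
}
```

In practice, take the `jwks_uri` from the JSON at `MetadataAddress(tenant, policy)` for the policy that issued the token, download that key set, and compare it with the `kid` in the rejected token; if the two agree but the middleware still fails, the API is loading keys from a different metadata address than the one the token was issued under.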
