问题描述
在天蓝色的B2C中是否有一个/ common端点可以用来验证由多个Azure B2C租户发出的令牌,就像在正常的天蓝色的AD中一样:(https://login.microsoftonline.com/common/.well-known/openid-configuration)?
正常azure AD的jwt令牌验证示例:
<validate-jwt header-name="authorization" failed-validation-httpcode="401" failed-validation-error-message="GWT FAIL" output-token-variable-name="jwt">
<openid-config url="https://login.microsoftonline.com/common/.well-known/openid-configuration" />
</validate-jwt>
致谢
解决方法
不,没有。每个租户都是他们自己的身份提供者,没有常规AAD中的“多路复用器”。
,在B2C中,如果您配置技术资料以从天蓝色广告中返回access_token,则可以使用iss
中存在的颁发者声明access_token
来查找颁发者并将其用于jwt验证。 sample展示了如何返回访问令牌。
例如,下面的技术资料会返回一个access_token <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
,其声明iss
的值为"https://sts.windows.net/12340-123120-112112323/"
,可用于验证令牌。
<TechnicalProfiles>
<TechnicalProfile Id="AzureADProfile_issueAADtoken">
<DisplayName>AzureAD User</DisplayName>
<Description>AzureAD Account</Description>
<Protocol Name="OAuth2" />
<OutputTokenFormat>JWT</OutputTokenFormat>
<Metadata>
<Item Key="AccessTokenEndpoint">https://login.microsoftonline.com/common/oauth2/v2.0/token</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="response_types">code</Item>
<Item Key="scope">openid</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
<OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
</OutputClaims>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
</TechnicalProfiles>