Azure B2C Apimanagement多租户jwt验证

编程问答 2022-08-14

问题描述

在天蓝色的B2C中是否有一个/ common端点可以用来验证由多个Azure B2C租户发出的令牌,就像在正常的天蓝色的AD中一样:(https://login.microsoftonline.com/common/.well-known/openid-configuration)?

正常azure AD的jwt令牌验证示例:

<validate-jwt header-name="authorization" failed-validation-httpcode="401" failed-validation-error-message="GWT FAIL" output-token-variable-name="jwt">
            <openid-config url="https://login.microsoftonline.com/common/.well-known/openid-configuration" />
        </validate-jwt>

致谢

解决方法

不,没有。每个租户都是他们自己的身份提供者,没有常规AAD中的“多路复用器”。

,

在B2C中,如果您配置技术资料以从天蓝色广告中返回access_token,则可以使用iss中存在的颁发者声明access_token来查找颁发者并将其用于jwt验证。 sample展示了如何返回访问令牌。

例如,下面的技术资料会返回一个access_token <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />,其声明iss的值为"https://sts.windows.net/12340-123120-112112323/" ,可用于验证令牌。

<TechnicalProfiles>
        <TechnicalProfile Id="AzureADProfile_issueAADtoken">
          <DisplayName>AzureAD User</DisplayName>
          <Description>AzureAD Account</Description>
          <Protocol Name="OAuth2" />
          <OutputTokenFormat>JWT</OutputTokenFormat>
          <Metadata>
            <Item Key="AccessTokenEndpoint">https://login.microsoftonline.com/common/oauth2/v2.0/token</Item>
            <Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</Item>
            <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
          
            <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
            <Item Key="HttpBinding">POST</Item>
            <Item Key="response_types">code</Item>
            <Item Key="scope">openid</Item>
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>

          </Metadata>
          <CryptographicKeys>

            <Key Id="client_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
          </CryptographicKeys>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName" />
            
            <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
            <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname" />
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="userPrincipalName" />
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
            <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
          </OutputClaims>

            <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
          </OutputClaimsTransformations>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
        </TechnicalProfile>
      </TechnicalProfiles>
azure-ad-b2cazure-api-management

相关问答

matplotlib报错:AttributeError: module 'backend_interagg' has no attribute 'FigureCanvas'. Did you mean: 'FigureCanvasAgg'?
使用本地python环境可以成功执行 import pandas as pd impor...
gitlab登录失败,报错:This challenge page was accidentally cached by an intermediary and is no longer available.
设置时间 控制面板
后端开发常见错误
错误1:Request method ‘DELETE‘ not supported 错误还原:...
docker常见错误
错误1:启动docker镜像时报错:Error response from daemon:...
idea常见错误
错误1:private field ‘xxx‘ is never assigned 按Alt...
pip安装依赖失败
报错如下,通过源不能下载,最后警告pip需升级版本 Requirem...