回复地址与请求授权时提供的回复地址不匹配

编程问答 2022-11-13

问题描述

我对正在使用的.netcore3.1应用程序上发生的错误感到沮丧。 这是我的设置:

在Startup.cs 

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftWebApp(options =>
    {
        Configuration.Bind("AzureAd",options);
        options.Events ??= new OpenIdConnectEvents();
        options.Events.OnRedirectToIdentityProvider = async ctx =>
        {
            ctx.ProtocolMessage.RedirectUri = Configuration["AzureAd:RedirectUri"];
            await Task.CompletedTask;
        };
    })
    .AddMicrosoftWebAppCallsWebApi(Configuration,new[] { "user.read" })
    .AdddistributedTokenCaches();

在我的应用程序设置中

"AzureAd": {
    "Instance": "https://login.microsoftonline.com/","ClientId": "ClientId","TenantId": "TenantId","RedirectUri": "https://mywebsite.com/signin-oidc","ClientSecret": "ClientSecret"
  },

使用https://mywebsite.com/signin-oidc作为重定向URL正确配置了Azure应用注册。 我还添加了以下内容,以允许从代理转发标头:

services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    options.KNownNetworks.Clear();
    options.KNownProxies.Clear();
});

// then in the Configure method

app.UseForwardedHeaders();

但是我仍然遇到这个错误,这让我感到困惑。我想通过添加

ctx.ProtocolMessage.RedirectUri = Configuration["AzureAd:RedirectUri"];

我会克服这个问题,但似乎对这个错误没有影响。

An unhandled exception occurred","Properties":{"CorrelationId":"c3393560-6ebe-41ce-99fc-693c1a387474","Path":"/signin-oidc","Method":"POST","exceptionMessage":"An error was encountered while handling the remote login.","exception":"System.Exception: An error was encountered while handling the remote login.\n ---> MSAL.NetCore.4.16.1.0.MsalServiceException: \n\tErrorCode: invalid_client\nMicrosoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details.You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS500112: The reply address 'http://mywebsite.com/signin-oidc' does not match the reply address 'https://mywebsite.com/signin-oidc' provided when requesting Authorization

解决方法

可能是您的代理也正在终止HTTPS,所以您的应用程序获得的流量是HTTP?

,

根据您的错误消息:答复地址与请求授权时提供的答复地址不符。您必须确保在Azure门户中配置的redirect_uri与代码中配置的redirect_uri完全相同。

当您访问应用程序url时,您将被重定向到登录页面。解码授权请求URL,您将找到redirect_uri,复制redirect_uri的值并将其粘贴到Azure门户中,然后重试。

enter image description here

对于重定向URL,它应该以{{1​​}}开头,如果需要以http开头,则必须将其配置为https

.net-coreazure-active-directoryc#c#identityidentityopenid-connect