Asp.net core OpenIdConnectProtocolException:消息包含错误:';无效的_请求';,错误描述:';AADB2C90079:
我正在我的ASP.NET核心web应用程序中使用Azure AD B2C身份验证。我还希望在成功验证用户后获得通知,以便添加自定义角色,并尝试注册AuthorizationCodeReceived回调。但一旦我这么做了,我就会得到以下异常 OpenIdConnectProtocolException:消息包含错误:“无效请求”,错误描述:“AADB2C90079:在兑换机密授权时,客户端必须发送客户端密钥。” Setup.cs中有效的原始代码是Asp.net core OpenIdConnectProtocolException:消息包含错误:';无效的_请求';,错误描述:';AADB2C90079:,asp.net-core,azure-ad-b2c,Asp.net Core,Azure Ad B2c,我正在我的ASP.NET核心web应用程序中使用Azure AD B2C身份验证。我还希望在成功验证用户后获得通知,以便添加自定义角色,并尝试注册AuthorizationCodeReceived回调。但一旦我这么做了,我就会得到以下异常 OpenIdConnectProtocolException:消息包含错误:“无效请求”,错误描述:“AADB2C90079:在兑换机密授权时,客户端必须发送客户端密钥。” Setup.cs中有效的原始代码是 public void Configure
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
.AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));
services.AddControllersWithViews();
services.AddRazorPages();
}
但当我在ConfigureServices()函数中添加以下代码时
services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
{
options.ResponseType = OpenIdConnectResponseType.Code;
options.Events = new OpenIdConnectEvents
{
OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
};
});
public async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
}
services.Configure(AzureADB2CDefaults.OpenIdScheme,选项=>
{
options.ResponseType=OpenIdConnectResponseType.Code;
options.Events=新的OpenIdConnectEvents
{
OnAuthorizationCodeReceived=OnAuthorizationCodeReceived,
};
});
AuthorizationCodeReceived上的公共异步任务(AuthorizationCodeReceivedContext上下文)
{
}
当我单击Signin按钮时,它开始生成上述异常。看起来我能够进行身份验证,并且我还收到了OnAuthorizationCodeReceived回调。但一旦控件从OnAuthorizationCodeReceived返回,以下堆栈将发生异常
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ReceiveAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandlerEmoteAuthenticationAsync()
请告诉我这里出了什么问题?您正在使用OAuth 2.0授权代码流,因为您正在OIDC配置中将
code
设置为ResponseType
:
options.ResponseType = OpenIdConnectResponseType.Code;
如果您的应用程序是web应用程序或web API,请检查,当请求ancess令牌时,代码流需要客户端\u机密
如果您想在登录后添加自定义角色,OnTokenValidated
事件为您提供了修改从传入令牌获得的ClaimsEntity的机会,下面的代码供您参考:
options.Events = new OpenIdConnectEvents
{
OnTokenValidated = ctx =>
{
//query the database to get the role
// add claims
var claims = new List<Claim>
{
new Claim(ClaimTypes.Role, "Admin")
};
var appIdentity = new ClaimsIdentity(claims);
ctx.Principal.AddIdentity(appIdentity);
return Task.CompletedTask;
},
};
options.Events=新建OpenIdConnectEvents
{
OnTokenValidated=ctx=>
{
//查询数据库以获取角色
//添加索赔
var索赔=新列表
{
新索赔(ClaimTypes.Role,“Admin”)
};
var appIdentity=新的索赔实体(索赔);
ctx.委托人.额外性(appIdentity);
返回Task.CompletedTask;
},
};
但如果您想查询Microsoft Graph,请使用OnAuthorizationCodeReceived事件并使用MSAL获取Microsoft Graph的访问令牌。感谢Nan Yu的回复 最后,我可以通过使用以下代码来解决这个问题
services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
{
options.Events = new OpenIdConnectEvents
{
OnTokenValidated = OnTokenValidated
};
});
services.Configure(AzureADB2CDefaults.OpenIdScheme,选项=>
{
options.Events=新的OpenIdConnectEvents
{
OnTokenValidated=OnTokenValidated
};
});
所以初始化options.ResponseType真的没有必要,而且对我来说很有效