Azure B2C 从“预览”租户迁移到“生产”租户后登录显示成功，但没有传回 IPrincipal
伙计们，我暂时不贴代码，因为这看起来是 Azure B2C 的设置问题而不是编码问题。如果需要我会上传，但相关代码相当长。 问：是否有人成功地从 Azure B2C“预览”租户迁移到了“生产”租户？ 我们有一个运行正常的网站，使用的是 B2C“预览”租户；微软通知我们，由于 B2C 已正式发布（GA），需要创建一个“生产”租户。我们删除了“预览”租户，并用相同的名称创建了“生产”租户，但这样一来就失去了回退到可用“预览”租户的可能。新的“生产”租户在创建时没有生成我们在“预览”租户里拥有的 b2c-extensions-app，我们认为这是它无法正常工作的原因。因此我们用一个新名称创建了第二个“生产”租户，这次 b2c-extensions-app 被正常创建，然后我们把 Web 应用的设置改为指向这个新名称。现在注册时用户会在新的 B2C AD（目录）中创建，但当 Microsoft 重定向回我们的返回 URL（redirect URI）时，返回的 IPrincipal 没有任何声明（claims），user.Identity.IsAuthenticated 为 false。B2C 怎么可能创建了用户却返回 user.Identity.IsAuthenticated=false？ 标签：azure, adal, azure-ad-b2c
其他信息：id_token 确实出现在授权响应（authresp）中。看起来 MVC 没有验证/解析这个令牌并创建 IPrincipal 用户（id_token 是签名的而不是加密的，这里缺的是签名与声明的验证）。我们目前使用的是 System.IdentityModel.Tokens.Jwt 4.0.2.206221351 版。B2C AD 的正式生产版本是否只能配合 System.IdentityModel.Tokens.Jwt 5.0.0 使用？ 微软花了一个月才找到解决办法并让我们的网站恢复运行。一句话总结：以下是这次经历的收获 1) 在确认生产 B2C 租户与你的网站 100% 正常工作之前，不要删除预览 B2C 租户；2) 创建生产 B2C 租户时不要使用与预览租户相同的名称（这是微软已知的 bug——事后才知道，对吧？）；3) 不要给登录、注册、密码重置或配置文件编辑策略使用相同的名称（这一点至关重要：下面的代码把每个策略 ID 同时用作 OWIN 中间件的 AuthenticationType，重名会让多个中间件实例互相冲突）。
<add key="ida:AadInstance" value="https://login.microsoftonline.com/{0}/v2.0/.well-known/openid-configuration?p={1}"/>
b) App_Start/Startup.Auth.cs 中修改后的代码。注意：下面的 ProtocolValidator 设置了 RequireNonce = false，这会关闭 id_token 的 nonce 校验（nonce 用于把返回的 id_token 绑定到发起它的那次认证请求，是 OpenID Connect 防重放的手段）；生产环境中应尽量保留默认的 nonce 校验，除非确认 B2C 存在具体的不兼容问题。
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Notifications;
using Microsoft.IdentityModel.Protocols;
using System.Web.Mvc;
using System.Configuration;
using System.IdentityModel.Tokens;
using System.Threading;
using System.Globalization;
using Microsoft.Owin;
namespace WebSite
{
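public partial class Startup
{
    // The ACR claim ("acr") carries the name of the B2C policy that issued the token,
    // so a consumer can tell sign-up, sign-in, profile-edit and password-reset apart.
    public const string AcrClaimType = "http://schemas.microsoft.com/claims/authnclassreference";

    // App config settings, read once from <appSettings> in Web.config.
    // ida:AadInstance is a format string with two placeholders: {0} = tenant, {1} = policy.
    public static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    public static string aadInstance = ConfigurationManager.AppSettings["ida:AadInstance"];
    public static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
    public static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];

    // B2C policy identifiers. Each one doubles as the OWIN AuthenticationType of its
    // middleware instance (see CreateOptionsFromPolicy), so the four values must be distinct.
    public static string SignUpPolicyId = ConfigurationManager.AppSettings["ida:SignUpPolicyId"];
    public static string SignInPolicyId = ConfigurationManager.AppSettings["ida:SignInPolicyId"];
    public static string ProfilePolicyId = ConfigurationManager.AppSettings["ida:UserProfilePolicyId"];
    public static string ChangePasswordPolicyId = ConfigurationManager.AppSettings["ida:ChangePasswordPolicyId"];

    /// <summary>
    /// Registers cookie authentication as the sign-in scheme and one OpenID Connect
    /// middleware per B2C policy.
    /// </summary>
    /// <param name="app">The OWIN application builder.</param>
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // One OpenID Connect middleware per policy; a controller selects one by passing
        // the policy id as the authentication type of its OWIN challenge.
        app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignUpPolicyId));
        app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignInPolicyId));
        app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(ProfilePolicyId));
        app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(ChangePasswordPolicyId));
    }

    /// <summary>
    /// Handles a failed OpenID Connect response so the user is redirected instead of
    /// seeing the ASP.NET error page ("yellow screen of death").
    /// </summary>
    /// <param name="notification">The failure notification raised by the middleware.</param>
    /// <returns>A completed task; the response has already been redirected.</returns>
    private Task AuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        notification.HandleResponse();

        string message = notification.Exception.Message;

        // An "access_denied" error (typically the user backing out of the B2C flow) is
        // not an application fault: just send the user back to the site root.
        if (message == "access_denied")
        {
            notification.Response.Redirect("/");
        }
        else
        {
            // The message may echo text from the response posted back to the redirect URI,
            // i.e. attacker-reachable input. URL-encode it so it cannot break the query
            // string or smuggle extra parameters; /Home/Error must still HTML-encode it
            // when rendering. NOTE(review): consider logging the detail server-side and
            // showing users a generic message rather than the raw protocol error.
            notification.Response.Redirect("/Home/Error?message=" + Uri.EscapeDataString(message));
        }

        return Task.FromResult(0);
    }

    /// <summary>
    /// Builds the OpenID Connect options for a single B2C policy.
    /// </summary>
    /// <param name="policy">The B2C policy name; also used as the middleware's AuthenticationType.</param>
    /// <returns>Options pointing at the policy-specific metadata endpoint.</returns>
    private OpenIdConnectAuthenticationOptions CreateOptionsFromPolicy(string policy)
    {
        return new OpenIdConnectAuthenticationOptions
        {
            // Policy-specific discovery document (see ida:AadInstance); the middleware takes
            // the issuer and signing keys it validates id_tokens against from here.
            MetadataAddress = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant, policy),
            AuthenticationType = policy,
            ClientId = clientId,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = AuthenticationFailed
            },
            // Implicit flow: only an id_token is requested, no access token.
            Scope = "openid",
            ResponseType = "id_token",
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                // Keep the raw id_token in the identity's BootstrapContext (useful if it is
                // forwarded to a back-end API); this makes the auth cookie larger.
                SaveSigninToken = true
            },
            // NOTE(review): RequireNonce = false turns off the check that binds the returned
            // id_token to the authentication request that asked for it, which is the OIDC
            // defence against token replay/injection. Restore the default (true) in production
            // unless a concrete B2C incompatibility has been confirmed.
            ProtocolValidator = new OpenIdConnectProtocolValidator { RequireNonce = false }
        };
    }
}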
}
使用系统;
使用System.Collections.Generic;
使用System.Linq;
使用System.Web;
使用Owin;
使用Microsoft.Owin.Security;
使用Microsoft.Owin.Security.Cookies;
使用Microsoft.Owin.Security.OpenIdConnect;
使用System.Threading.Tasks;
使用Microsoft.Owin.Security.Notifications;
使用Microsoft.IdentityModel.Protocols;
使用System.Web.Mvc;
使用系统配置;
使用System.IdentityModel.Tokens;
使用系统线程;
利用制度全球化;
使用Microsoft.Owin;
名称空间网站
{
公共部分类启动
{
//ACR声明用于指示执行了哪个策略
public const字符串AcrClaimType=”http://schemas.microsoft.com/claims/authnclassreference";
//应用程序配置设置
公共静态字符串clientId=ConfigurationManager.AppSettings[“ida:clientId”];
公共静态字符串aadInstance=ConfigurationManager.AppSettings[“ida:aadInstance”];
公共静态字符串tenant=ConfigurationManager.AppSettings[“ida:tenant”];
公共静态字符串redirectUri=ConfigurationManager.AppSettings[“ida:redirectUri”];
//B2C策略标识符
公共静态字符串SignUpPolicyId=ConfigurationManager.AppSettings[“ida:SignUpPolicyId”];
公共静态字符串SignInPolicyId=ConfigurationManager.AppSettings[“ida:SignInPolicyId”];
公共静态字符串ProfilePolicyId=ConfigurationManager.AppSettings[“ida:UserProfilePolicyId”];
公共静态字符串ChangePasswordPolicyId=ConfigurationManager.AppSettings[“ida:ChangePasswordPolicyId”];
public void ConfigureAuth(IAppBuilder应用程序)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(新的CookieAuthenticationOptions());
//为每个策略配置OpenID连接中间件
app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignUpPolicyId));
app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignInPolicyId));
app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(ProfilePolicyId));
app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(ChangePasswordPolicyId));
}
//用于避免黄屏死亡
私有任务身份验证失败(身份验证失败通知)
{
notification.HandleResponse();
if(notification.Exception.Message==“访问被拒绝”)
{
通知.响应.重定向(“/”);
}
其他的
{
notification.Response.Redirect(“/Home/Error-message=“+notification.Exception.message”);
}
返回Task.FromResult(0);
}
私有OpenIdConnectAuthenticationOptions CreateOptionsFromPolicy(字符串策略)
{
返回新的OpenIdConnectAuthenticationOptions
{
MetadataAddress=String.Format(CultureInfo.InvariantCulture、aadInstance、租户、策略),
AuthenticationType=策略,
ClientId=ClientId,
RedirectUri=RedirectUri,
PostLogoutRedirectUri=redirectUri,
通知=新的OpenIdConnectAuthenticationNotifications
{
身份验证失败
using Microsoft.Owin.Security;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Owin.Security.Cookies;
using System.Security.Claims;
using EMC_Portal_Web.Services.DataAccess;
using EMC_Portal_Web;
namespace WebSite.Controllers
{
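public class AccountController : Controller
{
    /// <summary>Starts the B2C sign-in policy for an anonymous user; does nothing when already signed in.</summary>
    public void SignIn()
    {
        try
        {
            if (!Request.IsAuthenticated)
            {
                ChallengePolicy(Startup.SignInPolicyId);
            }
        }
        catch (Exception ex)
        {
            LogFailure(ex);
        }
    }

    /// <summary>Starts the B2C sign-up policy for an anonymous user; does nothing when already signed in.</summary>
    public void SignUp()
    {
        try
        {
            if (!Request.IsAuthenticated)
            {
                ChallengePolicy(Startup.SignUpPolicyId);
            }
        }
        catch (Exception ex)
        {
            LogFailure(ex);
        }
    }

    /// <summary>Starts the B2C profile-edit policy; only for a signed-in user.</summary>
    // `new` intentionally hides Controller.Profile so the action name stays "Profile".
    public new void Profile()
    {
        try
        {
            if (Request.IsAuthenticated)
            {
                ChallengePolicy(Startup.ProfilePolicyId);
            }
        }
        catch (Exception ex)
        {
            LogFailure(ex);
        }
    }

    /// <summary>Starts the B2C password-change policy; only for a signed-in user.</summary>
    public void ChangePassword()
    {
        try
        {
            if (Request.IsAuthenticated)
            {
                ChallengePolicy(Startup.ChangePasswordPolicyId);
            }
        }
        catch (Exception ex)
        {
            LogFailure(ex);
        }
    }

    /// <summary>
    /// Signs the user out of every registered authentication type (the cookie scheme and
    /// each policy middleware) and redirects to the site's configured index page.
    /// </summary>
    /// <returns>A redirect to Application["Index"], or to Application["Home"] if sign-out failed.</returns>
    public ActionResult SignOut()
    {
        try
        {
            if (Request.IsAuthenticated)
            {
                // Sign out of all authentication types so each middleware, not just the
                // cookie handler, gets to clear its own state.
                IEnumerable<AuthenticationDescription> authTypes = HttpContext.GetOwinContext().Authentication.GetAuthenticationTypes();
                HttpContext.GetOwinContext().Authentication.SignOut(authTypes.Select(t => t.AuthenticationType).ToArray());
            }

            // NOTE(review): this action is reachable by GET, so any third-party page can log
            // the user out (logout CSRF). Prefer [HttpPost] + [ValidateAntiForgeryToken].
            return Redirect(ApplicationUrl("Index"));
        }
        catch (Exception ex)
        {
            LogFailure(ex);
            return Redirect(ApplicationUrl("Home"));
        }
    }

    /// <summary>Issues the OWIN challenge that runs the given B2C policy.</summary>
    /// <param name="policyId">Policy id; matches the AuthenticationType registered in Startup.</param>
    private void ChallengePolicy(string policyId)
    {
        // The challenge is answered by the OpenID Connect middleware whose AuthenticationType
        // equals the policy id (see Startup.CreateOptionsFromPolicy). The return target is the
        // fixed ida:RedirectUri, never a caller-supplied URL, so there is no open redirect here.
        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties() { RedirectUri = Startup.redirectUri }, policyId);
    }

    /// <summary>
    /// Reads a redirect target from application state, falling back to the site root when
    /// the key has not been set instead of throwing a NullReferenceException (which in the
    /// catch block of SignOut would otherwise escape unhandled).
    /// </summary>
    /// <param name="key">Application-state key holding the URL.</param>
    /// <returns>The stored URL, or "/" when absent.</returns>
    private static string ApplicationUrl(string key)
    {
        object value = System.Web.HttpContext.Current.Application[key];
        return value == null ? "/" : value.ToString();
    }

    /// <summary>Writes a failed action to the trace log without surfacing it to the user.</summary>
    /// <param name="ex">The exception that was caught.</param>
    private static void LogFailure(Exception ex)
    {
        Trace.TraceError("Error Message: " + ex.Message + " Stack: " + ex.StackTrace);
    }
}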
}