azure - Azure AD B2C - 多应用服务的 CORS 策略问题
问题描述
我有 2 个项目:Project1是主应用程序 ( localhost:4016 ) Project2是子应用程序 ( localhost:4055 ) 并在 2 个项目之间共享授权令牌 cookie。
它在本地运行良好,但在 Azure 上托管时无法运行。收到以下错误:
在' https://devplatform.b2clogin.com/devplatform.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/authorize?client_id=XXXX&redirect_uri=https://myapps.example.com/home/index访问 XMLHttpRequest .. .'(重定向自' https://www.example.com/api/home/getlist ')来自原点' https://www.example.com '已被CORS策略阻止:否'Access-Control-Allow -Origin' 标头存在于请求的资源上。
我在多个项目中使用以下 OpenIdConnect 进行 Azure AD B2C 身份验证。
public void ConfigureAuth(IAppBuilder app) {
// Required for Azure webapps, as by default they force TLS 1.2 and this project attempts 1.0
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions() {
//locally it'll keep redirecting infinitely
CookieDomain = ".example.com" //only required when we host it to keep persist cookies
});
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions {
// Generate the metadata address using the tenant and policy information
MetadataAddress = String.Format(Globals.WellKnownMetadata, Globals.Tenant, Globals.DefaultPolicy),
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = Globals.ClientId,
RedirectUri = Globals.RedirectUri,
PostLogoutRedirectUri = Globals.RedirectUri,
// Specify the callbacks for each type of notifications
Notifications = new OpenIdConnectAuthenticationNotifications {
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
AuthorizationCodeReceived = OnAuthorizationCodeReceived,
AuthenticationFailed = OnAuthenticationFailed,
},
// Specify the claim type that specifies the Name property.
TokenValidationParameters = new TokenValidationParameters {
NameClaimType = "name",
ValidateIssuer = false
},
// Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
Scope = $"openid profile offline_access {Globals.ReadTasksScope} {Globals.WriteTasksScope}"
}
);
}
如果我对身份验证失败事件进行重定向,则会得到如下随机数错误:
IDX21323:RequireNonce 是 '[PII 默认隐藏。将 IdentityModelEventSource.cs 中的“ShowPII”标志设置为 true 以显示它。]'。OpenIdConnectProtocolValidationContext.Nonce 为空,OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce 不为空。无法验证随机数。如果您不需要检查 nonce,请将 OpenIdConnectProtocolValidator.RequireNonce 设置为“false”。请注意,如果找到“nonce”,它将被评估。
我可以通过以下语句禁用它:
ProtocolValidator = new OpenIdConnectProtocolValidator() { RequireNonce = false }
但它引入了以下错误:
IDX21329:RequireState 为“[PII 已隐藏]”,但 OpenIdConnectProtocolValidationContext.State 为空。无法验证状态。
我试图通过以下语句禁用它,但仍然是同样的问题。
ProtocolValidator = new OpenIdConnectProtocolValidator() { RequireNonce = false, RequireState = false }