时间戳

首页 > 解决方案 > Azure AD B2C - 多应用服务的 CORS 策略问题

azure - Azure AD B2C - 多应用服务的 CORS 策略问题

问题描述

我有 2 个项目:Project1是主应用程序 ( localhost:4016 ) Project2是子应用程序 ( localhost:4055 ) 并在 2 个项目之间共享授权令牌 cookie。

它在本地运行良好,但在 Azure 上托管时无法运行。收到以下错误:

在' https://devplatform.b2clogin.com/devplatform.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/authorize?client_id=XXXX&redirect_uri=https://myapps.example.com/home/index访问 XMLHttpRequest .. .'(重定向自' https://www.example.com/api/home/getlist ')来自原点' https://www.example.com '已被CORS策略阻止:否'Access-Control-Allow -Origin' 标头存在于请求的资源上。

我在多个项目中使用以下 OpenIdConnect 进行 Azure AD B2C 身份验证。

public void ConfigureAuth(IAppBuilder app) {
    // Required for Azure webapps, as by default they force TLS 1.2 and this project attempts 1.0
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions() {
        //locally it'll keep redirecting infinitely
        CookieDomain = ".example.com" //only required when we host it to keep persist cookies
    });

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions {
        // Generate the metadata address using the tenant and policy information
        MetadataAddress = String.Format(Globals.WellKnownMetadata, Globals.Tenant, Globals.DefaultPolicy),

        // These are standard OpenID Connect parameters, with values pulled from web.config
        ClientId = Globals.ClientId,
        RedirectUri = Globals.RedirectUri,
        PostLogoutRedirectUri = Globals.RedirectUri,

        // Specify the callbacks for each type of notifications
        Notifications = new OpenIdConnectAuthenticationNotifications {
            RedirectToIdentityProvider = OnRedirectToIdentityProvider,
            AuthorizationCodeReceived = OnAuthorizationCodeReceived,
            AuthenticationFailed = OnAuthenticationFailed,
        },

        // Specify the claim type that specifies the Name property.
        TokenValidationParameters = new TokenValidationParameters {
            NameClaimType = "name",
            ValidateIssuer = false
        },

        // Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
        Scope = $"openid profile offline_access {Globals.ReadTasksScope} {Globals.WriteTasksScope}"
        }
    );
}

如果我对身份验证失败事件进行重定向,则会得到如下随机数错误:

IDX21323:RequireNonce 是 '[PII 默认隐藏。将 IdentityModelEventSource.cs 中的“ShowPII”标志设置为 true 以显示它。]'。OpenIdConnectProtocolValidationContext.Nonce 为空,OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce 不为空。无法验证随机数。如果您不需要检查 nonce,请将 OpenIdConnectProtocolValidator.RequireNonce 设置为“false”。请注意,如果找到“nonce”,它将被评估。

我可以通过以下语句禁用它:

ProtocolValidator = new OpenIdConnectProtocolValidator() { RequireNonce = false }

但它引入了以下错误:

IDX21329:RequireState 为“[PII 已隐藏]”,但 OpenIdConnectProtocolValidationContext.State 为空。无法验证状态。

我试图通过以下语句禁用它,但仍然是同样的问题。

ProtocolValidator = new OpenIdConnectProtocolValidator() { RequireNonce = false, RequireState = false }

标签: azurecorsazure-active-directoryopenid-connectazure-ad-b2c

解决方案

推荐阅读