iOS中的Azure AD B2C ROPC流错误(Swift 4) - 资源所有者流只能由通过B2C管理门户创建的应用程序使用

问题描述 投票:2回答:2

我正在尝试将Azure AD B2C ROPC Flow实现到iOS Swift 4应用程序中。我已经按照documentationsample中的说明进行操作了。我已经替换了以下请求参数:

kIssuer: "https://login.microsoftonline.com/tfp/{Tenant Name}.onmicrosoft.com/{Signin Policy Name}/v2.0"
kIssuerROPC: "https://login.microsoftonline.com/tfp/{tenantName}.onmicrosoft.com/{Resource Owner Policy Name}/v2.0"
kClientId: "{Application ID}"
kRedirectUri: "https://login.microsoftonline.com/tfp/oauth2/nativeclient"

我的additionalParameters如下:

"[
    username": "{test email account}",
    "password": "{test password}",
    "scope": "openid {kClientId} offline_access",
    "response_type": "token id_token
]"

我将执行OIDTokenRequest方法:

OIDTokenRequest(
    configuration: configuration!, 
    grantType: OIDGrantTypePassword, 
    authorizationCode: nil, 
    redirectURL: redirectURI!, 
    clientID: self.kClientID, 
    clientSecret: nil, 
    scope: additionalParameters["scope"], 
    refreshToken: nil, 
    codeVerifier: nil, 
    additionalParameters: additionalParameters
)

我打印出以下消息:

"Performing ROPC with request [%@] <OIDTokenRequest: 0x6000002a17a0, request: <URL:https://login.microsoftonline.com/te/{tenant}.onmicrosoft.com/b2c_1_ropc_auth/oauth2/token, HTTPBody: password=TESTPW&response_type=token%20id_token&scope=openid%KCLIENTID%20offline_access&scope=openid%20KCLIENTID%20offline_access&refresh_token=offline_access&grant_type=password&username=TESTEMAIL&redirect_uri=https://login.microsoftonline.com/tfp/oauth2/nativeclient&client_id=KCLIENTID>>

我编写了TESTEMAIL,TESTPW和KCLIENTID,我在前两组参数中提到过。

我收到这个错误:

Token request error: "unauthorized_client: AADB2C90248: Resource owner flow can only be used by applications created through the B2C admin portal.

我正在使用我在Azure AD B2C中注册的应用程序的kClientId,它在请求URL中显示了3次不同的时间。我尝试了各种参数组合,但这是我能得到的最远的。

我可以想到的唯一不能正常工作的部分是示例中的kRedirectUrimsalb35a3d9b://oauth/redirect,而这个documentation中的第4步具体说要将info.plist值更改为msalb35a3d9b

在我的AADB2C注册的应用程序中,我有2个RedirectURIS

urn:ietf:wg:oauth:2.0:oob https://login.microsoftonline.com/tfp/oauth2/nativeclient

我已经将urn:ietf:wg添加到info.plist,但没有任何效果。我仍然得到同样的错误。

有人可以帮我解决这个问题吗?

ios swift azure azure-ad-b2c
2个回答
2
投票

这是适合我的配置。

let clientId = "{Application ID}"
let authorizationEndpoint = URL(string: "https://login.microsoftonline.com/{TenantName}.onmicrosoft.com/oauth2/v2.0/authorize?p={ROPC Policy Name}")
let tokenEndpoint = URL(string: "https://login.microsoftonline.com/{TenantName}.onmicrosoft.com/oauth2/v2.0/token?p={ROPC Policy Name}")
let redirectUri = URL(string: "urn:ietf:wg:oauth:2.0:oob")

let configuration = OIDServiceConfiguration(authorizationEndpoint: authorizationEndpoint!, tokenEndpoint: tokenEndpoint!)

let additionalParameters = [
        "username": "{Username}",
        "password": "{Password}",
        "scope": "openid {Application ID} offline_access",
        "response_type": "token id_token"
    ]

let tokenExchangeRequest = OIDTokenRequest(configuration: configuration, grantType: OIDGrantTypePassword, authorizationCode: nil, redirectURL: self.redirectUri!, clientID: self.clientId, clientSecret: nil, scope: nil, refreshToken: nil, codeVerifier: nil, additionalParameters: additionalParameters)

然后执行令牌请求。

OIDAuthorizationService.perform(tokenExchangeRequest, callback: { tokenResponse, error in
        if tokenResponse == nil {
            print("Token request error: %@", error?.localizedDescription as Any)
        } else {
            print("Received token response with accessToken: %@", tokenResponse?.accessToken as Any)
        }
    })
0
投票

你需要确保你的命中V2端点,否则你会得到你看到的错误。

尝试:

https://login.microsoftonline.com/te/ {租户} .onmicrosoft.com / b2c_1_ropc_auth /的oauth2 / V2.0 /令牌

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.