Azure AD B2C iOS (Swift 4)中的ROPC流错误-资源所有者流只能由通过B2C管理门户创建的应用程序使用
我正在尝试将Azure AD B2C ROPC流实现到iOS Swift 4应用程序中。我已经遵循了文档和示例中的说明。我已经替换了以下请求参数:
kIssuer: "https://login.microsoftonline.com/tfp/{Tenant Name}.onmicrosoft.com/{Signin Policy Name}/v2.0"
kIssuerROPC: "https://login.microsoftonline.com/tfp/{tenantName}.onmicrosoft.com/{Resource Owner Policy Name}/v2.0"
kClientId: "{Application ID}"
kRedirectUri: "https://login.microsoftonline.com/tfp/oauth2/nativeclient"我的additionalParameters如下:
"[
username": "{test email account}",
"password": "{test password}",
"scope": "openid {kClientId} offline_access",
"response_type": "token id_token
]"我将以这样的方式执行方法OIDTokenRequest:
OIDTokenRequest(
configuration: configuration!,
grantType: OIDGrantTypePassword,
authorizationCode: nil,
redirectURL: redirectURI!,
clientID: self.kClientID,
clientSecret: nil,
scope: additionalParameters["scope"],
refreshToken: nil,
codeVerifier: nil,
additionalParameters: additionalParameters
)我打印出以下信息:
"Performing ROPC with request [%@] <OIDTokenRequest: 0x6000002a17a0, request: <URL:https://login.microsoftonline.com/te/{tenant}.onmicrosoft.com/b2c_1_ropc_auth/oauth2/token, HTTPBody: password=TESTPW&response_type=token%20id_token&scope=openid%KCLIENTID%20offline_access&scope=openid%20KCLIENTID%20offline_access&refresh_token=offline_access&grant_type=password&username=TESTEMAIL&redirect_uri=https://login.microsoftonline.com/tfp/oauth2/nativeclient&client_id=KCLIENTID>>其中我已经编码出TESTEMAIL,TESTPW和KCLIENTID,正如我在前两组参数中提到的。
我得到了这个错误
Token request error: "unauthorized_client: AADB2C90248: Resource owner flow can only be used by applications created through the B2C admin portal.
我使用我在Azure B2C注册的应用程序的kClientId,它在请求URL中显示了3次不同的时间。我尝试过各种参数组合,但这是我所能得到的最大限度。
我可能想到的唯一可能是不能正常工作的部分是,示例中的kRedirectUri是msalb35a3d9b://oauth/redirect,而这个文档中的第4步明确表示要将info.plist值更改为msalb35a3d9b。
在我的AADB2C注册申请中,我有两个RedirectURIS:
urn:ietf:wg:oauth:2.0:oob https://login.microsoftonline.com/tfp/oauth2/nativeclient
我已经将urn:ietf:wg添加到info.plist中了,但是没有什么工作。我还是会犯同样的错误。
有人能帮我绕开这个努力吗?
回答 2
Stack Overflow用户
发布于 2018-07-24 22:00:19
这是对我有用的配置。
let clientId = "{Application ID}"
let authorizationEndpoint = URL(string: "https://login.microsoftonline.com/{TenantName}.onmicrosoft.com/oauth2/v2.0/authorize?p={ROPC Policy Name}")
let tokenEndpoint = URL(string: "https://login.microsoftonline.com/{TenantName}.onmicrosoft.com/oauth2/v2.0/token?p={ROPC Policy Name}")
let redirectUri = URL(string: "urn:ietf:wg:oauth:2.0:oob")
let configuration = OIDServiceConfiguration(authorizationEndpoint: authorizationEndpoint!, tokenEndpoint: tokenEndpoint!)
let additionalParameters = [
"username": "{Username}",
"password": "{Password}",
"scope": "openid {Application ID} offline_access",
"response_type": "token id_token"
]
let tokenExchangeRequest = OIDTokenRequest(configuration: configuration, grantType: OIDGrantTypePassword, authorizationCode: nil, redirectURL: self.redirectUri!, clientID: self.clientId, clientSecret: nil, scope: nil, refreshToken: nil, codeVerifier: nil, additionalParameters: additionalParameters)然后执行对令牌的请求。
OIDAuthorizationService.perform(tokenExchangeRequest, callback: { tokenResponse, error in
if tokenResponse == nil {
print("Token request error: %@", error?.localizedDescription as Any)
} else {
print("Received token response with accessToken: %@", tokenResponse?.accessToken as Any)
}
})Stack Overflow用户
发布于 2018-07-23 22:41:33
您需要确保您到达了V2端点,否则您将得到您正在看到的错误。
尝试:
https://login.microsoftonline.com/te/{tenant}.onmicrosoft.com/b2c_1_ropc_auth/oauth2/V2.0/token
https://stackoverflow.com/questions/51487951
复制相似问题
腾讯云开发者
