问题
I have followed the Getting Started workflow here: https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-get-started-custom
I followed it from scratch, twice, and have both times when trying to sign in with the sign-in & sign-up custom policy I am prompted with 'Your password is incorrect'. How can I properly authenticate?
Things that are working:
- When I do signup the user journey completes, and the user is added to the directory
- Using built in policies I can sign in and sign up
- Using built in policies I can sign in with a user who I used the custom policy to sign up for
Using Application Insights I can see the following errors. (some sanitation applied)
"ValidationRequest":{
"ContentType":"Unspecified",
"Created":"2017-10-06T17:19:34.3995426Z",
"Key":"ValidationRequest",
"Persistent":true,
"Value":"client_id=55555555-5555-5555-5555-555555555555&resource=cccccccc-cccc-cccc-cccc-cccccccccccc&username=MYUSERNAME&password=PASSWORDIENTEREDONSCREEN&grant_type=password&scope=openid&nca=1;1;login-NonInteractive;False"
},
"ValidationResponse":{
"ContentType":"Json",
"Created":"2017-10-06T17:19:34.3995426Z",
"Key":"ValidationResponse",
"Persistent":true,
"Value":"{\"error\":\"invalid_client\",\"error_description\":\"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.\\r\\nTrace ID: 55555555-cccc-cccc-cccc-555555555555\\r\\nCorrelation ID: 77777777-7777-7777-7777-777777777777\\r\\nTimestamp: 2017-10-06 17:19:33Z\",\"error_codes\":[70002],\"timestamp\":\"2017-10-06 17:19:33Z\",\"trace_id\":\"55555555-cccc-cccc-cccc-555555555555\",\"correlation_id\":\"77777777-7777-7777-7777-777777777777\"};1;login-NonInteractive;False"
},
The important bit seems to be:
"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion"
Also later it says:
"Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown."
Some things I've double checked:
- In my Identity Experience Framework > Policy Keys, I have the following 4 keys after following the steps in the guide:
- B2C_1A_AdminClientEncryptionKeyContainer
- B2C_1A_FacebookSecret
- B2C_1A_TokenEncryptionKeyContainer
- B2C_1A_TokenSigningKeyContainer
- In the regular AAD > App registrations, I have the applications:
- IdentityExperienceFramework
- ProxyIdentityExperienceFramework
- And ProxyIdentityExperienceFramework has delegated Access IdentityExperienceFramework permissions from IdentityExperienceFramework.
- And I've hit Grant permissions for both apps.
- Both application Ids were properly substituted in the TrustFrameworkExtensions.xml, two places each
Any help is much appreciated. Thank you.
回答1:
Your ProxyIdentityExperienceFramework app was incorrectly created as a Web App/API. You need to recreate it as a Native app. Make sure you don't forget to update the client_ids in your base policy to the new ProxyIdentityExperienceFramework accordingly.
The error AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion occurs when you try to obtain a token using a client_id for an application that was registered as a Web App/API but are not providing the required client_secret. In the case of Native app, there is no client_secret required.
When sign in, Azure AD B2C's trust framework (the thing that executes custom policies) internally attempts to obtain a token for the IdentityExperienceFramework app (Web API) using the ProxyIdentityExperienceFramework app (Native app). If you incorrectly create the latter as a Web App/API, B2C's policy engine will fail to obtain the token which manifests itself as a Your password is incorrect error message to the user.
来源:https://stackoverflow.com/questions/46611968/azure-b2c-sample-custom-policy-when-signing-in-shows-your-password-is-incorrec