MVC4 AAD sign-in reports IDX21323, looking for a solution

After signing in with AAD, MVC4 reports the following error:

IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

Because I am debugging locally, all of the callback domains are host.


Startup.cs is as follows:

    using System;
    using System.Configuration;
    using System.Globalization;
    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.Notifications;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    [assembly: OwinStartup(typeof(Startup))]

    public class Startup
    {
        // The Client ID is used by the application to uniquely identify itself to Microsoft identity platform.
        private static readonly string clientId = ConfigurationManager.AppSettings["ClientId"];

        // RedirectUri is the URL where the user will be redirected to after they sign in.
        private static readonly string redirectUri = ConfigurationManager.AppSettings["RedirectUri"];

        // Tenant is the tenant ID (e.g. contoso.onmicrosoft.com, or 'common' for multi-tenant).
        // Declared before 'authority' because static initializers run in textual order.
        private static readonly string tenant = ConfigurationManager.AppSettings["Tenant"];

        // Authority is the URL for authority, composed of the Microsoft identity platform and the tenant name
        // (e.g. https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0)
        private static readonly string authority = String.Format(CultureInfo.InvariantCulture, ConfigurationManager.AppSettings["Authority"], tenant);

        /// <summary>
        /// Configure OWIN to use OpenIdConnect
        /// </summary>
        /// <param name="app">The OWIN application builder</param>
        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    // Sets the ClientId, authority, RedirectUri as obtained from web.config
                    ClientId = clientId,
                    Authority = authority,
                    RedirectUri = redirectUri,
                    // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
                    PostLogoutRedirectUri = redirectUri,
                    Scope = OpenIdConnectScope.OpenIdProfile,
                    // ResponseType is set to request the code id_token - which contains basic information about the signed-in user
                    ResponseType = OpenIdConnectResponseType.CodeIdToken,
                    // ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application
                    // To only allow users from a single organizations, set ValidateIssuer to true and 'tenant' setting in web.config to the tenant name
                    // To allow users from only a list of specific organizations, set ValidateIssuer to true and use ValidIssuers parameter
                    TokenValidationParameters = new TokenValidationParameters()
                    {
                        ValidateIssuer = false // This is a simplification: any issuer the middleware can fetch signing keys for is accepted
                    },
                    // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
                    Notifications = new OpenIdConnectAuthenticationNotifications
                    {
                        AuthenticationFailed = OnAuthenticationFailed
                    }
                }
            );
        }

        /// <summary>
        /// Handle failed authentication requests by redirecting the user to the home page with an error in the query string
        /// </summary>
        /// <param name="context">The failed-authentication notification raised by the OpenIdConnect middleware</param>
        /// <returns>A completed task</returns>
        private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
        {
            context.HandleResponse();
            // The raw exception text is reflected to the browser; it is URL-encoded here so it cannot break the query string.
            context.Response.Redirect("/register/login/?errormessage=" + Uri.EscapeDataString(context.Exception.Message));
            return Task.FromResult(0);
        }
    }


Looking for a solution.

This error is caused by the nonce given by Azure AD not being validated.
You can try setting OpenIdConnectProtocolValidator.RequireNonce to false to disable nonce validation,
or make sure that the nonce you pass in and the nonce Azure AD returns are the same.

This answer is quoted from ChatGPT. Error code IDX21323 indicates an Azure Active Directory authentication error. It occurs because the authentication request is invalid.

If you are signing in with ASP.NET MVC4 and Azure Active Directory (AAD), check the following:

Check your app registration: make sure the correct application is registered in your Azure tenant and that authentication/authorization is enabled.

Check the client ID: make sure the client ID in your code is correct and matches the client ID of the registered application.

Check the redirect URI: make sure the redirect URI in your code is correct and matches the redirect URI of the registered application.

Check the domain: make sure you are using the correct Azure Active Directory tenant and that the domain is set correctly in your code.

If the error still occurs, check the application's settings in the Azure portal or another management tool and make sure everything is configured correctly.
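The nonce check behind IDX21323, as an added example that is not part of the question or of either answer above. The OWIN middleware generates a nonce when it builds the authorization request, stores it in an OpenIdConnect.nonce.* cookie on the host the browser is currently on, and compares it with the nonce claim of the id_token that comes back to RedirectUri. IDX21323 means the id_token carried a nonce but no matching cookie arrived with it, which is exactly what happens when sign-in starts on one hostname and RedirectUri points at another, or when the cookie is lost between OWIN and System.Web. The block keeps RequireNonce = true, routes cookies through SystemWebCookieManager, and logs both directions so a host mismatch or a missing cookie shows up in the trace; the RequireNonce = false setting from the first answer is kept only as a diagnostic helper. The class name, the cookie-prefix constant, the trace text and the /register/login/?error=signin_failed path are assumptions; the web.config keys are the ones from the question, and the packages assumed are Microsoft.Owin.Security.OpenIdConnect 4.x and Microsoft.Owin.Host.SystemWeb.

```csharp
// Added example, not the original poster's Startup.cs. Assumes web.config keys ClientId, Authority
// and RedirectUri as in the question, Microsoft.Owin.Security.OpenIdConnect 4.x and
// Microsoft.Owin.Host.SystemWeb. Class name, constant, paths and log text are illustrative.
using System;
using System.Configuration;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class StartupNonceDiagnostics
{
    // Prefix of the cookie in which the OWIN middleware remembers the nonce between the
    // authorization request and the response ("OpenIdConnect.nonce.<...>"). Assumed literal.
    private const string NonceCookiePrefix = "OpenIdConnect.nonce.";

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ConfigurationManager.AppSettings["ClientId"],
            Authority = ConfigurationManager.AppSettings["Authority"],
            RedirectUri = ConfigurationManager.AppSettings["RedirectUri"],
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            Scope = OpenIdConnectScope.OpenIdProfile,

            // Hardened: keep the nonce requirement (also the default) and let System.Web manage
            // the cookies, which avoids the OWIN/System.Web cookie-loss problem that is a common
            // reason for the nonce cookie not being present on the callback.
            ProtocolValidator = new OpenIdConnectProtocolValidator { RequireNonce = true },
            CookieManager = new SystemWebCookieManager(),

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Outbound: the nonce cookie is written for the host the browser is on now. If that
                // host differs from the host in redirect_uri, the browser will not send the cookie
                // back with the id_token and validation fails with IDX21323.
                RedirectToIdentityProvider = ctx =>
                {
                    Trace.TraceInformation(
                        "OIDC request from host {0}, redirect_uri {1}, nonce in request: {2}",
                        ctx.Request.Host.Value,
                        ctx.ProtocolMessage.RedirectUri,
                        !string.IsNullOrEmpty(ctx.ProtocolMessage.Nonce));
                    return Task.FromResult(0);
                },

                // Inbound: confirm that the nonce cookie actually arrived together with the id_token.
                MessageReceived = ctx =>
                {
                    bool nonceCookiePresent = ctx.Request.Cookies
                        .Any(c => c.Key.StartsWith(NonceCookiePrefix, StringComparison.Ordinal));
                    Trace.TraceInformation(
                        "OIDC response on host {0}, id_token present: {1}, nonce cookie present: {2}",
                        ctx.Request.Host.Value,
                        !string.IsNullOrEmpty(ctx.ProtocolMessage.IdToken),
                        nonceCookiePresent);
                    return Task.FromResult(0);
                },

                // Log the real exception server-side and send the browser a fixed marker instead of
                // reflecting the exception text into the query string.
                AuthenticationFailed = ctx =>
                {
                    Trace.TraceError("OIDC authentication failed: {0}", ctx.Exception);
                    ctx.HandleResponse();
                    ctx.Response.Redirect("/register/login/?error=signin_failed");
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Weak variant (the RequireNonce = false suggestion from the first answer). Only useful to
    // confirm that the missing nonce is the problem: without the nonce a captured id_token can be
    // replayed against this application, so this validator must not be used in a deployed app.
    public static OpenIdConnectProtocolValidator NonceFreeValidatorForDiagnosisOnly()
    {
        return new OpenIdConnectProtocolValidator { RequireNonce = false };
    }
}
```

Read the two trace lines side by side after one sign-in attempt: if the request host and the redirect_uri host differ, register and use a single hostname (for local debugging, the one in RedirectUri); if the hosts match but the nonce cookie is absent on the response, the cookie was dropped in transit, which with current browsers also happens when the id_token is posted back cross-site over plain http, because a cookie without SameSite=None; Secure is not sent on that POST.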