MSAL/B2C error: 'Secure Connection Failed' AFTER getting valid ID token
MSAL/B2C error: 'Secure Connection Failed' AFTER getting valid ID token
简短摘要:
我有一个 Angular 7.0 前端客户端,使用 MSAL-angular.js 库对 .NET CORE API 应用程序进行身份验证。两者都使用 B2C 托管在 Azure 上。
下面的调用 returns 一个有效的 ID token 在 URL 中,但随后出现以下错误(每个浏览器略有不同):
一个。 Chrome:
This site can’t provide a secure connection localhost sent an invalid
response. ERR_SSL_PROTOCOL_ERROR
乙。火狐
Secure Connection Failed
An error occurred during a connection to localhost:4200. SSL received
a record that exceeded the maximum permissible length. Error code:
SSL_ERROR_RX_RECORD_TOO_LONG
摄氏度。 IE
Can’t connect securely to this page This might be because the site
uses outdated or unsafe TLS security settings.
详细步骤:
- 客户端在 MyAuth.service.ts
中进行身份验证
import { MsalService, BroadcastService } from '@azure/msal-angular';
// unrelated code...
export class MyAuthService{
constructor(private http: HttpClient,
private authService : MsalService,
private broadcastService: BroadcastService,
private httpService: HttpServiceHelper) { }
public loginMSAL() {
this.authService.loginPopup(["openid", "offline_access",
"https://myBusinessName.onmicrosoft.com/api-dev/user_impersonation"]).
then(function (idToken: any) {
console.log("token: "+idToken); //This never gets hit.
});
console.log("...exit loginMSAL()..."); //
}
- 弹出窗口登录用户,使用此 URL(“04d8c97b”ID 是我的 Azure B2C 租户 ID,mybusinessname.onmicrosoft.com) :
https://login.microsoftonline.com/04d8c97b-23df-4533-b5fe-197f0117556c/oauth2/v2.0/authorize
?response_type=id_token
&scope=offline_access
%20https%3A%2F%2Fmybusinessname.onmicrosoft.com
%2Fapi-dev
%2Fuser_impersonation
%20openid
%20profile
&client_id=0af5e22c-1233-470f-b2a8-e47038c69524 //This is my angular web client's ID on Azure.
&redirect_uri=https%3A%2F%2Flocalhost%3A4200%2F
&state=c5a0006a-80f0-4d25-9eeb-49ddd0bc292b
&nonce=2699ca31-52f3-455b-9906-137772f2f0a8
&client_info=1&x-client-SKU=MSAL.JS
&x-client-Ver=0.2.1
&client-request-id=d9eed293-c1bd-4f75-a824-dc0bfe956c17
&prompt=select_account
&response_mode=fragment
&sso_reload=true
2.a) 登录弹出窗口似乎工作正常。
它显示了我之前登录的帐户名,testUser1@mybusinessname.onmicrosoft.com.
2.b) 输入密码正常,然后痛苦开始。
- 弹窗window给出了上面的错误,但是URL变成了下面的,显示已经获得了一个有效的ID token。 URL 是:
https://localhost:4200/#id_token=eyJ0e ...long token here...
&state=26deef89-94db-49ec-94a6-fbb6e7f93f13
&session_state=ca5489a4-842a-48f2-9fa5-7b85a1582d55
- 将令牌放入jwt.ms,它看起来有效:
{
"typ": "JWT",
"alg": "RS256",
"kid": "nbCwW11w3XkB-xUaXwKRjLjMHGQ"
}.{
"aud": "0af5e22c-1233-470f-b2a8-e47038c69524",
"iss": "https://login.microsoftonline.com/04d8c97b-25df-4533-b5fe-197f0117556c/v2.0", *//This is the ID for my Azure B2C Tenant, 'mybusinessname.onmicrosoft.com'*
"iat": 1545600536,
"nbf": 1545600536,
"exp": 1545604436,
"aio": "ATQAy/8JAAAARe1ST0VN1rzLio14LI4Y6B6VcY1nPurvB2G+FOWLjs/3QtkQdiHfRVnpgw6Ohm/2",
"name": "TestUser1",
"nonce": "ee43f038-bb35-438f-a9ca-2ca8b649dea4",
"oid": "2755d0c4-19ab-495e-9441-4ae6fe87e17a",
"preferred_username": "testUser1@mybusinessname.onmicrosoft.com",
"sub": "WcB02vJDa7vzfgWbJTY8m604eYhGosphCmr569Wc7Yc",
"tid": "04d8c97b-25df-4533-b5fe-197f0117556c",
"uti": "mC5BVa6fukuEXIVB5jJYAA",
"ver": "2.0"
}.[Signature]
- 不确定是否相关,但这是我的 MSAL 配置:
@NgModule({
imports: [
CommonModule,
MsalModule.forRoot({
clientID: '0af5e22c-1233-470f-b2a8-e47038c69524', // Azure B2C ID for my angular web client, 'mybusinessname-web-dev'.
authority: "https://login.microsoftonline.com/mybusinessname.onmicrosoft.com",
redirectUri: "https://localhost:4200/",
cacheLocation : "sessionStorage",
postLogoutRedirectUri: "https://localhost:4200/",
navigateToLoginRequestUrl: false,
unprotectedResources: ["https://localhost:4200/"],
popUp: true,
validateAuthority: false
})
感谢任何可能的帮助!
令牌与此错误无关。
问题可能出在托管服务的证书上。使用网络 tools/fiddler 将有助于了解哪个 extact call returns TLS 错误。如果获取令牌的调用正在返回它,那将是一个 B2C 问题,否则它将是托管服务的端点的问题。
你也可以关注这个TLS issues on Chrome
简短摘要:
我有一个 Angular 7.0 前端客户端,使用 MSAL-angular.js 库对 .NET CORE API 应用程序进行身份验证。两者都使用 B2C 托管在 Azure 上。
下面的调用 returns 一个有效的 ID token 在 URL 中,但随后出现以下错误(每个浏览器略有不同):
一个。 Chrome:
This site can’t provide a secure connection localhost sent an invalid response. ERR_SSL_PROTOCOL_ERROR
乙。火狐
Secure Connection Failed
An error occurred during a connection to localhost:4200. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
摄氏度。 IE
Can’t connect securely to this page This might be because the site uses outdated or unsafe TLS security settings.
详细步骤:
- 客户端在 MyAuth.service.ts 中进行身份验证
import { MsalService, BroadcastService } from '@azure/msal-angular';
// unrelated code...
export class MyAuthService{
constructor(private http: HttpClient,
private authService : MsalService,
private broadcastService: BroadcastService,
private httpService: HttpServiceHelper) { }
public loginMSAL() {
this.authService.loginPopup(["openid", "offline_access",
"https://myBusinessName.onmicrosoft.com/api-dev/user_impersonation"]).
then(function (idToken: any) {
console.log("token: "+idToken); //This never gets hit.
});
console.log("...exit loginMSAL()..."); //
}
- 弹出窗口登录用户,使用此 URL(“04d8c97b”ID 是我的 Azure B2C 租户 ID,mybusinessname.onmicrosoft.com) :
https://login.microsoftonline.com/04d8c97b-23df-4533-b5fe-197f0117556c/oauth2/v2.0/authorize
?response_type=id_token
&scope=offline_access
%20https%3A%2F%2Fmybusinessname.onmicrosoft.com
%2Fapi-dev
%2Fuser_impersonation
%20openid
%20profile
&client_id=0af5e22c-1233-470f-b2a8-e47038c69524 //This is my angular web client's ID on Azure.
&redirect_uri=https%3A%2F%2Flocalhost%3A4200%2F
&state=c5a0006a-80f0-4d25-9eeb-49ddd0bc292b
&nonce=2699ca31-52f3-455b-9906-137772f2f0a8
&client_info=1&x-client-SKU=MSAL.JS
&x-client-Ver=0.2.1
&client-request-id=d9eed293-c1bd-4f75-a824-dc0bfe956c17
&prompt=select_account
&response_mode=fragment
&sso_reload=true
2.a) 登录弹出窗口似乎工作正常。 它显示了我之前登录的帐户名,testUser1@mybusinessname.onmicrosoft.com.
2.b) 输入密码正常,然后痛苦开始。
- 弹窗window给出了上面的错误,但是URL变成了下面的,显示已经获得了一个有效的ID token。 URL 是:
https://localhost:4200/#id_token=eyJ0e ...long token here...
&state=26deef89-94db-49ec-94a6-fbb6e7f93f13
&session_state=ca5489a4-842a-48f2-9fa5-7b85a1582d55
- 将令牌放入jwt.ms,它看起来有效:
{
"typ": "JWT",
"alg": "RS256",
"kid": "nbCwW11w3XkB-xUaXwKRjLjMHGQ"
}.{
"aud": "0af5e22c-1233-470f-b2a8-e47038c69524",
"iss": "https://login.microsoftonline.com/04d8c97b-25df-4533-b5fe-197f0117556c/v2.0", *//This is the ID for my Azure B2C Tenant, 'mybusinessname.onmicrosoft.com'*
"iat": 1545600536,
"nbf": 1545600536,
"exp": 1545604436,
"aio": "ATQAy/8JAAAARe1ST0VN1rzLio14LI4Y6B6VcY1nPurvB2G+FOWLjs/3QtkQdiHfRVnpgw6Ohm/2",
"name": "TestUser1",
"nonce": "ee43f038-bb35-438f-a9ca-2ca8b649dea4",
"oid": "2755d0c4-19ab-495e-9441-4ae6fe87e17a",
"preferred_username": "testUser1@mybusinessname.onmicrosoft.com",
"sub": "WcB02vJDa7vzfgWbJTY8m604eYhGosphCmr569Wc7Yc",
"tid": "04d8c97b-25df-4533-b5fe-197f0117556c",
"uti": "mC5BVa6fukuEXIVB5jJYAA",
"ver": "2.0"
}.[Signature]
- 不确定是否相关,但这是我的 MSAL 配置:
@NgModule({
imports: [
CommonModule,
MsalModule.forRoot({
clientID: '0af5e22c-1233-470f-b2a8-e47038c69524', // Azure B2C ID for my angular web client, 'mybusinessname-web-dev'.
authority: "https://login.microsoftonline.com/mybusinessname.onmicrosoft.com",
redirectUri: "https://localhost:4200/",
cacheLocation : "sessionStorage",
postLogoutRedirectUri: "https://localhost:4200/",
navigateToLoginRequestUrl: false,
unprotectedResources: ["https://localhost:4200/"],
popUp: true,
validateAuthority: false
})
感谢任何可能的帮助!
令牌与此错误无关。 问题可能出在托管服务的证书上。使用网络 tools/fiddler 将有助于了解哪个 extact call returns TLS 错误。如果获取令牌的调用正在返回它,那将是一个 B2C 问题,否则它将是托管服务的端点的问题。
你也可以关注这个TLS issues on Chrome