Bad id_token issuer when trying to authenticate with Battle.net OIDC with Cognito
For the past few days I have been trying to set up Cognito to use Battle.net OIDC. I believe I am most of the way there. I can see that, using the Cognito hosted UI, it authenticates correctly but then fails, presumably when trying to retrieve the token.
First request, Cognito hosted UI:
https://<removed>.auth.us-west-2.amazoncognito.com/oauth2/authorize?identity_provider=Blizzard&redirect_uri=https://<my-site-oauth-handler-removed>/oauth&response_type=CODE&client_id=<removed>&scope=openid
Then the next request is as expected for Battle.net OIDC:
https://us.battle.net/oauth/authorize?client_id=<removed>&redirect_uri=https%3A%2F%2F<removed>.auth.us-west-2.amazoncognito.com%2Foauth2%2Fidpresponse&scope=openid&response_type=code&state=<removed>
Then the code is passed to the Cognito idpresponse:
https://<removed>.auth.us-west-2.amazoncognito.com/oauth2/idpresponse?code=<removed>&state=<removed>
At this point, if my understanding is correct, Cognito should try to reach the battle.net /oauth/token
endpoint and then return the id_token and access_token to my redirect_url. Instead, Cognito returns an error to my URL:
https://<my-site-oauth-handler-removed>/oauth?error_description=Bad+id_token+issuer+oauth.battle.net&error=invalid_request
Judging by the lack of documentation for Battle.net OIDC, I may be one of the few people trying to use battle.net OIDC together with Cognito. This could well be a bug in their implementation, but I'm trying not to jump to that conclusion.
My best guess right now is that I haven't configured Cognito correctly to make the token POST request. It needs to use Basic Authentication with clientid:password, but I can't verify that it is doing this correctly because it is abstracted away.
Regardless, when I make the request through my app (using Amplify to open the hosted UI), it returns with the following:
[ERROR] 51:05.25 OAuth - Error handling auth response. Error: Bad+id_token+issuer+oauth.battle.net
at OAuth.<anonymous> (OAuth.js:202)
at step (OAuth.js:52)
at Object.next (OAuth.js:33)
at OAuth.js:27
at tryCallTwo (core.js:45)
at doResolve (core.js:200)
at new Promise (core.js:66)
at __awaiter (OAuth.js:23)
at OAuth.handleAuthResponse (OAuth.js:181)
at AuthClass.<anonymous> (Auth.js:1632)
Here is all of my relevant Cognito configuration:
OIDC provider:
- Provider name: Blizzard
- Client ID: [removed]
- Client secret: [removed]
- Attributes request method: POST
- Authorized scopes: openid
- Issuer: https://us.battle.net/oauth
App client:
- Name: [removed]
- App client ID: [removed]
- App client secret: (no secret)
App client settings:
- Enabled identity providers: Blizzard
- Callback URL(s): https://[removed]/oauth
- Sign out URL(s): https://[removed]/oauth
- Allowed OAuth flows:
  - Authorization code grant
  - Implicit grant
- Allowed OAuth scopes:
  - email
  - openid
  - aws.cognito.signin.user.admin
  - profile
  - (I have tried every variation of these, but it doesn't seem to change the result)
Federated Identities:
- Authentication providers:
  - OpenID
    - us.battle.net/oauth
IAM identity provider:
- Provider name: us.battle.net/oauth
- Provider type: OIDC
- Provider URL: us.battle.net/oauth
- CA thumbprints: [removed]
- Audience: [my battle.net client ID]
I have exhausted my own resources and am looking for any guidance.
Thanks!
This is because Blizzard issues tokens from its well-known endpoint but sets the iss
field to oauth.battle.net,
which causes Cognito (or any other token validation) to fail, hence the error message
Bad+id_token+issuer+oauth.battle.net
I raised this with their API team on Discord, and according to an email sent to developers they will release a fix on November 25.
Dear community developer,
Earlier this year, we introduced a new OAuth discovery endpoint which implements the OpenID Connect discovery specification. We would like to deploy a change to the issuer field iss of the id_token during the OpenID authorization flow from oauth.battle.net to the issuer that is returned by the well-known configuration endpoint JSON response. This would be a potential breaking change to some of the OAuth OIDC clients but it conforms to the OpenID connect specification: https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier
Your OAuth client application was identified as one that could be affected by this change.
We are planning to release this change on November 25, 2019.
Here are the steps that you can take to ensure your OpenID Connect client will continue working after the change:
Navigate to one of the well-known configuration endpoints below which corresponds to the region where your client application operates and check the "issuer" field.
If the issuer field matches the configured issuer for your OAuth OIDC client then your client is compatible and you are already compliant and do not need to make any changes.
If the issuer field from the well-known configuration endpoint is different than the issuer set in your client configuration, please change the issuer to match the well-known configuration endpoint.
If your client supports the OpenID discovery endpoint standard, you can configure it to read all necessary settings from the well-known configuration endpoint. Your OAuth client should self-configure.
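To make the answer's point concrete, here is an added example (not code from the original post, from AWS Cognito or from Blizzard) that performs the checks a relying party such as Cognito runs in the flow the question walks through: it reads the issuer from a discovery document, builds the token-endpoint POST with the Basic client credentials the question could not observe, and then validates an id_token's iss claim by exact string match, so that iss = oauth.battle.net is rejected with the same kind of message the thread reports while iss = https://us.battle.net/oauth passes. The discovery document, client ID, claims and HS256 signing key are all constructed inline and are assumptions for the demo; a real provider signs with RS256 keys published at its jwks_uri.

```python
"""Checks a relying party such as Cognito runs against an OIDC provider.
Added example for this thread, not code from the original post, AWS or
Blizzard.  Discovery document, credentials and tokens are constructed
inline; HS256 with a throwaway key keeps it offline (real providers use RS256)."""
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, urlencode, urlsplit

# Constructed stand-in for https://us.battle.net/oauth/.well-known/openid-configuration
DISCOVERY_DOC = {
    "issuer": "https://us.battle.net/oauth",
    "authorization_endpoint": "https://us.battle.net/oauth/authorize",
    "token_endpoint": "https://us.battle.net/oauth/token",
}
DEMO_KEY = b"demo-hs256-key-not-a-real-secret"  # throwaway, demo only

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Provider side: mint a compact JWS so there is something to validate."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def issuer_is_well_formed(iss: str) -> bool:
    """OIDC Core 2: an issuer is an https URL with no query or fragment."""
    u = urlsplit(iss)
    return u.scheme == "https" and bool(u.netloc) and not u.query and not u.fragment

def discovery_issuer_is_consistent(discovery_url: str, doc: dict) -> bool:
    """OIDC Discovery 4.3: issuer == discovery URL minus the well-known suffix."""
    suffix = "/.well-known/openid-configuration"
    return discovery_url.endswith(suffix) and doc["issuer"] == discovery_url[:-len(suffix)]

def build_token_request(doc, code, redirect_uri, client_id, client_secret) -> dict:
    """The token-endpoint POST Cognito makes on the app's behalf, using
    client_secret_basic (RFC 6749 2.3.1: each credential is form-urlencoded,
    the pair joined with ':' and base64-encoded).  Returned, not sent."""
    cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return {
        "method": "POST",
        "url": doc["token_endpoint"],
        "headers": {
            "Authorization": "Basic " + base64.b64encode(cred.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "authorization_code",
                           "code": code, "redirect_uri": redirect_uri}),
    }

def validate_id_token(token, expected_issuer, client_id, now, key=DEMO_KEY) -> dict:
    """OIDC Core 3.1.3.7: signature, then exact-match iss, aud containing our
    client_id, exp in the future.  Raises ValueError in the spirit of
    Cognito's 'Bad id_token issuer <iss>'."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    # Exact string comparison: "oauth.battle.net" != "https://us.battle.net/oauth".
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"Bad id_token issuer {claims.get('iss')}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("Bad id_token audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    return claims

def demo(now: float = 1_574_000_000.0) -> dict:
    """Pre-fix token (iss=oauth.battle.net) vs post-fix token (iss matches discovery)."""
    client_id = "my-battle-net-client-id"  # placeholder, not a real client
    good = {"iss": DISCOVERY_DOC["issuer"], "sub": "12345", "aud": client_id,
            "iat": now, "exp": now + 300}
    bad = dict(good, iss="oauth.battle.net")  # the value the thread's error reports
    results = {}
    for name, claims in (("pre_fix", bad), ("post_fix", good)):
        try:
            validate_id_token(make_id_token(claims), DISCOVERY_DOC["issuer"], client_id, now)
            results[name] = "ok"
        except ValueError as e:
            results[name] = str(e)
    results["issuer_well_formed"] = {i: issuer_is_well_formed(i) for i in (good["iss"], bad["iss"])}
    results["discovery_consistent"] = discovery_issuer_is_consistent(
        "https://us.battle.net/oauth/.well-known/openid-configuration", DISCOVERY_DOC)
    return results
```

Running `demo()` reports `pre_fix` as `Bad id_token issuer oauth.battle.net` and `post_fix` as `ok`; the `issuer_well_formed` entry also shows that `oauth.battle.net` is not even a valid issuer identifier under the spec (no https scheme), which is why no client-side configuration of the issuer field could have made the pre-fix token validate.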