Set redirect URLs to b2clogin.cn for Azure Active Directory B2C

When you set up an identity provider for sign-up and sign-in in your Azure Active Directory B2C (Azure AD B2C) application, you need to specify a redirect URL. You should no longer reference login.partner.microsoftonline.cn in your applications and APIs for authenticating users with Azure AD B2C. Instead, use b2clogin.cn for all new applications, and migrate existing applications from login.partner.microsoftonline.cn to b2clogin.cn.

Deprecation of login.partner.microsoftonline.cn

October 2020 update: We're extending a grace period for tenants who are unable to meet the originally announced deprecation date of 04 December 2020. Retirement of login.partner.microsoftonline.cn will now occur no earlier than 14 January 2021.

Background: On 04 December 2019, we originally announced the scheduled retirement of login.partner.microsoftonline.cn support in Azure AD B2C on 04 December 2020. This provided existing tenants one (1) year to migrate to b2clogin.cn. New tenants created after 04 December 2019 will not accept requests from login.partner.microsoftonline.cn. All functionality remains the same on the b2clogin.cn endpoint.

The deprecation of login.partner.microsoftonline.cn does not impact Azure Active Directory tenants. Only Azure Active Directory B2C tenants are affected by this change.

What endpoints does this apply to

The transition to b2clogin.cn only applies to authentication endpoints that use Azure AD B2C policies (user flows or custom policies) to authenticate users. These endpoints have a <policy-name> parameter which specifies the policy Azure AD B2C should use. Learn more about Azure AD B2C policies.

These endpoints may look like:

  • https://login.microsoft.com/<tenant-name>.partner.onmschina.cn/<policy-name>/oauth2/v2.0/authorize
  • https://login.microsoft.com/<tenant-name>.partner.onmschina.cn/<policy-name>/oauth2/v2.0/token

Alternatively, the <policy-name> may be passed as a query parameter:

  • https://login.microsoft.com/<tenant-name>.partner.onmschina.cn/oauth2/v2.0/authorize?p=<policy-name>
  • https://login.microsoft.com/<tenant-name>.partner.onmschina.cn/oauth2/v2.0/token?p=<policy-name>

Important

Endpoints that use the 'policy' parameter must be updated as well as identity provider redirect URLs.

Some Azure AD B2C customers use the shared capabilities of Azure AD enterprise tenants, such as the OAuth 2.0 client credentials grant flow. These features are accessed using Azure AD's login.partner.microsoftonline.cn endpoints, which don't contain a policy parameter. These endpoints are not affected.

Benefits of b2clogin.cn

When you use b2clogin.cn as your redirect URL:

  • Space consumed in the cookie header by Microsoft services is reduced.
  • Your redirect URLs no longer need to include a reference to Microsoft.
  • JavaScript client-side code is supported (currently in preview) in customized pages. Due to security restrictions, JavaScript code and HTML form elements are removed from custom pages if you use login.partner.microsoftonline.cn.

Overview of required changes

There are several modifications you might need to make to migrate your applications to b2clogin.cn:

  • Change the redirect URL in your identity provider's applications to reference b2clogin.cn.
  • Update your Azure AD B2C applications to use b2clogin.cn in their user flow and token endpoint references. This may include updating your use of an authentication library like the Microsoft Authentication Library (MSAL).
  • Update any Allowed Origins that you've defined in the CORS settings for user interface customization.

An old endpoint may look like:

  • https://login.microsoft.com/<tenant-name>.partner.onmschina.cn/<policy-name>/oauth2/v2.0/authorize

A corresponding updated endpoint would look like:

  • https://<tenant-name>.b2clogin.cn/<tenant-name>.partner.onmschina.cn/<policy-name>/oauth2/v2.0/authorize

Change identity provider redirect URLs

On each identity provider's website in which you've created an application, change all trusted URLs to redirect to your-tenant-name.b2clogin.cn instead of login.partner.microsoftonline.cn.

There are two formats you can use for your b2clogin.cn redirect URLs. The first provides the benefit of not having "Microsoft" appear anywhere in the URL, by using the Tenant ID (a GUID) in place of your tenant domain name:

https://{your-tenant-name}.b2clogin.cn/{your-tenant-id}/oauth2/authresp

The second option uses your tenant domain name in the form of your-tenant-name.partner.onmschina.cn. For example:

https://{your-tenant-name}.b2clogin.cn/{your-tenant-name}.partner.onmschina.cn/oauth2/authresp

For both formats:

  • Replace {your-tenant-name} with the name of your Azure AD B2C tenant.
  • Remove /te if it exists in the URL.
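The rewrite from the overview above (legacy host to <tenant-name>.b2clogin.cn for policy endpoints) and the redirect URL rules in this section, combined in one helper. This is an added example, not code from the Azure AD B2C documentation; it assumes the legacy host is login.partner.microsoftonline.cn or the login.microsoft.com form shown in the endpoint examples, and that the tenant domain has the <tenant-name>.partner.onmschina.cn shape. Endpoints with no policy (such as the client credentials flow) are returned unchanged, because the page says they are not affected.

```javascript
// Added example: migrate legacy Azure AD B2C URLs to the b2clogin.cn host.
// Assumption: legacy hosts are the two names below (the page shows both).
const LEGACY_HOSTS = new Set(["login.partner.microsoftonline.cn", "login.microsoft.com"]);
const TENANT_SUFFIX = ".partner.onmschina.cn";

// Returns the migrated URL, or the input unchanged when it is not an Azure AD
// B2C policy endpoint or B2C redirect URL (e.g. a client credentials token
// endpoint, which has no policy and is not affected by the change).
function migrateToB2clogin(urlString) {
  const url = new URL(urlString);
  if (!LEGACY_HOSTS.has(url.hostname)) return urlString;

  // Drop a legacy "/te" prefix if present ("Remove /te if it exists").
  let segments = url.pathname.split("/").filter(Boolean);
  if (segments[0] === "te") segments = segments.slice(1);

  const tenantDomain = segments[0] || "";
  if (!tenantDomain.endsWith(TENANT_SUFFIX)) return urlString;

  // Shapes that must move to b2clogin.cn:
  //   /<tenant>/<policy>/oauth2/...     policy in the path
  //   /<tenant>/oauth2/...?p=<policy>   policy as a query parameter
  //   /<tenant>/oauth2/authresp         identity provider redirect URL
  const policyInPath = segments[2] === "oauth2";
  const policyInQuery = segments[1] === "oauth2" && url.searchParams.has("p");
  const isAuthResp = segments[1] === "oauth2" && segments[2] === "authresp";
  if (!policyInPath && !policyInQuery && !isAuthResp) return urlString;

  const tenantName = tenantDomain.slice(0, -TENANT_SUFFIX.length);
  url.hostname = `${tenantName}.b2clogin.cn`;
  url.pathname = "/" + segments.join("/");
  return url.toString();
}

// Constructed sample inputs (hypothetical "contoso" tenant) for a quick check.
const SAMPLE_URLS = [
  "https://login.microsoft.com/contoso.partner.onmschina.cn/B2C_1_signupsignin1/oauth2/v2.0/authorize",
  "https://login.partner.microsoftonline.cn/contoso.partner.onmschina.cn/oauth2/v2.0/token?p=B2C_1_signupsignin1",
  "https://login.partner.microsoftonline.cn/te/contoso.partner.onmschina.cn/oauth2/authresp",
  "https://login.partner.microsoftonline.cn/contoso.partner.onmschina.cn/oauth2/v2.0/token",
];

function migrateAll(urls) {
  return urls.map(migrateToB2clogin);
}
```

Run migrateAll(SAMPLE_URLS) to see the three B2C URLs rewritten and the policy-less token endpoint left as-is.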

Update your applications and APIs

The code in your Azure AD B2C-enabled applications and APIs may refer to login.partner.microsoftonline.cn in several places. For example, your code might have references to user flows and token endpoints. Update the following to instead reference your-tenant-name.b2clogin.cn:

  • Authorization endpoint
  • Token endpoint
  • Token issuer

For example, the authority endpoint for Contoso's sign-up/sign-in policy would now be:

https://contosob2c.b2clogin.cn/00000000-0000-0000-0000-000000000000/B2C_1_signupsignin1

For migrating Azure API Management APIs protected by Azure AD B2C, see the Migrate to b2clogin.cn section of Secure an Azure API Management API with Azure AD B2C.

Microsoft Authentication Library (MSAL)

MSAL.NET ValidateAuthority property

If you're using MSAL.NET v2 or earlier, set the ValidateAuthority property to false on client instantiation to allow redirects to b2clogin.cn. Setting this value to false is not required for MSAL.NET v3 and above.

ConfidentialClientApplication client = new ConfidentialClientApplication(...); // Can also be PublicClientApplication
client.ValidateAuthority = false; // MSAL.NET v2 and earlier **ONLY**

MSAL for JavaScript validateAuthority property

If you're using MSAL for JavaScript v1.2.2 or earlier, set the validateAuthority property to false.

// MSAL.js v1.2.2 and earlier
this.clientApplication = new UserAgentApplication(
  env.auth.clientId,
  env.auth.loginAuthority,
  this.authCallback.bind(this),
  {
    validateAuthority: false // Required in MSAL.js v1.2.2 and earlier **ONLY**
  }
);

If you set validateAuthority: true in MSAL.js 1.3.0+ (the default), you must also specify a valid token issuer with knownAuthorities:

// MSAL.js v1.3.0+
this.clientApplication = new UserAgentApplication(
  env.auth.clientId,
  env.auth.loginAuthority,
  this.authCallback.bind(this),
  {
    validateAuthority: true, // Supported in MSAL.js v1.3.0+
    knownAuthorities: ['tenant-name.b2clogin.cn'] // Required if validateAuthority: true
  }
);

Next steps

For migrating Azure API Management APIs protected by Azure AD B2C, see the Migrate to b2clogin.cn section of Secure an Azure API Management API with Azure AD B2C.