
Azure B2C - Accept query params into OAuth2 JWT

I was curious if it was possible to read query parameters when requesting an OAuth2 token through Azure?

Essentially, when making a test call with a policy that I created, I would like to have additional query parameters read from the call, and the orchestration (user journey) steps should read these values and inject that value into a custom claim (for the JWT or ID token).

I know from the following links that it may* be possible with the Azure B2C service? But I can't find any good concrete examples.

Sign-up policy - Set user attributes through code

Add Custom Attribute Not Used in Sign-Up nor Edit Policy

How can I return the PolicyId Claim after executing my Custom SignUpSignIn policy?

How do I include email in the redirect to AZURE AD B2C

I then proceeded in trying a bunch of configurations out, but there are so many options to choose from that I don't know which to choose. In addition, I haven't been able to find any Azure docs that describe the options used when configuring these policies. In any case, here is what I have.

I downloaded the TrustFrameworkBase.xml and TrustFrameworkExtensions.xml from here. I got this GitHub link from this Azure doc; I also followed its steps on setting up policy keys and added an app registration with delegated permissions. For my relying party configuration, I simply made a custom policy through the Azure B2C portal and downloaded it as a starting point to explore what it looks like in a basic form.

Here is my custom claim added to the base policy within the ClaimsSchema tag. extension_Test is the claim where I want to inject the value from a query param:

<ClaimsSchema>
  <!-- the existing ClaimType definitions from TrustFrameworkBase.xml precede this one -->
  <ClaimType Id="extension_Test">
    <DisplayName>Test value</DisplayName>
    <DataType>string</DataType>
    <DefaultPartnerClaimTypes>
      <Protocol Name="OAuth2" PartnerClaimType="extension_Test" />
      <Protocol Name="OpenIdConnect" PartnerClaimType="extension_Test" />
    </DefaultPartnerClaimTypes>
    <UserInputType>Readonly</UserInputType>
  </ClaimType>
</ClaimsSchema>

In the same base policy, here's the user journey that I added for SignIn:

<UserJourney Id="SignIn">
  <OrchestrationSteps>
    <!-- The following orchestration step is always executed. -->
    <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselection.signupsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountRegistrationExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountRegistrationExchange" TechnicalProfileReferenceId="LocalAccount-Registration-VerifiedEmail" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Issue the token; JwtIssuer is the technical profile that builds and signs it. -->
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>

Here's my relying party config XML:

<RelyingParty>
    <DefaultUserJourney ReferenceId="SignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="extension_Test" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="extension_Test" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>

I think I uploaded the base, extensions and RP policy XML files in that order. The GET request that I'm sending looks like this (taken from the "Run now" button for the custom policy):

https://login.microsoftonline.com/<TENANT>/oauth2/v2.0/authorize?p=B2C_1A_test&client_id=<TENANTID>&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect&scope=openid&response_type=id_token&prompt=login&extension_Test=aaa

Any help would be greatly appreciated, thanks! Or Azure documents that explain more options within these config files - as in, what does CpimIssuerTechnicalProfileReferenceId="JwtIssuer" mean? Or what does AzureFunction-WrapWebHook mean?

You are close.

An end-to-end example of inputting a claim to a journey, then using it in this journey (e.g. pre-conditions or storage) as well as outputting it from the journey, can be found in this "Implementing an invitation flow" document (which I authored).

The high-level solution is:

1) At design-time, configure the relying party policy with the input claim.

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <InputTokenFormat>JWT</InputTokenFormat>
    <CryptographicKeys>
      <Key Id="client_secret" StorageReferenceId="B2C_1A_MySharedSecret" />
    </CryptographicKeys>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="extension_Test" />
    </InputClaims>
    <OutputClaims>
      ...
      <OutputClaim ClaimTypeReferenceId="extension_Test" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>

You must create a policy key (in the above example, this is called "MySharedSecret", but it can be called anything) containing a shared secret that is known to the application that is invoking this policy (where the client secret for this application can be this shared secret).

2) At runtime, create a self-issued JWT containing the input claim, sign this JWT with the shared secret, and then add the JWT to the authentication request using the "client_assertion_type" and "client_assertion" parameters.

The code example for this can be found in the Wingtip sample.

An example of the authentication request is:

https://login.microsoftonline.com/b2ctechready.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1a_invitation&...&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGci...7m9s&state=CfDJ8EPk...Et0w
