错误70001尝试使用自定义Identity Experience Framework策略以Azure AD B2C用户身份登录
[英]Error 70001 trying to sign in as Azure AD B2C user with custom Identity Experience Framework policy
问题描述
We have a Web App secured with Azure AD B2C using custom Identity Experience Framework policies to allow users to register and sign in with social identities (Microsoft, Google, Facebook), or with an identity from another federated Azure AD instance, or with 'local' Email / Password accounts. 
我们拥有一个使用自定义Identity Experience Framework策略通过Azure AD B2C保护的Web应用程序,以允许用户使用社交身份(Microsoft,Google,Facebook),另一个联邦Azure AD实例的身份或“本地”身份进行注册和登录。电子邮件/密码帐户。
All the social accounts and the Federated AD work correctly. 所有的社交帐户和联合广告都能正常运行。 Sign up and sign in with Email/Password was working correctly, but we are now experiencing an error. 注册并使用“电子邮件/密码”登录正常,但现在遇到错误。 We haven't knowingly made any changes to our Email/Password configuration since this was last known to be working, so we're not sure how this has happened. 自从上次已知可以正常工作以来,我们没有对我们的电子邮件/密码配置进行任何更改,因此我们不确定这是如何发生的。
The issue is: Sign Up with a new Email Address works correctly, and after the process completes, the user is correctly logged-in, and their account appears in the directory. 问题是:使用新的电子邮件地址注册可以正常工作,并且在该过程完成之后,用户可以正确登录,并且其帐户显示在目录中。 If the user signs out, however, then any attempt to sign back in again fails: 但是,如果用户退出,则任何重新登录的尝试都会失败:
(Email address shown is not the actual one. Error has been repeated by multiple users with new and old email/password combinations.) (显示的电子邮件地址不是实际的电子邮件地址。使用新的和旧的电子邮件/密码组合的多个用户重复了此错误。)
Digging into the portal, the underlying error is revealed as: 深入门户网站,潜在的错误显示为:
70001 The application named X was not found in the tenant named Y. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.
This error appears sometimes to be related to a failure to grant permissions to an application in the portal. 该错误有时似乎与向门户网站中的应用程序授予权限失败有关。 We have tried removing and reinstating all permissions, and re-granting permissions. 我们尝试删除并恢复所有权限,然后重新授予权限。 This has not solved the issue. 这还没有解决问题。
Does anyone know what could be causing this issue, and in particular why sign up / sign in works correctly, but returning sign in does not? 有谁知道可能导致此问题的原因,尤其是为什么注册/登录可以正常工作,而返回登录却不起作用?
UPDATE: 更新:
Just to confirm that we have the IEF and Proxy IEF apps configured in the AD directory: 只是为了确认我们在AD目录中配置了IEF和Proxy IEF应用程序:
And we have the login-NonInteractive technical profile configured in TrustFrameworkExtensions.xml: 我们在TrustFrameworkExtensions.xml中配置了login-NonInteractive技术配置文件:
Having wired up Application Insights (following these instructions https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-troubleshoot-custom ), we're able to get to this more detailed error: 连接了Application Insights之后(按照这些说明https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-troubleshoot-custom ),我们可以做到这一点。更详细的错误:
AADSTS70001: Application with identifier 'ProxyIdentityExperienceFrameworkAppID' was not found in the directory weapageengine.onmicrosoft.com
The only place 'ProxyIdentityExperienceFrameworkAppID' appears in any of our custom policies is shown in the XML snipped above, but this seems correct as per the documentation here: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/3b4898fec3bf0014b320beffa6eb52ad68eb6111/SocialAndLocalAccounts/TrustFrameworkExtensions.xml#L38 - unless we are meant to update those 'DefaultValue' attributes as well? 上面的XML片段显示了在我们的任何自定义策略中唯一出现的“ ProxyIdentityExperienceFrameworkAppID”,但根据此处的文档,这似乎是正确的: https : //github.com/Azure-Samples/active-directory-b2c-custom -policy-starterpack / blob / 3b4898fec3bf0014b320beffa6eb52ad68eb6111 / SocialAndLocalAccounts / TrustFrameworkExtensions.xml#L38-除非我们也打算更新这些“ DefaultValue”属性?
Resolution: As per the answer below, it is necessary to update both the Metadata and the default values with the relevant app ids. 解决方案:按照下面的答案,有必要使用相关的应用程序ID更新元数据和默认值。 Worth noting that in the GitHub sample https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/3b4898fec3bf0014b320beffa6eb52ad68eb6111/SocialAndLocalAccounts/TrustFrameworkExtensions.xml#L38 the boilerplate values are differently cased, leading to our missing one in a replace-all: 值得注意的是,在GitHub示例https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/3b4898fec3bf0014b320beffa6eb52ad68eb6111/SocialAndLocalAccounts/TrustFrameworkExtensions.xml#L38中 ,样板前导值大小写不同替换掉我们丢失的一个:
1 个解决方案
解决方案1
3 已采纳 2018-04-07 00:33:31
The local account sign-in authenticates the end user against the Azure AD B2C directory and then reads the user object from it. 本地帐户登录针对Azure AD B2C目录对最终用户进行身份验证,然后从中读取用户对象。
The local account sign-up and the social account sign-in do not authenticate the end user against the Azure AD B2C directory. 本地帐户注册和社交帐户登录不会针对Azure AD B2C目录对最终用户进行身份验证。 The local account sign-up writes the user object to it. 本地帐户注册将用户对象写入其中。 The social account sign-in delegates authentication to the social identity provider and then either writes the user object to the Azure AD B2C directory if the user object does not exist or reads the user object from the Azure AD B2C directory if the user object does exist. 社交帐户登录将身份验证委派给社交身份提供者,然后如果用户对象不存在,则将用户对象写入Azure AD B2C目录,或者如果用户对象确实存在,则从Azure AD B2C目录读取用户对象。
To enable authentication of the end user by the local account sign-in against the Azure AD B2C directory, you must add the Identity Experience Framework applications to the Azure AD B2C directory and then configure these IEF applications with the login-NonInteractive technical profile . 若要通过本地帐户登录针对Azure AD B2C目录来对最终用户进行身份验证,必须将Identity Experience Framework应用程序添加到Azure AD B2C目录中 ,然后使用login-NonInteractive技术配置文件配置这些IEF应用程序 。
The local account sign-up and the social account sign-in do not require these applications. 本地帐户注册和社交帐户登录不需要这些应用程序。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.