
Can you pass password claims between steps in Azure AD B2C Custom Policies?

My symptom is that after signing up using a multiple page custom policy, a user cannot sign in until they reset their password.

I am asking this as I spent many hours debugging a problem that it turns out could not be fixed. I found the answer under another question (Azure AD B2C Multi steps custom policy) that was differently worded but had similar symptoms.

I am posting here in the hope it is more easily found and helpful to others. Apologies if you think this is a duplicate.

I was looking for the same and have found a way to do multi-step sign up. I tried several methods, including an outputclaimstransformation to store the password in another claim, but that did not work out. Because I already needed to do some input validation against an API, I found a way to also copy the password to a new claim (plaintextPassword) that is not scoped to one orchestration step. This claim can be used in a later step to create the user account with the password provided by the plaintextPassword claim.

Create a self-asserted technical profile that has an inputclaim (the password) and a validation technical profile. In the validation technical profile you can copy the password to a claim of type string with an inputclaimstransformation. Then add the new claim as outputclaim to the validation profile and to the technical profile. See code below for an example:

  <ClaimType Id="plaintextPassword">
    <DisplayName>password</DisplayName>
    <DataType>string</DataType>
    <UserInputType>TextBox</UserInputType>
  </ClaimType>

  <ClaimType Id="password">
    <DisplayName>Your password</DisplayName>
    <DataType>string</DataType>
    <UserHelpText>Your password</UserHelpText>
    <UserInputType>Password</UserInputType>
  </ClaimType>

  <ClaimsTransformation Id="CopyPassword" TransformationMethod="FormatStringClaim">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="password" TransformationClaimType="inputClaim" />
    </InputClaims>
    <InputParameters>
      <InputParameter Id="stringFormat" DataType="string" Value="{0}" />
    </InputParameters>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="plaintextPassword" TransformationClaimType="outputClaim" />
    </OutputClaims>
  </ClaimsTransformation>

  <TechnicalProfile Id="SignUp-PasswordValidation">
    <DisplayName>Email signup</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <Item Key="ServiceUrl">url</Item>
      <Item Key="AuthenticationType">ClientCertificate</Item>
      <Item Key="SendClaimsIn">Body</Item>
    </Metadata>
    <CryptographicKeys>
      <Key Id="ClientCertificate" StorageReferenceId="B2C_1A_ClientCertificate" />
    </CryptographicKeys>
    <InputClaimsTransformations>
      <InputClaimsTransformation ReferenceId="CopyPassword" />
    </InputClaimsTransformations>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="claim_to_validate" PartnerClaimType="claim_to_validate" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="plaintextPassword" />
    </OutputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
  </TechnicalProfile>

  <TechnicalProfile Id="SignUp">
    <DisplayName>Email signup</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
      <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
      <Item Key="setting.retryLimit">3</Item>
    </Metadata>
    <CryptographicKeys>
      <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
    </CryptographicKeys>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="email" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="email" Required="true" />
      <OutputClaim ClaimTypeReferenceId="claim_to_validate" Required="true" />
      <OutputClaim ClaimTypeReferenceId="password" Required="true" />
      <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
      <OutputClaim ClaimTypeReferenceId="plaintextPassword" />
    </OutputClaims>
    <ValidationTechnicalProfiles>
      <!-- Must reference the validation profile defined above that runs CopyPassword -->
      <ValidationTechnicalProfile ReferenceId="SignUp-PasswordValidation" />
    </ValidationTechnicalProfiles>
  </TechnicalProfile>

In the technical profile where you create the user in AAD add this line:

  <PersistedClaim ClaimTypeReferenceId="plaintextPassword" PartnerClaimType="password"/>
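As an added example (not part of the answer above), here is how the pieces wire together in a user journey: step 1 runs the SignUp profile, whose validation profile copies password into plaintextPassword; a later step still has plaintextPassword available; the final step writes the account using it. The journey id, the second-step profile SignUp-Step2 and the claims-exchange ids are assumed names; the write profile follows the shape of the starter-pack AAD-UserWriteUsingLogonEmail.

```xml
<!-- Added example, not from the answer. "SignUpMultiStep", "SignUp-Step2" and the
     ClaimsExchange ids are assumed; the write profile mirrors the starter-pack layout. -->
<UserJourney Id="SignUpMultiStep">
  <OrchestrationSteps>
    <!-- Step 1: the self-asserted profile from the answer. Its validation profile
         (SignUp-PasswordValidation) copies "password" into "plaintextPassword". -->
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="SignUpExchange" TechnicalProfileReferenceId="SignUp" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 2: a second page. The Password-typed "password" claim is scoped to step 1,
         but "plaintextPassword" is an ordinary string claim and survives into this step. -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="SignUpStep2Exchange" TechnicalProfileReferenceId="SignUp-Step2" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 3: create the local account, persisting plaintextPassword as the password. -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingLogonEmail" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>

<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
    <!-- The line from the answer: the copied claim becomes the account password. -->
    <PersistedClaim ClaimTypeReferenceId="plaintextPassword" PartnerClaimType="password" />
    <PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration" />
  </PersistedClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
```

Because plaintextPassword is a plain string claim that stays in the claims bag for the whole journey, keep it out of the relying party's OutputClaims and out of the InputClaims of any REST technical profile so it is never emitted in a token or sent to an API.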

In short, no. See Azure AD B2C Multi steps custom policy.

A password claim is "scoped" to a given step. This means the orchestration step that collects the password claim from the end user must be the same step that writes it to the User object.

  <TechnicalProfile Id="SignUp-PasswordValidation">
    <Metadata>
      <Item Key="ServiceUrl">url</Item>
      <Item Key="AuthenticationType">ClientCertificate</Item>
      <Item Key="SendClaimsIn">Body</Item>
    </Metadata>

What is the url you used?

    <CryptographicKeys>
      <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
    </CryptographicKeys>

What was your application to create the Secret?

I was able to solve the problem. When we have to add the user information (LocalAccountSignUpWithLogonEmail) I removed the validation that called the technical profile that is written in AAD, I changed it to a validation that calls another technical profile. This will copy our password through a ClaimsTransformation that will save our password in another InputClaim to be visible in any other step of our flow.

  <ClaimType Id="plaintextPassword">
    <DisplayName>password</DisplayName>
    <DataType>string</DataType>
  </ClaimType>

  <ClaimType Id="passwordTransformation">
    <DisplayName>requestSocialRestSecondCall</DisplayName>
    <DataType>string</DataType>
  </ClaimType>

  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="TransformationPassword" />
  </ValidationTechnicalProfiles>

  <ClaimsProvider>
    <!-- Copy Password-->
    <DisplayName>Copy Password</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="TransformationPassword">
        <DisplayName>Copy Pass</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="passwordTransformation" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="passwordTransformation" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="Generate_TranformationPassword" />
        </OutputClaimsTransformations>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

  <ClaimsTransformation Id="Generate_TranformationPassword" TransformationMethod="CopyClaim">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="newPassword" TransformationClaimType="inputClaim" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="plaintextPassword" TransformationClaimType="outputClaim" />
    </OutputClaims>
  </ClaimsTransformation>
