How to pass and validate the signInEmail claim during External IDP login using Azure B2C custom policy?

This question is related to this one.

What we'd like to do is: at the moment the user clicks a button like Facebook OR Microsoft account OR Corporate AD on the Sign in page, call a validation technical profile to validate the email address the user is using to sign in.

I tried adding an OrchestrationStep like this:

<OrchestrationStep Order="4" 
  Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" 
      ExecuteActionsIf="false">
      <Value>idp</Value>
      <Value>CorporateAD</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="FetchMoreClaimsExchange" 
      TechnicalProfileReferenceId="REST-ValidateSignInEmail" />
  </ClaimsExchanges>
</OrchestrationStep>

This is actually calling REST-ValidateSignInEmail, because I see an error returned in the URL like this:

https://mywebsite.azurewebsites.net/#error=server_error&error_description=AADB2C%3a++is+disabled.%0d%0aCorrelation+ID%3a+bce3fd82-1111-4f17-ad99-ef7770ed8dda%0d%0aTimestamp%3a+2019-11-08+20%3a34%3a51Z%0d%0a&state=7b7c70e7-7a77-77d7-7d7e-7dd0e7b707e7

The message "is+disabled" is coming from the REST API I put together, but this obviously tells me that the email/signInEmail claim it expects as a parameter is not being sent/passed.

This is the Technical Profile:

<TechnicalProfile Id="REST-ValidateSignInEmail">
    <DisplayName>Validate Email</DisplayName>
    <Protocol Name="Proprietary"
            Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
       <Item Key="ServiceUrl">{Settings:AzureAppServiceUrl}/api/B2C/ValidateSignInEmail</Item>
       <Item Key="AuthenticationType">None</Item>
       <Item Key="SendClaimsIn">Body</Item>
    </Metadata>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName"
              PartnerClaimType="UserEmail" />
    </InputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

Can you shed some light on how to approach this?

Generally after I post the question I keep fiddling with the code.

Got it working like this:

<TechnicalProfile Id="REST-ValidateSignInEmail">
    <DisplayName>Validate Email</DisplayName>
    <Protocol Name="Proprietary"
            Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
       <Item Key="ServiceUrl">{Settings:AzureAppServiceUrl}/api/B2C/ValidateSignInEmail</Item>
       <Item Key="AuthenticationType">None</Item>
       <Item Key="SendClaimsIn">Body</Item>
    </Metadata>
    <InputClaims>
        <!-- local accounts: the address the user typed in -->
        <InputClaim ClaimTypeReferenceId="signInName"
              PartnerClaimType="UserEmail" />
        <!-- external IDPs: the address returned by the provider -->
        <InputClaim ClaimTypeReferenceId="email"
              PartnerClaimType="UserEmail" />
    </InputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

Note that I added a new InputClaim with ClaimTypeReferenceId="email". email is the claim value that is passed when using an external IDP.

This sample policy showed me that I could add the OrchestrationStep right before the JwtIssuer one. We can also have it without any preconditions like this:

<OrchestrationStep Order="7"
  Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="REST-ValidateSignInEmail"
      TechnicalProfileReferenceId="REST-ValidateSignInEmail" />
  </ClaimsExchanges>
</OrchestrationStep>

Doing so, it'll get called for all IDPs.


Azure Active Directory B2C: Custom CIAM User Journeys
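The REST side of the exchange above, as an added example that is not the asker's API or Microsoft's code: a minimal validation endpoint for the body that the REST-ValidateSignInEmail profile posts (SendClaimsIn=Body, so the address arrives under the PartnerClaimType key UserEmail). It rejects with the B2C error contract (HTTP 409 plus version/status/userMessage) and, for the empty-claim case that produced the " is disabled." message in the question, reports the missing claim instead. The deny-list and the validatedEmail output claim name are constructed for the example.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed deny-list standing in for whatever store the real API consults.
DISABLED_EMAILS = {"blocked.user@example.com"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def b2c_error(status, message):
    """Error body in the shape the B2C RestfulProvider shows to the user (version 1.0.0)."""
    return status, {"version": "1.0.0", "status": status, "userMessage": message}

def validate_sign_in_email(raw_body: bytes):
    """Handle the POST sent by REST-ValidateSignInEmail. Returns (http_status, json_body)."""
    # B2C puts each InputClaim in the JSON body under its PartnerClaimType ("UserEmail").
    try:
        body = json.loads(raw_body or b"{}")
    except ValueError:
        return b2c_error(400, "Malformed request body.")
    if not isinstance(body, dict):
        return b2c_error(400, "Request body must be a JSON object.")
    email = (body.get("UserEmail") or "").strip().lower()
    if not email:
        # The case from the question: the claim was never mapped, so the body
        # carries no address. Say so instead of emitting " is disabled.".
        return b2c_error(409, "No sign-in email was supplied to the validation service.")
    if not EMAIL_RE.match(email):
        return b2c_error(409, "The sign-in email address is not valid.")
    if email in DISABLED_EMAILS:
        return b2c_error(409, f"{email} is disabled.")
    # 200 with a JSON object; a key becomes a claim only if the technical
    # profile declares it as an OutputClaim (validatedEmail is a hypothetical name).
    return 200, {"validatedEmail": email}

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        status, payload = validate_sign_in_email(self.rfile.read(length))
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run it locally and point ServiceUrl at it (AuthenticationType None, as in the profile) to watch what B2C actually posts for a local versus an external-IDP sign-in.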
