How to pass and validate the signInEmail claim during External IDP login using Azure B2C custom policy?
This question is related to this one.
What we'd like to do is: at the moment the user clicks a button like Facebook OR Microsoft account OR Corporate AD in the Sign in page, call a validation technical profile to validate the email address the user is using to sign in.
I tried adding an OrchestrationStep like this:
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>idp</Value>
      <Value>CorporateAD</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="FetchMoreClaimsExchange" TechnicalProfileReferenceId="REST-ValidateSignInEmail" />
  </ClaimsExchanges>
</OrchestrationStep>
This is actually calling REST-ValidateSignInEmail because I see an error returned in the URL like this:
https://mywebsite.azurewebsites.net/#error=server_error&error_description=AADB2C%3a++is+disabled.%0d%0aCorrelation+ID%3a+bce3fd82-1111-4f17-ad99-ef7770ed8dda%0d%0aTimestamp%3a+2019-11-08+20%3a34%3a51Z%0d%0a&state=7b7c70e7-7a77-77d7-7d7e-7dd0e7b707e7
The message is+disabled is coming from the REST API I put together, but this obviously tells me that the email\signInEmail claim it expects as a parameter is not being sent\passed.
This is the Technical Profile:
<TechnicalProfile Id="REST-ValidateSignInEmail">
  <DisplayName>Validate Email</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">{Settings:AzureAppServiceUrl}/api/B2C/ValidateSignInEmail</Item>
    <Item Key="AuthenticationType">None</Item>
    <Item Key="SendClaimsIn">Body</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="UserEmail" />
  </InputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
Can you shed some light on how to approach this?

Generally after I post the question I keep fiddling with the code.
Got it working like this:
<TechnicalProfile Id="REST-ValidateSignInEmail">
  <DisplayName>Validate Email</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">{Settings:AzureAppServiceUrl}/api/B2C/ValidateSignInEmail</Item>
    <Item Key="AuthenticationType">None</Item>
    <Item Key="SendClaimsIn">Body</Item>
  </Metadata>
  <InputClaims>
    <!-- local-account sign-in: the address is in signInName -->
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="UserEmail" />
    <!-- external IDP sign-in: the address is in email -->
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="UserEmail" />
  </InputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
Note that I added a new InputClaim with ClaimTypeReferenceId="email". email is the claim value that is passed when using an external IDP.
This sample policy showed me that I could add the OrchestrationStep right before the JwtIssuer one. We can also have it without any preconditions like this:
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="REST-ValidateSignInEmail" TechnicalProfileReferenceId="REST-ValidateSignInEmail" />
  </ClaimsExchanges>
</OrchestrationStep>
Doing so, it'll get called for all IDPs.
Azure Active Directory B2C: Custom CIAM User Journeys
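An added example, not code from the question or the answer: a plain-Python emulation of what the ValidateSignInEmail endpoint receives when the technical profile posts its claims with SendClaimsIn=Body, plus a helper that decodes the redirect-URL error quoted in the question. The endpoint logic and the disabled-address list are assumptions; the 409 JSON shape is the documented B2C REST validation-error format, and the handler answers a missing UserEmail claim with an explicit message instead of the blank "  is disabled." that made the original problem hard to read.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: addresses the API treats as disabled.
DISABLED_EMAILS = {"blocked@example.com"}

# The error URL from the question (only the page-quoted value, nothing invented).
SAMPLE_ERROR_URL = (
    "https://mywebsite.azurewebsites.net/#error=server_error&error_description="
    "AADB2C%3a++is+disabled.%0d%0aCorrelation+ID%3a+bce3fd82-1111-4f17-ad99-ef7770ed8dda"
    "%0d%0aTimestamp%3a+2019-11-08+20%3a34%3a51Z%0d%0a&state=7b7c70e7-7a77-77d7-7d7e-7dd0e7b707e7"
)


def validate_sign_in_email(body: dict) -> tuple:
    """Assumed handler for /api/B2C/ValidateSignInEmail.

    B2C posts a JSON object keyed by the PartnerClaimType names of the
    technical profile's InputClaims (here "UserEmail"). Returning HTTP 409
    with {"version", "status", "userMessage"} makes B2C surface userMessage
    and stop the journey; a 200 body is read back as output claims.
    """
    email = (body.get("UserEmail") or "").strip()
    if not email:
        # Tell the policy author the claim never arrived, rather than
        # interpolating an empty string into the "is disabled" message.
        return 409, {"version": "1.0.0", "status": 409,
                     "userMessage": "UserEmail claim was not sent by the policy."}
    if email.lower() in DISABLED_EMAILS:
        return 409, {"version": "1.0.0", "status": 409,
                     "userMessage": f"{email} is disabled."}
    return 200, {"email": email}


def extract_b2c_error(redirect_url: str) -> dict:
    """Splits error, message, Correlation ID and Timestamp out of the URL fragment."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).fragment).items()}
    lines = params.get("error_description", "").splitlines()
    result = {"error": params.get("error", ""), "message": lines[0] if lines else ""}
    for line in lines[1:]:                      # "Correlation ID: ...", "Timestamp: ..."
        key, _, value = line.partition(": ")
        result[key.lower().replace(" ", "_")] = value
    return result


if __name__ == "__main__":
    print(json.dumps(extract_b2c_error(SAMPLE_ERROR_URL), indent=2))
    print(validate_sign_in_email({}))           # what the question's first attempt sent
    print(validate_sign_in_email({"UserEmail": "blocked@example.com"}))
```

The two spaces in the decoded message "AADB2C:  is disabled." are the empty UserEmail value, which is the quickest sign that the claim mapping, not the API, is at fault.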