
AAD B2C Migration - ROPC Sign In Custom Policy with Rest-API Integ with Legacy IDP - Is that supported?

I'm trying to do the seamless account migration listed here, since our passwords are hashed and our users are in a DB: https://github.com/azure-ad-b2c/user-migration

We are using a mobile device and have users to migrate from a database as part of the migration. I followed:

1) ROPC Custom Policy: https://docs.microsoft.com/en-us/azure/active-directory-b2c/ropc-custom?tabs=app-reg-ga

2) Defined custom attributes: https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes

3) Set up a REST API on the legacy IDP to return migrationStatus: https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-intro

However, I think ROPC with a REST API is not supported, because

ROPC has Protocol Name="OpenIdConnect", vs

SelfAsserted-LocalAccountSignin-Email has Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",

and I ran into the problem of:

Invalid technical profile with id "ResourceOwnerPasswordCredentials-OAUTH2" only the protocol handler ""Web.TPEngine.Providers.SelfAssertedAttributeProvider"" can have a ValidationTechnicalProfile

I stumbled upon these and noticed that seamless migration with a REST API during sign-in does not apply to ROPC (mobile devices)? Is that true?

https://docs.microsoft.com/en-us/azure/active-directory-b2c/self-asserted-technical-profile

https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect-technical-profile

Can someone tell me how we do migration during sign-in with REST API interaction for the ROPC grant_type?

User Journey

<UserJourney Id="ResourceOwnerPasswordCredentials">
  <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
  <OrchestrationSteps>      
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>

and here is the SelfAsserted-LocalAccountSignin-Email technical profile via the self-asserted protocol,

as I was not able to upload the ROPC technical profile with a ValidationTechnicalProfile via the OpenIdConnect protocol, because of the error stated before:

<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_isMigrated" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <!--Add user migration validation technical profiles before login-NonInteractive -->

    <!-- Populate extension_requireMigration into the claims pipeline -->
    <ValidationTechnicalProfile ReferenceId="Get-requiresMigration-status-signin" ContinueOnError="false" />

    <!-- If extension_requireMigration is true, call the legacy IdP via the REST API -->
    <ValidationTechnicalProfile ReferenceId="REST-ValidateProfile" ContinueOnError="false">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>extension_isMigrated</Value>
          <Value>True</Value>
          <Action>SkipThisValidationTechnicalProfile</Action>
        </Precondition>
      </Preconditions>
    </ValidationTechnicalProfile>

    <!-- If the API returned 'tokensuccess', write the new password and unmark the account for migration -->
    <ValidationTechnicalProfile ReferenceId="AAD-WritePasswordAndFlipMigratedFlag" ContinueOnError="false">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>requiresMigration</Value>
          <Value>False</Value>
          <Action>SkipThisValidationTechnicalProfile</Action>
        </Precondition>
      </Preconditions>
    </ValidationTechnicalProfile>

    <!-- Initiate a normal logon against Azure AD B2C -->
    <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

The ROPC technical profile, ResourceOwnerPasswordCredentials-OAUTH2, that I tried to upload is below; it failed with the said error:

    <TechnicalProfile Id="ResourceOwnerPasswordCredentials-OAUTH2">
      <DisplayName>Local Account SignIn</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
        <Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
        <Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
        <Item Key="METADATA">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>
        <Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>
        <Item Key="response_types">id_token</Item>
        <Item Key="response_mode">query</Item>
        <Item Key="scope">email openid</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="logonIdentifier" PartnerClaimType="username" Required="true" DefaultValue="{OIDC:Username}" />
        <InputClaim ClaimTypeReferenceId="password" Required="true" DefaultValue="{OIDC:Password}" />
        <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
        <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
        <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
        <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="XXXXXXXXXXXXX" />
        <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="XXXXXXXXXXX" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
        <OutputClaim ClaimTypeReferenceId="extension_isMigrated" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromObjectID" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
      <ValidationTechnicalProfiles>
        <!--Add user migration validation technical profiles before login-NonInteractive -->

        <!-- Populate extension_requireMigration into the claims pipeline -->
        <ValidationTechnicalProfile ReferenceId="Get-requiresMigration-status-signin" ContinueOnError="false" />

        <!-- If extension_requireMigration is true, call the legacy IdP via the REST API -->
        <ValidationTechnicalProfile ReferenceId="REST-ValidateProfile" ContinueOnError="false">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>extension_isMigrated</Value>
              <Value>True</Value>
              <Action>SkipThisValidationTechnicalProfile</Action>
            </Precondition>
          </Preconditions>
        </ValidationTechnicalProfile>

        <!-- If the API returned 'tokensuccess', write the new password and unmark the account for migration -->
        <ValidationTechnicalProfile ReferenceId="AAD-WritePasswordAndFlipMigratedFlag" ContinueOnError="false">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>requiresMigration</Value>
              <Value>False</Value>
              <Action>SkipThisValidationTechnicalProfile</Action>
            </Precondition>
          </Preconditions>
        </ValidationTechnicalProfile>

        <!-- Initiate a normal logon against Azure AD B2C -->
        <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>

Since it's an ROPC policy, it cannot contain any self-asserted flows. What you need to do is create a journey like this:

Orchestration steps:

Step 1. Read the user account using email in B2C, output extension_requiresMigration

Step 2. If extension_requiresMigration = True -> call the REST API to send the credentials to it. Return an error if the password is bad.

Step 3. If the REST API said the credentials are good -> write the user password to the B2C account

Step 4. Run the ROPC technical profile (login-NonInteractive)

Step 5. Read any other information from the account in AAD B2C

Step 6. Issue a token
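The six-step journey from the answer written out as an IEF UserJourney, so that the migration logic lives in orchestration-step preconditions instead of a ValidationTechnicalProfile on the OpenIdConnect profile (which is what the upload error rejects). This is an added example, not code from the question, the answer or Microsoft's user-migration sample: AAD-UserReadUsingLogonIdentifier is an assumed name for an AAD read profile keyed on the logonIdentifier claim the ROPC request carries, and the other profile ids are the ones already used on this page.

```xml
<UserJourney Id="ResourceOwnerPasswordCredentials">
  <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
  <OrchestrationSteps>
    <!-- Step 1: read the B2C account by the ROPC username and emit extension_requiresMigration (assumed profile name). -->
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="ReadUserByLogonIdentifier" TechnicalProfileReferenceId="AAD-UserReadUsingLogonIdentifier" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 2: run only when the flag equals True; a missing or False flag skips the step, and the REST profile fails the journey on a bad password. -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
          <Value>extension_requiresMigration</Value>
          <Value>True</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="ValidateAgainstLegacyIdp" TechnicalProfileReferenceId="REST-ValidateProfile" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 3: same guard; only reached if the legacy IdP accepted the credentials. -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
          <Value>extension_requiresMigration</Value>
          <Value>True</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="WritePasswordAndFlipFlag" TechnicalProfileReferenceId="AAD-WritePasswordAndFlipMigratedFlag" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 4: the ordinary ROPC validation, now that B2C holds the password. -->
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="RopcLogin" TechnicalProfileReferenceId="login-NonInteractive" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Steps 5 and 6: read the rest of the account and issue the token. -->
    <OrchestrationStep Order="5" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>
```

The ExecuteActionsIf="false" form is chosen deliberately: ClaimEquals only evaluates true when the claim exists and matches, so an already-migrated account whose flag is absent is skipped past the REST call rather than sent to the legacy IdP again.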
