
How to add email claim in Azure B2C password change custom policy

I'm using a custom policy to reset the password. The policy is taken from here: Custom Policy

Unlike other policies, I can't get the user email into the token with this policy. I tried adding the output claims as added in other policy files (sign in or sign up), but the email is not in the token.

I saw some questions about adding the claim, but none of them worked. What am I doing wrong? Can anyone help me with this?

Here are my policy files attached.

B2C_1A_profile_edit_password_change.xml

<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="tenant.onmicrosoft.com" PolicyId="B2C_1A_profile_edit_password_change" PublicPolicyUri="http://noviraldev.onmicrosoft.com/B2C_1A_profile_edit_password_change" TenantObjectId="f0caf792-6088-4f52-b07c-21041799686c">
  <BasePolicy>
    <TenantId>tenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="PasswordChange" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

B2C_1A_TrustFrameworkExtensions.xml

<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="tenant.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkExtensions" PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions" TenantObjectId="f0caf792-6088-4f52-b07c-21041799686c">
  <BasePolicy>
    <TenantId>tenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="oldPassword">
        <DisplayName>Old Password</DisplayName>
        <DataType>string</DataType>
        <UserHelpText>Enter password</UserHelpText>
        <UserInputType>Password</UserInputType>
      </ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">53e477b7-b9cb-4443-be98-6089c52b57dc</Item>
            <Item Key="IdTokenAudience">e6ccbd4f-7897-4485-9971-eac4769d90c1</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="53e477b7-b9cb-4443-be98-6089c52b57dc" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="e6ccbd4f-7897-4485-9971-eac4769d90c1" />
          </InputClaims>
        </TechnicalProfile>
        <TechnicalProfile Id="login-NonInteractive-PasswordChange">
          <DisplayName>Local Account SignIn</DisplayName>
          <Protocol Name="OpenIdConnect" />
          <Metadata>
            <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
            <Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
            <Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item>
            <Item Key="ProviderName">https://sts.windows.net/</Item>
            <Item Key="METADATA">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>
            <Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>
            <Item Key="response_types">id_token</Item>
            <Item Key="response_mode">query</Item>
            <Item Key="scope">email openid</Item>
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="HttpBinding">POST</Item>
            <Item Key="client_id">53e477b7-b9cb-4343-be98-6089c52b57dc</Item>
            <Item Key="IdTokenAudience">e6ccbd4f-7897-4385-9971-eac4769d90c1</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
            <InputClaim ClaimTypeReferenceId="oldPassword" PartnerClaimType="password" Required="true" />
            <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
            <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
            <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="53e477b7-b9cb-4443-be98-6089c52b57dc" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="e6ccbd4f-7897-4485-9971-eac4769d90c1" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
            <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
            <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
            <OutputClaim ClaimTypeReferenceId="isNewUser" PartnerClaimType="extension_IsNewUser" />
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>Local Account Password Change</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="LocalAccountWritePasswordChangeUsingObjectId">
          <DisplayName>Change password (username)</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
          </CryptographicKeys>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="objectId" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="oldPassword" Required="true" />
            <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
            <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
          </OutputClaims>
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="login-NonInteractive-PasswordChange" />
            <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId" />
          </ValidationTechnicalProfiles>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="PasswordChange">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>

In the OrchestrationStep Order="3" or in Order="5", add the technical profile "AAD-UserReadUsingObjectID"; this will help in getting the details of the logged-in user like emailAddress, givenName, etc.

<TechnicalProfile Id="AAD-UserReadUsingObjectId">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <OutputClaims>
    <!-- Optional claims -->
    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="otherMails" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

and then in the Relying Party add the line below:

    <OutputClaim ClaimTypeReferenceId="signInName" />

or

    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress"/>
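The answer above in one piece, as an added example that is not part of the original question or answer: the question's PasswordChange journey with an extra ClaimsExchange step that reads the user by objectId before SendClaims, and the relying-party output claims with the email added. It assumes AAD-UserReadUsingObjectId and the signInNames.emailAddress claim type are available from the base policy (as in the starter pack); the ClaimsExchange Id "AADUserReadWithObjectId" is a name chosen here.

```xml
<!-- Added example (not the question's or answer's own code). The read step must run
     before SendClaims so the email is in the claims bag when the token is issued. -->
<UserJourney Id="PasswordChange">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninEmailExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- New step: read the signed-in user's profile (email, displayName, ...) by objectId.
         "AADUserReadWithObjectId" is an exchange id chosen for this example. -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- The remaining steps are the question's own, renumbered. -->
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>

<!-- Relying-party file (B2C_1A_profile_edit_password_change): emit the stored email
     in the token; PartnerClaimType="email" gives it the standard OIDC claim name. -->
<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
  <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
  <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
</OutputClaims>
```

If the claim still does not appear, confirm in the extensions file that the read technical profile actually lists signInNames.emailAddress as an output claim, since only claims present in the claims bag at the SendClaims step can be emitted.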
