
Azure B2C Login on Xamarin forms app with Face/TouchId/Fingerprint/Keychain integration with API

We are using Azure B2C for login/authentication of our users. This works fine on our website (social and email login etc). Our mobile app is built in Xamarin Forms and we are trying to build a native login experience (using native app controls vs. a web view within the app that B2C presents) that integrates natively with the device biometrics for login (FaceId, TouchId, fingerprint login). As you can imagine, doing this in the webview that Azure B2C requires doesn't allow a native login experience. The overall goal here is twofold:

  1. Build a native login experience
  2. Integrate with biometrics.

Question:

  1. Does Azure B2C have an API that enables this, especially so we can use authorization code flow without a UI? ROPC exists but does it integrate with social accounts too?
  2. If not, is there a way to integrate biometric login with Azure B2C on mobile when the login screen is presented in a webview? So that when the B2C login page in the webview is presented, a user can log in with touch/faceId and save that information to their keychain (on iOS and the equivalent on Android)

You need to use Webviews, and you can enable Biometric integration with webview type experience.

  1. You cannot integrate any service with Social Accounts and ROPC. Any integration with Social IdPs will need a webview.

  2. Yes, enable Keep Me Signed In for long lived sessions. Wrap the biometric code around the acquireTokenSilent() methods.

Then you have two options:

  1. You can hide the KMSI button, and use JavaScript to force select the KMSI checkbox in the login page using page customisation.

  2. You can rename the KMSI label on the login page to ask the user if they want to enrol in biometrics. Then after the login, your app will receive a claim in the token indicating whether the user opted in; use a claim resolver to achieve that.

Now you have a user logged into the App, with:

  1. 1 hour access token
  2. Potentially up to infinity long refresh token
  3. Multi day/year Azure AD B2C session cookie

Then, when the user re-attempts to open the app, or perform some action in the app, you will need to call acquireTokenSilent(). This MSAL method obtains a fresh access token for the required API resource/scope.

If the token is expired, or requires a different scope, then a new token is fetched.

You can wrap any action in your application with the biometric SDK.

 if (performingSomeAction && requiresBiometric)
   if (challengeBiometric succeeds)
     acquireTokenSilent() 
     //do someAction

Now if the refresh token has expired, then the web view will pop up, the long lived session cookie will be used to get new tokens. The acquireTokenSilent() method handles all of that already.
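
The pattern from the answer above, written out for MSAL.NET as an added example (it is not code from the original post). The class name, the method name and the `challengeBiometric` delegate, which stands in for whatever biometric SDK the app uses, are hypothetical. In MSAL.NET the silent call throws `MsalUiRequiredException` when the cached refresh token can no longer be used, so the example starts the interactive (web view) request itself in that case.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: gate token acquisition behind a biometric challenge.
// BiometricTokenGate and GetTokenForActionAsync are hypothetical names.
public sealed class BiometricTokenGate
{
    private readonly IPublicClientApplication _pca;          // built elsewhere with the app's B2C authority
    private readonly string[] _scopes;                       // scopes of the API the action calls
    private readonly Func<Task<bool>> _challengeBiometric;   // assumption: wraps the platform biometric SDK

    public BiometricTokenGate(IPublicClientApplication pca, string[] scopes,
                              Func<Task<bool>> challengeBiometric)
    {
        _pca = pca ?? throw new ArgumentNullException(nameof(pca));
        _scopes = scopes ?? throw new ArgumentNullException(nameof(scopes));
        _challengeBiometric = challengeBiometric ?? throw new ArgumentNullException(nameof(challengeBiometric));
    }

    // Returns an access token for the action, or null when the biometric challenge does not succeed.
    public async Task<string> GetTokenForActionAsync(bool requiresBiometric)
    {
        // Fail closed: a failed or cancelled challenge means no token request is made at all.
        if (requiresBiometric && !await _challengeBiometric())
            return null;

        var account = (await _pca.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                // Served from the cache, or redeemed with the refresh token, without any UI.
                var silent = await _pca.AcquireTokenSilent(_scopes, account).ExecuteAsync();
                return silent.AccessToken;
            }
            catch (MsalUiRequiredException)
            {
                // Refresh token expired or revoked: fall through to the web view.
            }
        }

        // Interactive request; a still-valid B2C session cookie (KMSI) can complete it
        // without the user retyping credentials. On Android, also pass the current
        // activity with WithParentActivityOrWindow(...) before ExecuteAsync().
        var interactive = await _pca.AcquireTokenInteractive(_scopes).ExecuteAsync();
        return interactive.AccessToken;
    }
}
```

The biometric check here is a local gate in app code; the tokens in the MSAL cache are not themselves bound to the biometric result.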
