[英]How to Implement Azure AD B2C Identity Experience Framework Sign-In with Optional Email OTP
我有一个业务需求,但我没有弄清楚如何实现它。
我的问题是 Orchestration 步骤 1 收集了 email 地址,然后我通过提供的 email 地址查询 AAD 并读取名为extension_EmailValidated的扩展属性。 如果该属性不是 TRUE,B2C 将强制用户执行 email OTP 验证,但是,Orchestration 步骤 2 不会让我预填充先前输入的 email 地址输入框并显示 OTP 按钮。 它只会让我做一个或另一个(希望有意义)。
我的 UserJourney 看起来像这样
<UserJourneys>
<UserJourney Id="B2CSignIn">
<OrchestrationSteps>
<!--User enters their email address-->
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADEmailDiscovery" TechnicalProfileReferenceId="AAD-EmailDiscovery" />
</ClaimsExchanges>
</OrchestrationStep>
<!--User enters their OTP-->
<OrchestrationStep Order="2" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>extension_EmailVerified</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADEmailVerification" TechnicalProfileReferenceId="AAD-EmailVerification" />
</ClaimsExchanges>
</OrchestrationStep>
<!--Set extension_EmailVerified to TRUE-->
<OrchestrationStep Order="3" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>extension_EmailVerified</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADUserWriteEmailVerifiedUsingEmail" TechnicalProfileReferenceId="AAD-UserWriteEmailVerifiedUsingEmail" />
</ClaimsExchanges>
</OrchestrationStep>
以下是第 1 步和第 2 步的技术资料。
<TechnicalProfile Id="AAD-EmailDiscovery">
<DisplayName>Initiate Email Address Verification For Local Account</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
<Item Key="language.button_continue">Continue</Item>
<Item Key="setting.showCancelButton">False</Item>
</Metadata>
<CryptographicKeys>
<Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
</CryptographicKeys>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="email" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email" />
<OutputClaim ClaimTypeReferenceId="extension_EmailVerified" DefaultValue="false" Required="true" />
</OutputClaims>
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
</ValidationTechnicalProfiles>
</TechnicalProfile>
<TechnicalProfile Id="AAD-EmailVerification">
<DisplayName>Initiate Email Address Verification For Local Account</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
<Item Key="language.button_continue">Continue</Item>
<Item Key="setting.showCancelButton">False</Item>
</Metadata>
<CryptographicKeys>
<Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
</CryptographicKeys>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="email" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
</OutputClaims>
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
</ValidationTechnicalProfiles>
</TechnicalProfile>
另一个非常令人困惑的问题是,我可以让 OTP 按钮出现在第 2 步的唯一方法是为 InputClaim 和 OutputClaims 添加“ParterClaimType=Verified.Email”——这是没有意义的。
如果我从 InputClaims 和 OutputClaims 中省略“ParterClaimType=Verified.Email”,我可以获得 email 地址以从步骤 1 中预填充。
<InputClaims>
<InputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
</OutputClaims>
非常感谢您的建议和指导。
谢谢!
这里的解决方案是将输入文本框设置为readOnly 。
通过声明转换发送在登录屏幕上收集的 email 以将其复制到一个名为readOnlyEmail的新声明。 该声明应定义为只读。
<ClaimType Id="readOnlyEmail">
<DisplayName>Email Address</DisplayName>
<DataType>string</DataType>
<UserHelpText/>
<UserInputType>Readonly</UserInputType>
</ClaimType>
将 email 声明复制到只读声明中
<ClaimsTransformation Id="CopySignInNameToReadOnly" TransformationMethod="FormatStringClaim">
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" TransformationClaimType="inputClaim" />
</InputClaims>
<InputParameters>
<InputParameter Id="stringFormat" DataType="string" Value="{0}" />
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="readOnlyEmail" TransformationClaimType="outputClaim" />
</OutputClaims>
</ClaimsTransformation>
然后使用 OutputClaimsTransformations 节点从您注册的技术配置文件调用声明转换。
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CopySignInNameToReadOnly" />
</OutputClaimsTransformations>
最后在email验证技术配置文件(selfAsserted technical profile)上,传入readOnly email进行验证:
<InputClaims>
<InputClaim ClaimTypeReferenceId="readOnlyEmail"/>
</InputClaims>
<OutputClaims>
<!-- Required claims -->
<OutputClaim ClaimTypeReferenceId="readOnlyEmail" PartnerClaimType="Verified.Email"/>
</OutputClaims>
这个概念在这里演示: https://github.com/azure-ad-b2c/samples/tree/master/policies/signin-email-verification
您只需要在该示例之上添加您的条件逻辑。
如何使用用户名 AND email 注册并使用用户名 OR email 使用 Azure AD B2C 本地帐户登录?
[英]How to Sign up using Username AND email and sign in with username OR email using Azure AD B2C local account?
Azure AD B2C 和 Microsoft Identity Web - 使用多个策略登录 (.net Core 3.1)
[英]Azure AD B2C & Microsoft Identity Web - Sign In with multiple policies (.net Core 3.1)
Azure Ad b2c:成功登录azure ad b2c后在Claims中获得email
[英]Azure Ad b2c: Get email in Claims after successfully Signin in azure ad b2c
如何以编程方式使用未经验证的域 email 登录 Azure AD B2C?
[英]How to programmatically log in to Azure AD B2C with non-verified domain email?
如何使用 Azure AD B2C 设置重定向 url 登录并注册 android 移动应用程序中的用户流程
[英]How to Set Redirect url using Azure AD B2C Sign in and Sign up userflows in android mobile application
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.