
问题描述

我已使用自定义策略将 Azure AD 多租户与 B2C 集成,并且我不希望 Azure AD 用户第一次尝试登录时看到注册页面。因此我使用 Preconditions 尝试跳过 AD 登录用户的注册页面。但是它给了我以下错误:AADB2C90037: An error occurred while processing the request. Please contact administrator of the site you are trying to access. 但是如果从第 4 步中删除第二个先决条件,就不会报错,只是会显示我并不想要的注册页面。我的声明提供者(Claims Provider)和用户旅程中的先决条件如下。

signin_signup 策略文件

 <!-- Relying party section of the signin_signup policy: runs the SignUpOrSignInAD
      journey and declares which claims are returned to the application. -->
 <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignInAD" />

    <UserJourneyBehaviors>
      <!-- NOTE(review): JourneyInsights sends journey telemetry, including claim values,
           to Application Insights. DeveloperMode="true" looks like a development-only
           setting; confirm it is false (or the element is removed) before production,
           and keep the real InstrumentationKey out of shared policy files. -->
      <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="xxxxxxxxx" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
     <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <!-- signInNames.emailAddress is output twice (here and again below as
             "SignInemails"); presumably intentional, but verify the policy uploads
             without a duplicate output-claim validation error. -->
        <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
        <OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" />
        <!-- objectId is emitted as "sub" and "sub" is also the token subject
             (SubjectNamingInfo below). If objectId is still empty when the journey
             reaches issuance no token can be built; per the answer, that is the
             failure behind AADB2C90037 when the registration step is skipped. -->
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <!-- <OutputClaim ClaimTypeReferenceId="identityProvider" /> -->
        <!-- AlwaysUseDefaultValue="true" overwrites tenantId with the B2C tenant's own
             object id, so the home-tenant id ("tid") collected by the Common-AAD profile
             never reaches the application. If the app must know which Azure AD tenant
             the user came from, emit that value under a separate claim or drop the
             override. -->
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
        <OutputClaim ClaimTypeReferenceId="TnCs" />
        <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="SignInemails" />
        <OutputClaim ClaimTypeReferenceId="signInName" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="upnUserName" />
        <!-- Set to the fixed value "ExternalAD" by the Common-AAD profile; for any other
             sign-in path (not shown here) it holds whatever that provider sets. -->
        <OutputClaim ClaimTypeReferenceId="authenticationSource" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>

AD 声明提供者(Claims Provider)

  <!-- Multi-tenant Azure AD federation over the OAuth2 protocol. The
       login.microsoftonline.com/organizations endpoints accept work/school accounts
       from any Azure AD tenant, so tenant restriction (if wanted) has to be done by
       this profile's issuer validation or later in the journey. -->
  <ClaimsProvider>
  <Domain>commonaad</Domain>
  <DisplayName>Common AAD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Common-AAD">
      <DisplayName>Multi-Tenant AAD</DisplayName>
      <Description>Login with your Contoso account</Description>
      <Protocol Name="OAuth2"/>
      <Metadata>
    <Item Key="AccessTokenEndpoint">https://login.microsoftonline.com/organizations/oauth2/v2.0/token</Item>
    <Item Key="authorization_endpoint">https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize</Item>
    <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
    <!-- Claims are read from Microsoft Graph /me. The user's object id in that
         response is the "id" field (mapped to issuerUserId below), not "oid" or
         "objectId"; "tid" is an id_token claim and is not part of the /me payload. -->
    <Item Key="ClaimsEndpoint">https://graph.microsoft.com/v1.0/me</Item>
    <Item Key="client_id">xxxxxxxxxxxxxxxxxxxxxxxxxxx</Item>
    <!-- id_token validation settings. NOTE(review): the scope below does not request
         "openid", so whether an id_token is returned at all (and hence whether
         "oid"/"tid" are available to map) should be confirmed from the App Insights
         trace of the AAD response. -->
    <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="IdTokenAudience">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</Item>
    <Item Key="response_types">code</Item>
    <Item Key="scope">https://graph.microsoft.com/user.read</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <!-- Security: this is a prefix match on the issuer, so an id_token from ANY tenant
         under login.microsoftonline.com/ is accepted. If only specific tenants may
         sign in, narrow the prefix(es) to those tenant ids or enforce an allow-list on
         the tenantId claim inside the journey. -->
    <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
      </Metadata>

      <CryptographicKeys>
        <!-- Client secret is referenced from the B2C policy key store, never inlined. -->
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AADAppSecret"/>
      </CryptographicKeys>
      <OutputClaims>
        <!-- No PartnerClaimType, so B2C looks for a claim literally named "objectId"
             in the provider response; per the answer nothing of that name is returned,
             leaving objectId empty for a user not yet written to the B2C directory. -->
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <!-- Constant marker for this provider; the journey's preconditions key off it. -->
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="ExternalAD" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="idp" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="mail" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname" />
        <!-- Graph "id" is the home-tenant object id of the user. -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id"/>
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="userPrincipalName" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAzureADIdentityProvider" />
        <!-- The transformation definitions are not shown; presumably these build the
             alternative security id (issuer + issuerUserId) that the directory uses to
             look up and write the federated account. Verify against the base policy. -->
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

用于跳过注册的 Orchestrator 步骤

<!-- Step 4: the self-asserted registration page. Either precondition skips the step. -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
          <Preconditions>
            <!-- Skip when the user is already known to the directory (objectId set). -->
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <!-- Skip for every federated AAD user (Common-AAD always sets "ExternalAD").
                 NOTE(review): on a FIRST sign-in this removes the only step that, in the
                 usual journey layout, writes the federated account to the B2C directory
                 and returns objectId. Without another step that performs that write for
                 ExternalAD users, objectId stays empty and token issuance fails
                 (AADB2C90037). Guard a step calling the same directory-write technical
                 profile that SelfAsserted-Social's validation uses with this precondition
                 instead of skipping the write altogether. -->
           <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
             <Value>authenticationSource</Value>
              <Value>ExternalAD</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
          </ClaimsExchanges>
        </OrchestrationStep>

标签: oauth-2.0, azure-ad-b2c

解决方案


你的方法是正确的,跳过这一步就能实现你的目标。但是,我认为 Azure AD 不会发出名为“objectId”的声明,因此该声明为空;由于信赖方策略中的 sub 声明来自 objectId,当 B2C 尝试颁发令牌时就会失败。请检查你的 Application Insights 日志,查看 AAD 返回的令牌,并把其中的声明正确映射到 B2C 的 ClaimType。

请在此处查看 AAD 令牌参考:https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens

在你的 Common-AAD 技术配置文件(TechnicalProfile)中,应该是这样的:

<!-- NOTE(review): "oid" is an id_token claim; it is only available if the AAD token
     response actually includes an id_token (the profile's scope does not request
     "openid", so confirm this in the trace). The value is the user's home-tenant object
     id, not a B2C directory object id, so any later step that reads the B2C user by
     objectId will not find a record unless the account has been written. -->
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid"/>
