oauth-2.0 - B2C custom policy: skipping sign-up for AAD via authenticationSource ends with AADB2C90037
Problem description
I have integrated multi-tenant Azure AD with B2C using a custom policy, and I don't want to show the sign-up page to an Azure AD user the first time they try to sign in. So, using Preconditions, I'm trying to skip the sign-up page for AD sign-in users. But it gives me the following error: AADB2C90037: An error occurred while processing the request. Please contact administrator of the site you are trying to access.
But if the second precondition is removed from step 4, it doesn't give the error, and it brings up the sign-up page, which is not what I want. My claims provider and the preconditions in the user journey are shown below.
signin_signup policy file
<RelyingParty>
<DefaultUserJourney ReferenceId="SignUpOrSignInAD" />
<UserJourneyBehaviors>
<JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="xxxxxxxxx" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
<OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
<!-- <OutputClaim ClaimTypeReferenceId="identityProvider" /> -->
<OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
<OutputClaim ClaimTypeReferenceId="TnCs" />
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="SignInemails" />
<OutputClaim ClaimTypeReferenceId="signInName" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="upnUserName" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
AD claims provider
<ClaimsProvider>
<Domain>commonaad</Domain>
<DisplayName>Common AAD</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="Common-AAD">
<DisplayName>Multi-Tenant AAD</DisplayName>
<Description>Login with your Contoso account</Description>
<Protocol Name="OAuth2"/>
<Metadata>
<Item Key="AccessTokenEndpoint">https://login.microsoftonline.com/organizations/oauth2/v2.0/token</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="ClaimsEndpoint">https://graph.microsoft.com/v1.0/me</Item>
<Item Key="client_id">xxxxxxxxxxxxxxxxxxxxxxxxxxx</Item>
<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="IdTokenAudience">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</Item>
<Item Key="response_types">code</Item>
<Item Key="scope">https://graph.microsoft.com/user.read</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_AADAppSecret"/>
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="ExternalAD" AlwaysUseDefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="idp" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="mail" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname" />
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id"/>
<OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="userPrincipalName" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAzureADIdentityProvider" />
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
Orchestration step used to skip sign-up
<OrchestrationStep Order="4" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>authenticationSource</Value>
<Value>ExternalAD</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
</ClaimsExchanges>
</OrchestrationStep>
Solution
Your approach is correct, since you skip the step that would do this. However, I don't think Azure AD issues a claim named "objectId", so it is empty. As a result, when B2C tries to issue the token, it can't. Check your App Insights logs to see the AAD token being returned and map the claims correctly to B2C's claimIds.
See the AAD token reference here: https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens
In your Common-AAD technical profile, it should look something like this:
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid"/>
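As an added example (not part of the original question or answer, and not an Azure AD B2C tool), the script below performs two checks that would have caught the problem in this thread before deploying the policy: it lists OutputClaims of OAuth2/OpenIdConnect technical profiles that have neither a PartnerClaimType nor a DefaultValue (so nothing in the provider's response can ever populate them, which is the objectId case above), and it evaluates an orchestration step's Preconditions against a claims bag to show which precondition skips step 4 and why. The policy fragment is constructed for the example, modelled on the question's Common-AAD profile and step 4; the precondition semantics are the documented ones (evaluated in order, the first precondition whose result equals ExecuteActionsIf runs its Action), with the assumption that ClaimsExist requires a non-empty value.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the question's Common-AAD profile and step 4.
SAMPLE_POLICY = """
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <TechnicalProfile Id="Common-AAD">
    <Protocol Name="OAuth2"/>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" />
      <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
      <OutputClaim ClaimTypeReferenceId="authenticationSource"
                   DefaultValue="ExternalAD" AlwaysUseDefaultValue="true" />
    </OutputClaims>
  </TechnicalProfile>
  <OrchestrationStep Order="4" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
        <Value>objectId</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
      <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
        <Value>authenticationSource</Value>
        <Value>ExternalAD</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
  </OrchestrationStep>
</TrustFrameworkPolicy>
"""


def _local(tag):
    """Strip the B2C namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def unmapped_output_claims(policy_xml):
    """(technicalProfileId, claimType) pairs for output claims of federated
    (OAuth2 / OpenIdConnect) profiles that can never receive a value:
    no PartnerClaimType to read from the provider and no DefaultValue."""
    root = ET.fromstring(policy_xml)
    findings = []
    for tp in _find_all(root, "TechnicalProfile"):
        protocols = _children(tp, "Protocol")
        if not protocols or protocols[0].get("Name") not in ("OAuth2", "OpenIdConnect"):
            continue
        for block in _children(tp, "OutputClaims"):
            for oc in _children(block, "OutputClaim"):
                if oc.get("PartnerClaimType") is None and oc.get("DefaultValue") is None:
                    findings.append((tp.get("Id"), oc.get("ClaimTypeReferenceId")))
    return findings


def precondition_holds(pre, claims):
    """Evaluate one Precondition element against a dict of claims."""
    values = [v.text.strip() for v in _children(pre, "Value")]
    kind = pre.get("Type")
    if kind == "ClaimsExist":
        # Assumption: a claim counts as existing only with a non-empty value.
        return all(claims.get(v) not in (None, "") for v in values)
    if kind == "ClaimEquals":
        claim_type, expected = values[0], values[1]
        return claims.get(claim_type) == expected
    raise ValueError("unsupported precondition type: %s" % kind)


def step_action(policy_xml, order, claims):
    """Return the Action of the first precondition (in document order) whose
    result matches its ExecuteActionsIf, or None if the step executes."""
    root = ET.fromstring(policy_xml)
    for step in _find_all(root, "OrchestrationStep"):
        if step.get("Order") != str(order):
            continue
        for block in _children(step, "Preconditions"):
            for pre in _children(block, "Precondition"):
                want = pre.get("ExecuteActionsIf", "true").lower() == "true"
                if precondition_holds(pre, claims) == want:
                    return _children(pre, "Action")[0].text.strip()
        return None
    raise KeyError("no orchestration step with Order=%s" % order)


if __name__ == "__main__":
    print(unmapped_output_claims(SAMPLE_POLICY))
    # Claims bag after a first-time AAD sign-in: objectId was never mapped.
    bag = {"authenticationSource": "ExternalAD", "tenantId": "tenant-1"}
    print(step_action(SAMPLE_POLICY, 4, bag))
```

Run against the sample, the first check reports `('Common-AAD', 'objectId')`, and the second shows that step 4 is skipped by the ClaimEquals precondition even though objectId is absent, which is exactly the combination that leaves B2C without a subject when it comes to issue the token. Pointing the script at a real policy file only requires reading the file into `policy_xml`; the namespace-stripping helpers keep it working on the full TrustFrameworkPolicy with its default xmlns.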