azure - 使用 azure b2c、MFA 和 REST API 时如何重置 MFA 并获取新的 QR
问题描述
我已经按照https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp在 azure B2C 中构建 MFA 并且运行良好。只是一个问题,用户扫描二维码并注册手机后,如果他们想使用另一部手机或重置他们的 MFA,他们如何才能重新获得二维码?
解决方案
我创建了一个允许重新创建 QR 码的策略。
先决条件:您已经能够在您的租户中运行此示例。
将此添加到TrustFrameworkExtension.xml:
<UserJourney Id="EditQR" DefaultCpimIssuerTechnicalProfileReferenceId="JwtIssuer">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
<ClaimsProviderSelections>
<ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninEmailExchange" />
</ClaimsProviderSelections>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Demo: The following orchestration step is alwasy executed.
It generates a verification app secret key for the user (none interactive step). -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AppFactorGenerateTotpWebHook" TechnicalProfileReferenceId="AppFactor-GenerateTotpWebHook" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Demo: The following orchestration step is alwasy executed.
It registers a verification app through QR code that mobile authentication app should scan. -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AppFactorRegisterExchange" TechnicalProfileReferenceId="AppFactor-Register" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Demo: The following orchestration step is always executed.
It updates the verification app time step matched for a given user in the Azure Active Directory.
An error is raised if the user does not exist. -->
<OrchestrationStep Order="6" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADWriteUserAppCodeByObjectId" TechnicalProfileReferenceId="AAD-WriteUserAppCodeByObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
<ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
这是新的用户流程,我称之为EditQR.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
PolicySchemaVersion="0.3.0.0"
TenantId="yourtenant.onmicrosoft.com"
PolicyId="B2C_1A_editQr"
PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_editQr">
<BasePolicy>
<TenantId>yourtenant.onmicrosoft.com</TenantId>
<PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
</BasePolicy>
<RelyingParty>
<DefaultUserJourney ReferenceId="EditQR" />
<UserJourneyBehaviors>
<ScriptExecution>Allow</ScriptExecution>
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
</TrustFrameworkPolicy>
使用 测试它http://jwt.ms,您将被提示登录,然后重定向到 QR 页面。
干杯!
推荐阅读
- excel - 读取 .xlsx 文件并将其存储到列表中
- python - 使用 Python Jenkins API 重试失败的作业
- r - 在不同的图中分配 geom_bar 中的颜色
- vue.js - 如何以编程方式更改 Vuetify 选项卡和 vue-router
- javascript - 使用自定义属性 mapbox 为每个集群标记显示一个弹出窗口
- c - avx512 的编译错误,是 GCC 问题吗?
- excel - 我正在做一个项目来在预先存在的 web 表中填充数据
- python - Pyspark:在特定时间范围内将值连接到列表中
- javascript - Vue、Vuex、JavaScript:includes() 无法按预期工作
- applescript - 从 Applescript 设置弹出按钮值