azure - Azure AD custom policy does not stop when an API error occurs
Problem description
I created a custom policy for sign-in. It uses an API to retrieve the list of permissions the user has for the specific group they are signing in to. If they do not belong to that group, the API returns a 409 error (per the documentation here).
Here is my API technical profile:
<TechnicalProfile Id="GetUserPermissions">
  <DisplayName>Retrieves permissions assigned to the user</DisplayName>
  <Protocol Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" Name="Proprietary"/>
  <Metadata>
    <Item Key="ServiceUrl">{APIURL}</Item>
    <Item Key="SendClaimsIn">QueryString</Item>
    <Item Key="AuthenticationType">Bearer</Item>
    <Item Key="UseClaimAsBearerToken">bearerToken</Item>
    <Item Key="AllowInsecureAuthInProduction">true</Item>
    <Item Key="DefaultUserMessageIfRequestFailed">Test Message</Item>
  </Metadata>
  <InputClaims>
    <!-- Claims sent to your REST API -->
    <InputClaim Required="true" ClaimTypeReferenceId="objectId"/>
    <InputClaim ClaimTypeReferenceId="bearerToken"/>
    <InputClaim ClaimTypeReferenceId="groupId" DefaultValue="ID" AlwaysUseDefaultValue="true"/>
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="permissions" PartnerClaimType="permissions"/>
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>
This seems to work as expected: we get the list of permissions for any user who belongs to the group, and an error if the user does not. However, we do not receive the error message on the sign-in page. Despite the error, the user journey still tries to continue. As we can see here, if we set the reply URL to jwt.ms, we get the API error: (screenshot: jwt.ms showing the API error)
Here is my user journey:
<UserJourney Id="SignUpOrSignIn">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/>
      </ClaimsProviderSelections>
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <!-- Skip this step if change password is required. -->
          <Value>forceChangePasswordNextLogin</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
          <Value>forceChangePasswordNextLogin</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <!-- Force password reset upon password expiration -->
        <ClaimsExchange Id="ForcePasswordResetUponPasswordExpiration" TechnicalProfileReferenceId="SelfAsserted-ForcePasswordReset-ExpiredPassword"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- This step reads any user attributes that we may not have received when authenticating, so they can be sent in the token. -->
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Type="ClaimsExchange" Order="5">
      <ClaimsExchanges>
        <ClaimsExchange Id="SecureREST-AccessToken" TechnicalProfileReferenceId="SecureREST-AccessToken"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="6" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="GetUserPermissions" TechnicalProfileReferenceId="GetUserPermissions"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb"/>
</UserJourney>
How can I display this error message on the sign-in page instead of redirecting?
Solution
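A REST technical profile that fails inside a plain orchestration step has no page to report to, so the engine returns the error to the relying party; an added example, not part of the original question, of running the permission lookup as a validation technical profile of the sign-in page's self-asserted profile instead, so that the API's 409 stops the journey before any token is issued and its userMessage is shown on the page. It assumes the starter-pack `login-NonInteractive` profile exists and that the API answers with HTTP 409 and a JSON body carrying `version`, `status` and `userMessage`, as the B2C REST error contract requires; the other IDs are the ones from the question.

```xml
<!-- Added example (not from the original question): extension-file
     override of the starter-pack SelfAsserted-LocalAccountSignin-Email
     profile. Validation technical profiles run in order while the sign-in
     page is still displayed; the first failure aborts the page and shows
     the API's userMessage, so no token is issued for a user outside the
     group. login-NonInteractive is assumed from the starter pack. -->
<ClaimsProvider>
  <DisplayName>Local Account SignIn</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <ValidationTechnicalProfiles>
        <!-- Verifies the password and yields objectId. -->
        <ValidationTechnicalProfile ReferenceId="login-NonInteractive"/>
        <!-- Reads the remaining user attributes (was orchestration step 4). -->
        <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId"/>
        <!-- Obtains the bearerToken that GetUserPermissions sends (was step 5). -->
        <ValidationTechnicalProfile ReferenceId="SecureREST-AccessToken"/>
        <!-- The permission lookup itself (was step 6). ContinueOnError="false"
             is the default; stated explicitly so a 409 fails closed here. -->
        <ValidationTechnicalProfile ReferenceId="GetUserPermissions" ContinueOnError="false"/>
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

With this in place, orchestration steps 4 to 6 of the journey above should be removed so the same profiles are not invoked twice; the output claims of the validation profiles (objectId, bearerToken, permissions) still reach the claims bag and the JwtIssuer step.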