Azure AD custom policy does not stop when an API error occurs

Problem description

I created a custom policy for sign-in. It uses an API to get the list of permissions the user has for the specific group they are signing in to. If they do not belong to that group, the API returns a 409 error (according to the documentation here).

Here is my API technical profile:

<TechnicalProfile Id="GetUserPermissions">
    <DisplayName>Retrieves permissions assigned to the user</DisplayName>
    <Protocol Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" Name="Proprietary"/>
    <Metadata>
        <Item Key="ServiceUrl">{APIURL}</Item>
        <Item Key="SendClaimsIn">QueryString</Item>
        <Item Key="AuthenticationType">Bearer</Item>
        <Item Key="UseClaimAsBearerToken">bearerToken</Item>
        <Item Key="AllowInsecureAuthInProduction">true</Item>
        <Item Key="DefaultUserMessageIfRequestFailed">Test Message</Item>
    </Metadata>
    <InputClaims>
        <!-- Claims sent to your REST API -->
        <InputClaim Required="true" ClaimTypeReferenceId="objectId"/>
        <InputClaim ClaimTypeReferenceId="bearerToken"/>
        <InputClaim ClaimTypeReferenceId="groupId" DefaultValue="ID" AlwaysUseDefaultValue="true"/>
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="permissions" PartnerClaimType="permissions"/>
    </OutputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>

This seems to work as expected: we get the list of permissions for any user who belongs to the group, and an error if the user does not. However, we do not get the error message on the sign-in page. Despite the error, the user journey still tries to continue. As we can see here, if we set the reply URL to jwt.ms, we get the API error: [jwt.ms showing the API error]

Here is my user journey:

<UserJourney Id="SignUpOrSignIn">
    <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
            <ClaimsProviderSelections>
                <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/>
            </ClaimsProviderSelections>
            <ClaimsExchanges>
                <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/>
            </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
            <Preconditions>
                <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
                    <Value>objectId</Value>
                    <Action>SkipThisOrchestrationStep</Action>
                </Precondition>
                <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
                    <!-- Skip this step if change password is required. -->
                    <Value>forceChangePasswordNextLogin</Value>
                    <Action>SkipThisOrchestrationStep</Action>
                </Precondition>
            </Preconditions>
            <ClaimsExchanges>
                <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/>
            </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="3" Type="ClaimsExchange">
            <Preconditions>
                <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
                    <Value>forceChangePasswordNextLogin</Value>
                    <Action>SkipThisOrchestrationStep</Action>
                </Precondition>
            </Preconditions>
            <ClaimsExchanges>
                <!-- Force password reset upon password expiration -->
                <ClaimsExchange Id="ForcePasswordResetUponPasswordExpiration" TechnicalProfileReferenceId="SelfAsserted-ForcePasswordReset-ExpiredPassword"/>
            </ClaimsExchanges>
        </OrchestrationStep>
        <!-- This step reads any user attributes that we may not have received in the token. -->
        <OrchestrationStep Order="4" Type="ClaimsExchange">
            <ClaimsExchanges>
                <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/>
            </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="5" Type="ClaimsExchange">
            <ClaimsExchanges>
                <ClaimsExchange Id="SecureREST-AccessToken" TechnicalProfileReferenceId="SecureREST-AccessToken"/>
            </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="6" Type="ClaimsExchange">
            <ClaimsExchanges>
                <ClaimsExchange Id="GetUserPermissions" TechnicalProfileReferenceId="GetUserPermissions"/>
            </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb"/>
</UserJourney>

How can I display this error message on the sign-in page instead of redirecting?

Tags: azure, azure-active-directory, azure-ad-b2c-custom-policy, azure-rest-api
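Added example (not part of the original question, and not the poster's policy): the point the question turns on is where the REST technical profile is invoked. When a RESTful technical profile runs as its own orchestration step, an HTTP 4xx from the API ends the journey with an error returned to the relying party, which is the jwt.ms behaviour described above. When the same profile runs as a ValidationTechnicalProfile of the self-asserted sign-in profile, a 409 whose JSON body carries "userMessage" (with "version" and "status" alongside it) is rendered on the sign-in page and the user stays there; DefaultUserMessageIfRequestFailed is the fallback text when the body has no userMessage. The fragment below assumes the starter-pack SelfAsserted-LocalAccountSignin-Email profile and its login-NonInteractive validation profile, and reuses the SecureREST-AccessToken and GetUserPermissions profiles named in the question.

```xml
<!-- Sign-in profile with the permissions check moved into the validation chain. -->
<ClaimsProvider>
  <DisplayName>Local Account SignIn</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <OutputClaims>
        <!-- Carry the API result forward so later steps / the token can use it -->
        <OutputClaim ClaimTypeReferenceId="permissions" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <!-- 1. Verify the credentials; this yields objectId (assumed starter-pack profile) -->
        <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
        <!-- 2. Obtain the bearerToken claim consumed by GetUserPermissions -->
        <ValidationTechnicalProfile ReferenceId="SecureREST-AccessToken" />
        <!-- 3. Call the API. A 409 with {"version":"1.0.0","status":409,"userMessage":"..."}
                stops the chain here and shows userMessage on the page; the user is not
                redirected and no token is issued. -->
        <ValidationTechnicalProfile ReferenceId="GetUserPermissions" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

With this in place, orchestration steps 5 and 6 of the journey above become redundant and should be removed so the API is not called a second time after a successful sign-in. If the override lives in an extension file rather than the base file, check the effective (merged) ValidationTechnicalProfiles list before deploying, since the engine merges same-Id profiles rather than replacing them.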
