Is it possible to validate the Email claim from Social Identity Providers (iDPs) using Azure B2C custom policy before creating a User in Azure AD?
Problem description
The scenario is this: we have added the Microsoft iDP to our app. The user can click the Microsoft Account button and use their MSA account to sign up / sign in.
When the user signs up we'd like to validate the e-mail against our database. If the user's email is in our database, let them proceed and sign up; otherwise we'd like to prevent them from signing up and display an error message. This would prevent creating a User in our Azure B2C AD.
I used the following TechnicalProfile:
<TechnicalProfile Id="REST-ValidateEmail">
  <DisplayName>Validate Membership Email</DisplayName>
  <Protocol Name="Proprietary"
            Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">{Settings:AzureAppServiceUrl}/api/User/ValidateEmail</Item>
    <!-- None: B2C calls the endpoint unauthenticated; Basic, Bearer and ClientCertificate are the alternatives -->
    <Item Key="AuthenticationType">None</Item>
    <Item Key="SendClaimsIn">Body</Item>
  </Metadata>
  <InputClaims>
    <!-- Sent to the API in the JSON body as the property "UserEmail" -->
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="UserEmail" />
  </InputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
Then I added REST-ValidateEmail to LocalAccountSignUpWithLogonEmail as a validation technical profile.
<ClaimsProvider>
  <DisplayName>Local Account</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
      <Metadata>
        <!--Demo: disable the email validation in development environment-->
        <!--Demo action required: remove in production environment-->
        <Item Key="EnforceEmailVerification">False</Item>
      </Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="extension_MembershipEmail" PartnerClaimType="UserEmail" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <!-- Validation technical profiles run in order: the REST check must succeed before the directory write runs -->
        <ValidationTechnicalProfile ReferenceId="REST-ValidateEmail" />
        <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
I added Application Insights debugging to the custom policy. I see UserJourney(s) being logged in the Azure Portal. However, no matter what I do, I can't see trace logs from the REST API validate method I wrote, and no calls to REST-ValidateEmail. It looks like it's not being called at all.
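As an added example that is not part of the question (nor an answer posted on it): the Microsoft Account button takes the user through the federated sign-up path, which in the SocialAndLocalAccounts starter pack is the SelfAsserted-Social technical profile backed by AAD-UserWriteUsingAlternativeSecurityId; LocalAccountSignUpWithLogonEmail is only reached from the local-account sign-up link. The profile below shows the same REST-ValidateEmail check chained in front of the directory write on that path. It assumes the starter-pack profile names and claim list, and that the API rejects an unknown address with HTTP 409 and a JSON body carrying version, status and userMessage, which is the response shape the RestfulProvider turns into a validation error shown on the page.

```xml
<!-- Added example, not from the question. Assumptions (SocialAndLocalAccounts starter pack naming):
       - a Microsoft-account sign-up runs SelfAsserted-Social, not LocalAccountSignUpWithLogonEmail;
       - AAD-UserWriteUsingAlternativeSecurityId is the profile that creates the directory object;
       - the REST endpoint rejects an unknown address with HTTP 409 and a body of the form
         {"version":"1.0.0","status":409,"userMessage":"This email is not a registered member."}.
     Validation technical profiles run in document order, so with REST-ValidateEmail first a 409
     stops the journey, userMessage is rendered on the page, and the user is never written. -->
<ClaimsProvider>
  <DisplayName>Self Asserted</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SelfAsserted-Social">
      <DisplayName>User ID signup</DisplayName>
      <Protocol Name="Proprietary"
                Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaims>
        <!-- Pre-filled from the claims the Microsoft account claims provider returned -->
        <InputClaim ClaimTypeReferenceId="displayName" />
        <InputClaim ClaimTypeReferenceId="givenName" />
        <InputClaim ClaimTypeReferenceId="surname" />
        <InputClaim ClaimTypeReferenceId="email" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="newUser" />
        <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <!-- This is the claim REST-ValidateEmail sends to the API as "UserEmail" -->
        <OutputClaim ClaimTypeReferenceId="email" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <!-- 1. Membership check against the application database (REST-ValidateEmail as defined in the question) -->
        <ValidationTechnicalProfile ReferenceId="REST-ValidateEmail" />
        <!-- 2. Only reached when the check returned 200: create the user in the B2C directory -->
        <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
      </ValidationTechnicalProfiles>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialSignup" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

Two checks worth doing once this is in place. First, with Application Insights in Development mode the REST-ValidateEmail technical profile should now appear in the logged journey under the social sign-up orchestration step; its absence is what distinguishes "not wired into this path" from "called but failing". Second, because email is an output claim of a self-asserted page it is rendered as an editable field, so the membership check as written validates whatever the user types, not the address the identity provider vouched for. If membership must be tied to the IdP-asserted address, keep the value from the Microsoft account technical profile and mark the email ClaimType with UserInputType Readonly (or drop it from the page's output claims), otherwise any MSA holder can enter a known member's address.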