如何从B2C用户记录中读取移动值并将其转换为strongAuthenticationPhoneNumber? [英] How can I read the mobile value from a B2C user record and transform it to a strongAuthenticationPhoneNumber?
问题描述
我需要以编程方式创建Azure B2C用户帐户.在一个单独的用户数据存储区中,我保存了有关我需要在B2C中设置的用户的相关信息,包括他们的手机号码,我们已经在与他们进行通信了.
I have the need to create Azure B2C user accounts programmatically. In a separate user data store I hold pertinent information about the users I need to set up in B2C including their mobile phone number, which we've already been communicating with them on.
我的业务要求是在用户首次登录/重置密码期间,将此手机号码用作辅助因素.我有一个初始登录体验,该体验使用外部创建的JWT令牌将用户带到自定义用户之旅,在该用户之旅中,他们可以首次设置密码.
My business requirement is that this mobile phone number is used as a secondary factor during the user's first-time login/password reset experience. I have an initial login experience which uses an externally-created JWT token to take the user to a custom User Journey where they can set a password for the first time.
我知道尚无法通过Graph API或PowerShell设置Azure MFA手机号码. (这仍然是真的吗?).因此,B2C要求用户在示例性的PhoneFactor-InputOrVerify技术资料中输入他们的手机号码.这是一个安全漏洞,因为您只需在其中输入任何手机号码并验证该号码即可.
I understand that it is not yet possible to set the Azure MFA mobile number via Graph API or PowerShell. (Is this still true?). Therefore B2C asks the user to enter their mobile number in the exemplar PhoneFactor-InputOrVerify Technical Profile. This is a security hole as you can just enter any mobile number in there and verify that number.
我可以轻松地以编程方式将用户的号码添加到其他字段中,例如用户记录上的移动字段.
I can easily programmatically add the user's number to some other field - e.g. the mobile field on the user record.
问题1. 有没有办法读取用户帐户的移动值并将其显示为技术资料",就好像它是strongAuthenticationPhoneNumber值还是Verified.strongAuthenticationPhoneNumber一样?
Question 1. Is there a way to read the user account mobile value and present it to a Technical Profile as if it is the strongAuthenticationPhoneNumber value or Verified.strongAuthenticationPhoneNumber?
问题2. 这是个好主意吗?我想我们有充分的理由不这样做,但是我无法理解它们可能是什么.
Question 2. Is this even a good idea? I imagine there are good reasons not to do this, but I can't fathom what they might be.
我尝试创建新的ClaimTypes,读取移动"字段值,创建ClaimsTranfromations来尝试使移动声明看起来像是StrongAuthenticationPhoneNumber声明,并且通常尝试欺骗" B2C认为这是实际数字保存在MFA数据存储区中.
I've tried creating new ClaimTypes, reading the 'mobile' field value, creating ClaimsTranfromations to try to make the mobile claim appear to be the strongAuthenticationPhoneNumber claim, and trying generally to 'spoof' B2C into thinking this is the actual number as stored in the MFA data store.
这是入门包中的标准PhoneFactor-InputOrVerify技术资料:
This is the the standard PhoneFactor-InputOrVerify Technical Profile from the starterpack:
<ClaimsProvider>
<DisplayName>PhoneFactor</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="PhoneFactor-InputOrVerify">
<DisplayName>PhoneFactor</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ContentDefinitionReferenceId">api.phonefactor</Item>
<Item Key="ManualPhoneNumberEntryAllowed">true</Item>
</Metadata>
<CryptographicKeys>
<Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
</CryptographicKeys>
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="CreateUserIdForMFA" />
</InputClaimsTransformations>
<InputClaims>
<InputClaim ClaimTypeReferenceId="userIdForMFA" PartnerClaimType="UserId" />
<InputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="Verified.OfficePhone" />
<OutputClaim ClaimTypeReferenceId="newPhoneNumberEntered" PartnerClaimType="newPhoneNumberEntered" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-MFA" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
我可以提供前面提到的自定义用户旅程的更多代码示例,但是我认为这不会对解决此问题有所帮助.
I can provide more code samples of the custom User Journey I mentioned earlier but I don't think this will help with this problem.
推荐答案
您有一些选择:
- 您可以将 strongAuthenticationPhoneNumber 声明添加到用于入职流程的同一JWT中,并在此入职流程中提示您验证此电话号码.
- 您可以通过以下网址的 mobile 属性(或扩展属性)将 PhoneFactor-InputOrVerify 技术资料映射到 strongAuthenticationPhoneNumber 声明. 用户对象.
- You can add the strongAuthenticationPhoneNumber claim to the same JWT that is used for the onboarding flow and prompt for verification of this phone number during this onboarding flow.
- You can map to the strongAuthenticationPhoneNumber claim for the PhoneFactor-InputOrVerify technical profile from the mobile property (or an extension property) of the user object.
For option 1, the onboarding user journey should write the verified phone number to the user object, without the newPhoneNumberEntered-based precondition:
<OrchestrationStep Order="8" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
对于选项2,您可以通过 mobile 属性将其映射到 strongAuthenticationPhoneNumber 声明,如下所示:
For option 2, you can map to the strongAuthenticationPhoneNumber claim from the mobile property, as follows:
<InputClaims>
<InputClaim ClaimTypeReferenceId="userIdForMFA" PartnerClaimType="UserId" />
<InputClaim ClaimTypeReferenceId="mobile" PartnerClaimType="strongAuthenticationPhoneNumber" />
</InputClaims>
这篇关于如何从B2C用户记录中读取移动值并将其转换为strongAuthenticationPhoneNumber?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
