Is there a way to validate a custom attribute in the ROPC flow before sending tokens?


Question

All users have a user attribute "extension_isApproved". They can only log in or receive a token when it is set to True. However, I can't figure out how to do this in an ROPC flow. The behavior I want is to send back an error message if the user asking for the tokens is not approved.

Here is my code (I've already tried some things to restrict the user, but it doesn't work):

<TechnicalProfile Id="ResourceOwnerPasswordCredentials-OAUTH2">
  <DisplayName>Local Account SignIn</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <Metadata>
    <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">You are not approved. Contact your administrator for approval.</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
    <Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
    <Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item>
    <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
    <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
    <Item Key="METADATA">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>
    <Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>
    <Item Key="response_types">id_token</Item>
    <Item Key="response_mode">query</Item>
    <Item Key="scope">email openid</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="logonIdentifier" PartnerClaimType="username" Required="true" DefaultValue="{OIDC:Username}"/>
    <InputClaim ClaimTypeReferenceId="password" Required="true" DefaultValue="{OIDC:Password}" />
    <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
    <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />

    <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="{Settings:ProxyIdentityExperienceFrameworkAppId}" />
    <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="{Settings:IdentityExperienceFrameworkAppId}" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromObjectID" />
  </OutputClaimsTransformations>
  <!-- Reads the user by objectId, then asserts extension_isApproved == true -->
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />
    <ValidationTechnicalProfile ReferenceId="ClaimsTransformation-AssertIsApproved" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>


<ClaimsProvider>
  <DisplayName>Session Management</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SM-RefreshTokenReadAndSetup">
      <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>
      <Protocol Name="None" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />
        <ValidationTechnicalProfile ReferenceId="ClaimsTransformation-AssertIsApproved" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>


<ClaimsTransformation Id="AssertIsApproved" TransformationMethod="AssertBooleanClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_isApproved" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
  </InputParameters>
</ClaimsTransformation>

The rest of the code is the same as the base template for everything that touches the ROPC flow.

Answer

In the end, what we did was to add <OutputClaim ClaimTypeReferenceId="extension_isApproved" /> to the technical profile in ROPC_Auth.xml.

By doing that, you will receive the custom attribute directly in the id_token of the response when you call your ROPC flow.

We contacted Microsoft Support and they told us that the way we wanted to do it at first (by blocking the user and returning an error) was too advanced for them, and they don't know how to do it or even whether it is possible.
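With the answer's approach the token is still issued to an unapproved user; the approval decision moves to whatever consumes the id_token. The following is an added example, not code from the question, the answer or Azure AD B2C, showing how a resource API would enforce the extension_isApproved claim after verifying the token. It assumes the policy emits the claim as a JSON boolean (claim type declared with DataType="boolean"), and it uses a constructed HS256 secret, issuer and audience so that it runs offline; a real B2C deployment signs with RS256 and publishes its keys at the policy's jwks_uri, and only the signature step would change.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed stand-ins, not real values. B2C would sign with RS256 and
# publish its public keys at the policy's jwks_uri; HS256 keeps this offline.
SIGNING_SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_ISSUER = "https://placeholder-tenant.b2clogin.com/placeholder-tenant-id/v2.0/"
EXPECTED_AUDIENCE = "placeholder-api-client-id"
NOW = 1_700_000_000  # fixed clock so the sample tokens are deterministic


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Build a signed JWT shaped like the id_token the ROPC flow returns (HS256 for offline use)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


class TokenRejected(Exception):
    """Raised with a short reason when the API must refuse the caller."""


def check_token(token: str, now: Optional[float] = None, secret: bytes = SIGNING_SECRET) -> dict:
    """Verify signature and standard claims, then enforce extension_isApproved.

    Issuance is not authorization: B2C hands the token to unapproved users too,
    so every API that accepts the token must run this check itself.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:
        raise TokenRejected("malformed token") from None
    # Pin the algorithm before touching the signature; never honour alg=none.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise TokenRejected("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenRejected("token expired")
    # The approval flag must be the JSON boolean true. A missing claim, the
    # string "True" or the number 1 all count as not approved (assumes the
    # claim type is declared with DataType="boolean" in the policy).
    if claims.get("extension_isApproved") is not True:
        raise TokenRejected("user not approved")
    return claims


def authorize(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """API-middleware style wrapper returning (allowed, reason)."""
    try:
        check_token(token, now)
        return True, "ok"
    except TokenRejected as err:
        return False, str(err)


def _sample(extra: dict) -> str:
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
            "sub": "constructed-object-id", "iat": NOW, "exp": NOW + 3600}
    return mint_token({**base, **extra})


# Constructed sample id_tokens covering the approval states an API will see.
APPROVED_TOKEN = _sample({"extension_isApproved": True})
UNAPPROVED_TOKEN = _sample({"extension_isApproved": False})
MISSING_CLAIM_TOKEN = _sample({})
STRING_CLAIM_TOKEN = _sample({"extension_isApproved": "True"})

if __name__ == "__main__":
    for name, tok in [("approved", APPROVED_TOKEN), ("unapproved", UNAPPROVED_TOKEN),
                      ("missing claim", MISSING_CLAIM_TOKEN), ("string claim", STRING_CLAIM_TOKEN)]:
        print(name, authorize(tok, now=NOW))
```

The strict `is True` comparison is the point of the example: if the policy ever stops emitting the claim, or emits it as a string, the API fails closed rather than letting an unapproved user through. Because the check runs after signature, issuer, audience and expiry validation, a caller cannot simply edit the payload to flip the flag.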
