Azure AD B2C-如何实施自定义注册过程? [英] Azure AD B2C - how to implement custom sign up process?
问题描述
这基本上是我上一个问题的跟进- https://stackoverflow.com/a/44738654/2896495.我已经在Web应用程序(.NET Core 2.0)中实现了Azure B2C注册和身份验证,现在我想使用Graph API添加自定义注册逻辑(如此处所述-
This is basically a follow up to my prev question - https://stackoverflow.com/a/44738654/2896495. I've implemented an Azure B2C sign up and auth in my web app (.NET Core 2.0) and now I want to add a custom sign up logic with Graph API (as described here - https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet). But I'm confused about app registrations. For B2C auth I created an app in the Portal under Azure AD B2C -> Applications. Now, in order to use custom sign up logic I need another app registration under Portal -> App Registrations -> New Application Registration (where I can grant necessary permissions to Azure AD, like Read and Write directory data).
因此,如果我需要身份验证和自定义提示,应该如何设置我的应用程序?正确的做法是什么?
So, if I need auth AND custom sigh up, how should I set up my app? What's the right way of doing this?
推荐答案
如果您只是想拥有自己的外观,而不是带有徽标和其他商标的默认模板,请考虑提供以下模板:用户界面自定义:
If you are just trying to have your own look and feel, as opposed to the default templates with your logos and other branding, then look into providing a template for UI customizations:
此外,请参见其他类似问题的答案:
Also, see this other answer to a similar question:
如果您尝试使用完全不同的工作流程,则需要创建自定义策略.
If you are trying for a whole different workflow, the you will want to create a custom policy.
https://docs.microsoft.com/zh-CN/azure/active-directory-b2c/active-directory-b2c-overview-custom
或者,如果那行不通,那么我猜您可以使用GraphApi,但这是最费力的选择,并且完全破坏了使用B2C的全部目的.我不推荐这种方法.
Or if that does not work, then I guess you could just use the GraphApi, but that is the most laborious of options and completely destroys the entire purpose of using B2C in the first place. I do not recommend this approach.
更新:
我不会在自定义策略中做您想做的所有事情.将注册分离到自己的应用程序/服务中将是一个很好的方法(如@camsoper所建议),但仅使用创建初始帐户或验证批准用户所需的少量策略.我从未使用过策略来更改"accountActive"属性,但是在使用"NewAccount"属性来注销帐户后,我倾向于使用GraphApi来修改用户配置文件.在azure门户中的用户个人资料上有一个阻止登录"设置,该设置可用于限制访问(创建帐户后,注册应用程序可以设置默认设置),但是我不确定是否与还是"accountActive"属性.
I would not do everything you want to do in a custom policy. Separating the signup into it's own application/service would be a great approach (as @camsoper suggested), but only use the policies for the bare amount needed to create the initial account or authenticate an approved user. I've never used a policy to change the "accountActive" attribute, but I would be inclined to use the GraphApi to modify the user profile after the account is created by using the "NewAccount" attribute to key off. There is a "Block sign in" setting on a users profile in the azure portal which can be used to restrict access (and the signup application could set the default after the account is created), but I'm not sure if that corresponds to the "accountActive" attribute or not (yet).
您描述的大多数管理都可以在azure门户中完成,例如更改用户个人资料上的阻止登录"设置可以用来限制访问权限(并且注册应用程序可以在帐户已创建).如果门户网站没有提供某些功能,那么我会将其放在单独的应用程序中.避免在您自定义的管理应用程序中复制功能,而只是将管理员重定向到"portal.azure.com"中的用户个人资料.
Most of the administration you've described can be done in the azure portal, such as changing the "Block sign in" setting on a users profile can be used to restrict access (and the signup application could set the default after the account is created). If there is some capability that the portal does not offer, I would put that into a separate application. Avoid duplicating functionality in your customized admin app, and instead just redirect the admin to the users profile in "portal.azure.com".
https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/{objectId}
注意:如果管理员可以为其帐户访问多个目录,则该URL模板可能存在一些问题.它将尝试提取默认情况下创建其帐户的目录.
Note: there may be some issues with that URL template if the admin has access to more than one Directory for her account. It will try to pull up the directory that her account was created on by default.
这篇关于Azure AD B2C-如何实施自定义注册过程?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
