在 AzureAD B2C 中使用“forceChangePasswordNextLogin"创建的本地帐户更改初始密码后无法再登录 [英] Local account created in AzureAD B2C with "forceChangePasswordNextLogin" cannot login anymore after initial password change
问题描述
我有一个通过 AzureAD Graph API 在 AzureAD B2C 租户中创建本地帐户的 WebAPI.创建用户后,他们会收到一封包含临时密码的邀请电子邮件.使用密码配置文件在 Graph API 中创建用户,以强制他们在首次登录时更改临时密码.
I have a WebAPI creating local account in an AzureAD B2C tenant through the AzureAD Graph API. When users are created, they receive an invitation email with a temporary password. User is created in the Graph API with a password profile to force them to change their temporary password on first login.
user.PasswordProfile = new PasswordProfile();
user.PasswordProfile.Password = GetTemporaryPassword();
user.PasswordProfile.ForceChangePasswordNextLogin = true;
当用户第一次登录时(通过 B2C 登录策略),系统会有效地提示更改其密码,并且到目前为止一切正常.
When the user login for the first time (through a B2C SignIn policy), it is effectively prompted to change its password and everything is working fine up to that point.
用户登录后,如果他退出后立即尝试登录,身份验证总是失败并显示错误消息 我们无法识别此用户 ID 或密码.请再试一次.忘记密码?.
如果他使用之前的临时密码,则看起来身份验证成功,但会要求他再次更改密码.在该视图中,Current password 与原始临时密码不匹配,而是与最新密码匹配.
Once the user is logged in, if he signs out then tries to sign in right after, authentification always fails with error message We don't recognize this user ID or password. Please try again. Forgot your password?.
If he uses its previous temporary password then it looks like authentication succeed, but he is asked to change its password again. In that view, Current password does not match the original temporary password but the latest password instead.
我从 Graph API 确认比第一次登录之前,PasswordProfile 仍然附加到用户.
I confirmed from the Graph API than prior the first login, the PasswordProfile is still attached to the user.
{
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
"objectId": "00000000-0000-0000-0000-000000000000",
...
"passwordProfile": {
"password": null,
"forceChangePasswordNextLogin": true,
"enforceChangePasswordPolicy": false
},
...
}
那么在初始密码修改后,强制重置密码的PasswordProfile就没有了.
Then after the initial password change, the PasswordProfile to force password reset is no longer here.
{
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
"objectId": "00000000-0000-0000-0000-000000000000",
....
"passwordPolicies": null,
"passwordProfile": null,
....
}
此时,用户能够登录的唯一解决方案是等待一段时间(5-10 分钟),然后才能使用最新密码登录.
At that point, the only solution for the user to be able to sign in is to wait for some time (5-10 minutes) prior to be able to login with its latest password.
您知道造成这种延迟的原因是什么吗?
更重要的是,如何避免这种延迟以及与之相关的糟糕的用户体验?
Any idea about what can be the cause of this delay?
More importantly, How to avoid this delay and the poor user experience associated to it?
推荐答案
写在文档并明确解释:
"passwordProfile": {
"password": "P@ssword!",
"forceChangePasswordNextLogin": false // always set to false
},
"passwordPolicies": "DisablePasswordExpiration"
因此,如文档中所述,始终将 forceChangePasswordNextLogin 设置为 false!此外,当使用 B2C always 时,请将 passwordPolicies 设置为 DisablePasswordExpiration.
So, as described in the docs, always set the forceChangePasswordNextLogin to false! Also, when using B2C always set the passwordPolicies to DisablePasswordExpiration.
在您提供的代码示例中,您犯了 2(两)个错误:
In your provided code sample you make 2 (two) wrong things:
你在下次登录时强制更改密码
You force password change the next login via
user.PasswordProfile.ForceChangePasswordNextLogin = true;
您没有明确禁用密码过期.
You do not explicitly disable password expiration.
在使用 Azure AD B2C 时,在采取行动之前先阅读文档非常重要.它与普通的 Azure AD 不同.一切都在文档中进行了解释.如果您发现一些缺失或错误的信息,请使用每个文档页面底部的反馈表.
When using Azure AD B2C it is very important to read the docs first, before taking actions. It is different then a normal Azure AD. And everything is explained in the docs. If you see some missing or wrongful information, please use the feedback form at the bottom of each documentation page.
在下次登录时强制重置/更改密码的功能请求已经 在这里登录.您可以投票以使其在优先级列表中更高.
A feature request to enforce password reset/change upon next login is already logged here. You can give your vote to make it higher in priority list.
作为最后的手段,如果您真的想实现这一点,可能可以使用 自定义策略(REST API 实现逻辑来检查用户是否应该更改他的密码).
As last resort, if you really want to implement this, it might be possible using custom policies (REST API to implement logic to check if the user should change his password).
这篇关于在 AzureAD B2C 中使用“forceChangePasswordNextLogin"创建的本地帐户更改初始密码后无法再登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
