How to pass and validate the signInEmail claim during External IDP login using Azure B2C custom policy?
Question
This question is related to this question.
What we'd like to do is: at the moment the user clicks a button like Facebook OR Microsoft account OR Corporate AD in the Sign in page, call a validation technical profile to validate the email address the user is using to sign in.
I tried adding an OrchestrationStep like this:
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>idp</Value>
      <Value>CorporateAD</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="FetchMoreClaimsExchange" TechnicalProfileReferenceId="REST-ValidateSignInEmail" />
  </ClaimsExchanges>
</OrchestrationStep>
This is actually calling REST-ValidateSignInEmail because I see an error returned in the URL like this:
The message is+disabled is coming from the REST API I put together, but this obviously tells me that the email\signInEmail claim it expects as a parameter is not being sent\passed. Here is the technical profile:
<TechnicalProfile Id="REST-ValidateSignInEmail">
  <DisplayName>Validate Email</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">{Settings:AzureAppServiceUrl}/api/B2C/ValidateSignInEmail</Item>
    <Item Key="AuthenticationType">None</Item>
    <Item Key="SendClaimsIn">Body</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="UserEmail" />
  </InputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
Can you shed some light on how to approach this?
Answer
Generally, after I post the question I keep fiddling with the code.
Got it working like this:
<TechnicalProfile Id="REST-ValidateSignInEmail">
  <DisplayName>Validate Email</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">{Settings:AzureAppServiceUrl}/api/B2C/ValidateSignInEmail</Item>
    <Item Key="AuthenticationType">None</Item>
    <Item Key="SendClaimsIn">Body</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="UserEmail" />
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="UserEmail" />
  </InputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
Note that I added a new InputClaim with ClaimTypeReferenceId="email". This sample policy showed me that I could add the OrchestrationStep right before the JwtIssuer one. We can also have it without any preconditions like this:
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="REST-ValidateSignInEmail" TechnicalProfileReferenceId="REST-ValidateSignInEmail" />
  </ClaimsExchanges>
</OrchestrationStep>
Doing so, it'll get called for all IDPs.
Azure Active Directory B2C: custom CIAM user journeys
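What the REST side of this exchange looks like, as an added example that is not code from the question, the answer or Azure AD B2C itself: the profile above posts a JSON body whose field is named after the PartnerClaimType (UserEmail), and B2C's RESTful provider treats an HTTP 409 response carrying version, status and userMessage as a validation error to show the user. The DISABLED_EMAILS set, the validatedEmail output key, the ValidateHandler class and the local port are assumptions made for this example; the /api/B2C/ValidateSignInEmail path is the one used on the page. The missing-claim branch is the failure mode from the question: when the claim is not mapped, the body simply has no UserEmail field, and the API should say so rather than report "None is disabled".

```python
"""Minimal back end for a B2C REST validation technical profile (added example)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: addresses this back end treats as disabled.
# A real service would consult its own user store instead.
DISABLED_EMAILS = {"blocked.user@example.com"}

# Field name B2C puts in the JSON body; it follows the
# PartnerClaimType="UserEmail" of the InputClaim in the technical profile.
EMAIL_FIELD = "UserEmail"


def _b2c_error(status: int, message: str) -> dict:
    # Shape B2C expects for a validation error: version, status and the
    # userMessage it shows to the user (and echoes in the redirect URL).
    return {"version": "1.0.0", "status": status, "userMessage": message}


def validate_sign_in_email(body: bytes, disabled=DISABLED_EMAILS) -> tuple:
    """Return (http_status, json_body) for one validation call.

    200 -> success; the returned keys can be mapped to OutputClaims.
    409 -> validation error; B2C stops the journey and shows userMessage.
    """
    try:
        claims = json.loads(body or b"{}")
    except json.JSONDecodeError:
        return 400, _b2c_error(400, "request body is not valid JSON")

    email = claims.get(EMAIL_FIELD)
    if not isinstance(email, str) or not email.strip():
        # The situation in the question: the profile never mapped the claim,
        # so the field is absent. Say so explicitly instead of reporting
        # "None is disabled", which is what a naive check produces.
        return 409, _b2c_error(409, f"{EMAIL_FIELD} claim was not sent")

    normalized = email.strip().lower()
    if normalized in disabled:
        return 409, _b2c_error(409, f"{normalized} is disabled")

    # "validatedEmail" is an assumed output-claim name for this example.
    return 200, {"version": "1.0.0", "validatedEmail": normalized}


class ValidateHandler(BaseHTTPRequestHandler):
    """Serves POST /api/B2C/ValidateSignInEmail, the path used on the page."""

    def do_POST(self):
        if self.path != "/api/B2C/ValidateSignInEmail":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        status, payload = validate_sign_in_email(self.rfile.read(length))
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Local test server; in production the endpoint sits behind TLS and the
    # technical profile uses an AuthenticationType other than None.
    HTTPServer(("127.0.0.1", 8080), ValidateHandler).serve_forever()
```

Because the profile on the page sets AuthenticationType to None, anything that can reach the service URL can call this endpoint; B2C's RESTful provider also supports Basic, ClientCertificate and Bearer authentication, which lets the API reject calls that do not come from the tenant's policy.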