How to pass and validate the signInEmail claim during External IDP login using Azure B2C custom policy?


Question

This question is related to this question.

What we'd like to do is: at the moment the user clicks a button like Facebook, Microsoft account, or Corporate AD on the Sign in page, call a validation technical profile to validate the email address the user is using to sign in.

I tried adding an OrchestrationStep like this:

<OrchestrationStep Order="4" 
  Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" 
      ExecuteActionsIf="false">
      <Value>idp</Value>
      <Value>CorporateAD</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="FetchMoreClaimsExchange" 
      TechnicalProfileReferenceId="REST-ValidateSignInEmail" />
  </ClaimsExchanges>
</OrchestrationStep>

This is actually calling REST-ValidateSignInEmail, because I see an error returned in the URL like this:

The message is+disabled is coming from the REST API I put together, but this obviously tells me that the email\signInEmail claim it expects as a parameter is not being sent\passed.

Here is the technical profile:

<TechnicalProfile Id="REST-ValidateSignInEmail">
    <DisplayName>Validate Email</DisplayName>
    <Protocol Name="Proprietary" 
            Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
       <Item Key="ServiceUrl">{Settings:AzureAppServiceUrl}/api/B2C/ValidateSignInEmail</Item>
       <Item Key="AuthenticationType">None</Item>
       <Item Key="SendClaimsIn">Body</Item>
    </Metadata>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" 
              PartnerClaimType="UserEmail" />
    </InputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

Can you shed some light on how to approach this?

Answer

Generally, after I post the question I keep fiddling with the code.

Got it working like this:

<TechnicalProfile Id="REST-ValidateSignInEmail">
    <DisplayName>Validate Email</DisplayName>
    <Protocol Name="Proprietary" 
            Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
       <Item Key="ServiceUrl">{Settings:AzureAppServiceUrl}/api/B2C/ValidateSignInEmail</Item>
       <Item Key="AuthenticationType">None</Item>
       <Item Key="SendClaimsIn">Body</Item>
    </Metadata>
    <InputClaims>
        <!-- Both claims map to the same "UserEmail" key in the request body:
             signInName is populated for local-account sign-in, email for external IDPs. -->
        <InputClaim ClaimTypeReferenceId="signInName" 
              PartnerClaimType="UserEmail" />
        <InputClaim ClaimTypeReferenceId="email" 
              PartnerClaimType="UserEmail" />
    </InputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

Note that I added a new InputClaim with ClaimTypeReferenceId="email". email is the claim value that is passed when using an external IDP.

This sample policy showed me that I could add the OrchestrationStep right before the JwtIssuer one. We can also have it without any preconditions, like this:

<OrchestrationStep Order="7" 
   Type="ClaimsExchange">
   <ClaimsExchanges>
     <ClaimsExchange Id="REST-ValidateSignInEmail" 
       TechnicalProfileReferenceId="REST-ValidateSignInEmail" />
   </ClaimsExchanges>
 </OrchestrationStep>

Doing so, it'll get called for all IDPs.

Azure Active Directory B2C: Custom CIAM User Journeys
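The answer shows the policy side only; the REST API behind `{Settings:AzureAppServiceUrl}/api/B2C/ValidateSignInEmail` is never shown. The following is an added example, not the asker's API, of what that endpoint has to implement for the technical profile above to work. It assumes the Azure AD B2C RESTful technical profile contract: with `SendClaimsIn` set to `Body`, B2C POSTs a JSON object keyed by the `PartnerClaimType` names (so `{"UserEmail": "..."}`); an HTTP 200 JSON response continues the journey and its keys can be mapped back into claims with `<OutputClaims>`; an HTTP 409 response with `{"version": "1.0.0", "status": 409, "userMessage": "..."}` stops the journey and shows `userMessage` to the user. It also handles the failure mode from the question (the claim not being sent at all) with an explicit message instead of a misleading "is disabled". The `x-functions-key` check is a hypothetical hardening: the profile on the page uses `AuthenticationType` `None`, so anyone who learns the URL can call the endpoint; B2C can send a configured key in a header when the profile uses `AuthenticationType` `ApiKeyHeader`. The disabled-account list, allowed domains and key value are constructed sample data.

```python
"""Stand-in for the /api/B2C/ValidateSignInEmail endpoint called by the
REST-ValidateSignInEmail technical profile.  Added example; the asker's real
API is not on the page.  Assumed contract (Azure AD B2C RESTful technical
profile): with SendClaimsIn=Body, B2C POSTs a JSON object keyed by the
PartnerClaimType names from <InputClaims> ("UserEmail" here); HTTP 200 with a
JSON body continues the journey and its keys can be mapped by <OutputClaims>;
HTTP 409 with {"version":"1.0.0","status":409,"userMessage":...} stops the
journey and shows userMessage to the user."""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data.
DISABLED_EMAILS = {"blocked.user@example.com"}
ALLOWED_DOMAINS = {"example.com", "contoso.com"}
# Hypothetical shared secret.  The page's profile uses AuthenticationType=None,
# so anyone who learns the URL can call the endpoint; with
# AuthenticationType=ApiKeyHeader B2C sends a configured key in this header.
API_KEY_HEADER = "x-functions-key"
API_KEY = "replace-me-with-a-random-secret"


def b2c_error(user_message):
    """Body B2C expects for a validation failure (HTTP 409)."""
    return 409, {"version": "1.0.0", "status": 409, "userMessage": user_message}


def validate_sign_in_email(body):
    """Return (http_status, json_body) for one claims-exchange request."""
    email = body.get("UserEmail")
    # The failure mode from the question: the claim was never sent.  Report
    # that explicitly rather than falling through to a misleading "disabled".
    if not isinstance(email, str) or email.count("@") != 1:
        return b2c_error("No usable UserEmail claim was sent to the validation endpoint.")
    normalized = email.strip().lower()
    domain = normalized.rsplit("@", 1)[1]
    if normalized in DISABLED_EMAILS:
        return b2c_error(f"The account {normalized} is disabled.")
    if domain not in ALLOWED_DOMAINS:
        return b2c_error(f"Sign-in with an address from {domain} is not permitted.")
    # Success: B2C maps this key back to a claim via
    # <OutputClaim ClaimTypeReferenceId="..." PartnerClaimType="validatedEmail"/>
    return 200, {"validatedEmail": normalized}


def api_key_ok(headers):
    """Constant-time compare of the assumed API key header."""
    return hmac.compare_digest(headers.get(API_KEY_HEADER, ""), API_KEY)


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/api/B2C/ValidateSignInEmail":
            self.send_error(404)
            return
        if not api_key_ok(self.headers):
            self.send_error(401)
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            body = {}
        status, payload = validate_sign_in_email(body if isinstance(body, dict) else {})
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Local test server; point ServiceUrl at it (over HTTPS in a real tenant).
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

With this in place, a request such as `curl -X POST -H "x-functions-key: replace-me-with-a-random-secret" -H "Content-Type: application/json" -d '{"UserEmail":"blocked.user@example.com"}' http://127.0.0.1:8080/api/B2C/ValidateSignInEmail` returns the 409 body B2C renders as a user-facing error, while an empty `{}` body (the situation in the question, before the `email` InputClaim was added) returns a message that names the missing claim.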
