具有自定义策略的Azure AD B2C:无法使用临时密码对用户进行身份验证 [英] Azure AD B2C with custom policies: Unable to authenticate user with temporary password
问题描述
我已使用自定义策略配置了Azure AD B2C,但无法通过Azure门户中创建的新用户进行身份验证.用户有一个临时密码.即使用户名和密码正确,Azure AD B2C也会返回错误文本无效的用户名或密码.
I have configured Azure AD B2C with custom policies but I am unable to authenticate with a new user created in the Azure portal. The user has a temporary password. Azure AD B2C returns the error text Invalid username or password, even though the username and password is correct.
我已经确认可以使用非自定义策略在Azure AD B2C中使用新用户和临时密码登录.登录后,系统会提示用户更改密码.
I have confirmed that it is possible to login with the new user and temporary password in Azure AD B2C using non custom policies. After logging in, the user gets prompted to change their password.
可以使用本指南中描述的自定义策略来重现该问题: 开始使用自定义策略
The problem can be reproduced using the custom policies described in this guide: Get started with custom policies.
其他信息:
我已经在UserJourneyRecorderEndpoint中配置了b2crecorder https://b2crecorder.azurewebsites.net/stream?id=<guid>
.通过https://b2crecorder.azurewebsites.net/trace_102.html?id=<guid>
I have configured the b2crecorder https://b2crecorder.azurewebsites.net/stream?id=<guid>
in the UserJourneyRecorderEndpoint. Which gives access to more information through https://b2crecorder.azurewebsites.net/trace_102.html?id=<guid>
该问题导致以下日志记录:
The problem result in the following logging:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Using validation endpoint at: https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(d56987e9-be2e-46fc-a7a4-23e317f8f174) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
推荐答案
最常见的原因是未执行授予权限.
The most common reason for this that Grant Permissions has not been executed.
在"ProxyIdentityExperienceFramework应用程序"上->选中Access IdentityExperienceFramework的复选框->单击选择",然后单击完成",您还必须完成下一步:
On the "ProxyIdentityExperienceFramework application" -> after selecting the checkbox for Access IdentityExperienceFramework -> clicking on Select and hitting Done, you must also complete the next step:
选择授予权限,然后选择是进行确认.
Select Grant Permissions, and then confirm by selecting Yes.
抱歉,在仔细阅读您的情况后,注册或登录策略"或自定义策略"均不支持Azure Active Directory forceChangePasswordNextLogin
标志. (forceChangePasswordNextLogin
仅适用于注册策略").有一个
Sorry, after reading your situation carefully, both a "sign-up or sign-in policy" or "custom policy" do not support the Azure Active Directory forceChangePasswordNextLogin
flag. (forceChangePasswordNextLogin
will only work with a "sign-up policy") There is a feature request tracking this here.
这篇关于具有自定义策略的Azure AD B2C:无法使用临时密码对用户进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!