Azure AD B2C - Refresh_Token refresh claims via REST (Identity Experience Framework)


Question


We have Azure AD B2C setup to use Identity Experience Framework, and on sign-in/sign-up a REST call is made to get extra security credential claims via an Azure Function. This works fine.


When we request an Access/ID Token via Refresh_Token via Azure AD B2C it looks like we get the same token back, and it doesn't call the REST API to get the latest updated token claims. Is it possible to change this User Journey so it does?


Is there another solution to refresh token without logging in again to get latest updates?


(We could get around this in code and not using the Token, but for various reasons we want to explore this first).

Answer


You can declare a refresh token user journey, which calls your REST API, as follows:

<UserJourney Id="TokenRefresh">
  <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="RefreshTokenExchange" TechnicalProfileReferenceId="TpEngine_RefreshToken" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- TODO: Add an orchestration step that calls the REST API. -->
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>


The initial orchestration step invokes the TpEngine_RefreshToken technical profile that reads the objectId claim from the current refresh token:

<ClaimsProvider>
  <DisplayName>Trustframework Policy Engine Technical Profiles</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13">
      <DisplayName>Trustframework Policy Engine Default Technical Profile</DisplayName>
      <Protocol Name="None" />
      <Metadata>
        <Item Key="url">{service:te}</Item>
      </Metadata>
    </TechnicalProfile>
    <TechnicalProfile Id="TpEngine_RefreshToken">
      <DisplayName>Trustframework Policy Engine Refresh Token Technical Profile</DisplayName>
      <Protocol Name="None" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>


The second orchestration step invokes the AAD-UserReadUsingObjectId technical profile that reads claims from the Azure AD B2C directory for the signed-in user by the objectId claim.


Another orchestration step can call your REST API.


The final orchestration step issues new tokens.


You must reference the TokenRefresh user journey using the RefreshTokenUserJourneyId metadata item with the JwtIssuer technical profile so that tokens that are issued by this technical profile are refreshed by this user journey:

<ClaimsProvider>
  <DisplayName>Token Issuer</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="JwtIssuer">
      <DisplayName>JWT Issuer</DisplayName>
      <Protocol Name="None" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="client_id">{service:te}</Item>
        <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
        <Item Key="RefreshTokenUserJourneyId">TokenRefresh</Item>
        <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
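Filling in the step the answer leaves as a TODO, as an added example that is not part of the original answer or of the Microsoft starter pack: a RESTful technical profile that calls the Azure Function, and the TokenRefresh journey with that call inserted as step 3 so the SendClaims step becomes step 4. The ServiceUrl, the B2C_1A_RestApiKey policy key, the REST-GetSecurityClaims technical profile Id and the extension_securityLevel claim are assumptions chosen for illustration; substitute the names used in your own policy and function.

```xml
<!-- Added example, not from the original answer. The first fragment goes under
     <ClaimsProviders>, the second under <UserJourneys> in the extensions policy.
     ServiceUrl, B2C_1A_RestApiKey, REST-GetSecurityClaims and
     extension_securityLevel are illustrative assumptions. -->
<ClaimsProvider>
  <DisplayName>REST APIs</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-GetSecurityClaims">
      <DisplayName>Fetch current security claims from the Azure Function</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- Hypothetical function endpoint; replace with your own -->
        <Item Key="ServiceUrl">https://contoso-claims.azurewebsites.net/api/GetSecurityClaims</Item>
        <!-- Input claims are posted as a JSON body -->
        <Item Key="SendClaimsIn">Body</Item>
        <!-- Authenticate B2C to the function so the endpoint cannot be driven by
             anyone who learns its URL; the header name is the Key Id below -->
        <Item Key="AuthenticationType">ApiKeyHeader</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
        <Item Key="DebugMode">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Policy key holding the function key; sent as the x-functions-key header -->
        <Key Id="x-functions-key" StorageReferenceId="B2C_1A_RestApiKey" />
      </CryptographicKeys>
      <InputClaims>
        <!-- objectId was read from the encrypted refresh token in step 1, so the
             function receives a user identity asserted by B2C, not by the client -->
        <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId" />
      </InputClaims>
      <OutputClaims>
        <!-- Mapped from the "securityLevel" property of the function's JSON response -->
        <OutputClaim ClaimTypeReferenceId="extension_securityLevel" PartnerClaimType="securityLevel" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<UserJourney Id="TokenRefresh">
  <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
  <OrchestrationSteps>
    <!-- Step 1: recover objectId from the refresh token -->
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="RefreshTokenExchange" TechnicalProfileReferenceId="TpEngine_RefreshToken" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 2: re-read the user from the directory -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 3: the step the answer leaves as a TODO, refreshing the REST-sourced claims -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="RESTGetSecurityClaims" TechnicalProfileReferenceId="REST-GetSecurityClaims" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 4: issue the new tokens with the updated claims -->
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>
```

For the new claim to reach the token it must also be declared in the ClaimsSchema under BuildingBlocks and listed in the relying party policy's OutputClaims. Upload the function key as the B2C_1A_RestApiKey policy key rather than embedding it in the policy XML, and have the function reject requests that lack it. Because this technical profile now runs on every refresh, a non-200 response from the function fails the refresh request, so the function's availability becomes part of the token-refresh path.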
