Azure AD B2C Password Reset policy without email verification step


Question

Is it possible to create a custom policy to reset the password for an already known email?

I create a user using the Graph API and send an invitation email to the specified email address.

I want the user to click on the link in that email and just set a password for his account.

I can create a signed token with this email claim and send it as an assertion to my custom policy. So the policy gets the email as an input claim. I see it in the trace.

But I am not able to bypass the email verification step in the password reset journey - when I remove it, I get a 500 server error without additional detail.

I tried to send the objectId for the user as an input claim as well, but it does not help either.

Is there a way to skip email verification?

Answer

You have the following options that vary the user experience:

  1. Display the email address as a read-only field and remove the email verification requirement.
  2. Remove the email verification step.

Display the email address as a read-only field

1) Create a readOnlyEmail claim type:

<ClaimType Id="readOnlyEmail">
  <DisplayName>Email Address</DisplayName>
  <DataType>string</DataType>
  <UserInputType>Readonly</UserInputType>
</ClaimType>

2) Create a claims transformation that copies from the email claim to the readOnlyEmail claim:

<ClaimsTransformation Id="CopyFromEmailToReadOnlyEmail" TransformationMethod="FormatStringClaim">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="stringFormat" DataType="string" Value="{0}" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="readOnlyEmail" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

3) Add the CopyFromEmailToReadOnlyEmail claims transformation as an input claims transformation to the LocalAccountDiscoveryUsingEmailAddress technical profile and then replace the email claim type with readOnlyEmail as the input and output claims for this technical profile:

<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
  <DisplayName>Reset password using email address</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <IncludeInSso>false</IncludeInSso>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="CopyFromEmailToReadOnlyEmail" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="readOnlyEmail" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="readOnlyEmail" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

Remove the email verification step

1) Change the first step for the PasswordReset journey from:

<OrchestrationStep Order="1" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
  </ClaimsExchanges>
</OrchestrationStep>

to:

<OrchestrationStep Order="1" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="UserReadUsingEmailAddressExchange" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress" />
  </ClaimsExchanges>
</OrchestrationStep>
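The question feeds the email into the policy through a signed assertion. Once the email verification step is removed from the journey (option 2 above), that signature is the only evidence the policy has that the email claim came from the invitation flow rather than from whoever submitted the request, so the assertion must be verified (signature, issuer, audience, expiry) before its email claim is used to look up and reset an account. As an added example, not code from the original question or answer and not how B2C itself validates the token, here is a standard-library Python minter and verifier for such an HS256 assertion; SECRET_KEY, ISSUER and AUDIENCE are constructed placeholders.

```python
# Added example, not code from the original post: mint and verify the signed
# assertion that carries the `email` claim into the password-reset policy.
# HS256 JWT built with the standard library only. SECRET_KEY, ISSUER and
# AUDIENCE are constructed placeholders for the demonstration.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-key-replace-me"   # placeholder shared secret
ISSUER = "https://invite.example.test"            # assumed issuer of the assertion
AUDIENCE = "b2c-password-reset"                   # assumed audience (the policy)


class InvalidAssertion(ValueError):
    """Raised when the assertion must not be trusted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_assertion(email: str, key: bytes = SECRET_KEY,
                   now: Optional[int] = None, ttl: int = 900) -> str:
    """Issue a short-lived HS256 JWT whose `email` claim the policy will read."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "iat": now,
               "exp": now + ttl, "email": email}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload))
    return signing_input + "." + _b64url(_sign(signing_input, key))


def verify_assertion(token: str, key: bytes = SECRET_KEY,
                     now: Optional[int] = None) -> dict:
    """Return the claims only if signature, issuer, audience and expiry check out.

    With the verification step removed from the journey, this check is what
    keeps an unverified email claim from reaching the password reset.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        raise InvalidAssertion("malformed token")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise InvalidAssertion("malformed token")
    # Pin the algorithm: never let the token choose (rejects alg=none downgrades).
    if header.get("alg") != "HS256":
        raise InvalidAssertion("unexpected alg")
    expected = _sign(header_b64 + "." + payload_b64, key)
    if not hmac.compare_digest(expected, signature):
        raise InvalidAssertion("bad signature")
    if payload.get("iss") != ISSUER or payload.get("aud") != AUDIENCE:
        raise InvalidAssertion("wrong issuer or audience")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise InvalidAssertion("expired")
    if not payload.get("email"):
        raise InvalidAssertion("email claim missing")
    return payload


if __name__ == "__main__":
    token = mint_assertion("alice@example.test")
    print(verify_assertion(token)["email"])
```

The short ttl matters as much as the signature: the invitation link is a bearer credential for a password reset, so the assertion should expire in minutes, and a production policy would also bind the token to the specific account (for example by the objectId the question mentions) and verify against the key material configured for the policy rather than a shared secret in code.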
