When using Azure AD B2C with Azure Mobile Apps, how is the password policy set?


Question

In Azure AD B2C, there are separate policies for "Sign-up/Sign-in" and "Password reset". I copy the Metadata Endpoint for the "Sign-up/Sign-in" policy

and paste it into the Azure App Authentication

This basically works, but there is no place to put in the Password reset metadata which has the templates for password reset. I think as a result of this, when you click on "Forgot password", you end up with

You do not have permission to view this directory or page.

at ~/.auth/login/aad/callback when trying to go to /xxx.onmicrosoft.com/B2C_1_b2c_sign_up_sign_in/api/CombinedSigninAndSignup/forgotPassword?csrf_token=xxx&p=B2C_1_b2c_sign_up_sign_in

Why is there no Sign-in/Sign-up/Password Reset?

Also, another strange thing is clicking on Create a new account.

If you press Cancel, again it goes to the callback need permission page.

I downloaded the policies, and the password reset one has the following, which is NOT in the sign-in one:

<UserJourneys>
  <UserJourney Id="B2CPasswordResetV1">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
        <ClaimsProviderSelections>
          <ClaimsProviderSelection TargetClaimsExchangeId="PasswordResetUsingEmailAddressExchange" />
        </ClaimsProviderSelections>
      </OrchestrationStep>
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
<RelyingParty>
  <DefaultUserJourney ReferenceId="B2CPasswordResetV1" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="emails" />
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>

Update: I just found the following:

When you create a sign-up or sign-in policy (with local accounts), the consumer will see a "Forgot password?" link on the first page of the experience. Clicking on this link doesn't automatically trigger a password reset policy. Instead, a specific error code, AADB2C90118, is returned to your app. Your app needs to handle this and invoke a specific password reset policy. A sample that demonstrates this approach of linking together policies is here.

Looks like it gets posted to callback. So it seems that the zumo callback is not able to handle the error. If the zumo callback gets a state/code/id_token, then it goes to done.

Answer

Unfortunately the integrated App Service support for B2C doesn't allow your app to handle the error callback to redirect to your reset password policy. Your options at this point are:

  1. Remove the reset password link using custom CSS, or
  2. Configure a custom error handler in web.config which handles the error and allows the end user to invoke your password reset policy by redirecting them to /.auth/login/aad?p=B2C_1_B2CPasswordResetV1.

I wrote a quick example of #2 in this blog post comment: https://cgillum.tech/2016/08/10/app-service-auth-and-azure-ad-b2c-part-2/#comment-581

Here is the web.config snippet I shared which shows how to handle this error and redirect to a static page on your mobile backend:

<configuration>
  <system.webServer>
    <!-- Replace the default IIS error pages with our own handling -->
    <httpErrors defaultResponseMode="File" errorMode="Custom">
      <clear />
      <!-- 401.73 is the status App Service Authentication returns for the B2C error;
           serve a static page from the mobile backend instead of the permission page -->
      <error statusCode="401" subStatusCode="73" path="MyPage.html" />
    </httpErrors>
  </system.webServer>
</configuration>

Other response modes are also available, including ExecuteURL and Redirect. One of these may be more appropriate than my example which uses File, depending on your needs. More details on IIS custom errors can be found here: https://www.iis.net/configreference/system.webserver/httperrors#005.
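As an added illustration, not part of the answer above, here is the same web.config pattern in Redirect mode, so that the 401.73 response sends the user straight to the password reset policy named in option #2 rather than to a static page; the host name is a placeholder you must replace, and the policy name B2C_1_B2CPasswordResetV1 is the one used in the answer:

```xml
<configuration>
  <system.webServer>
    <!-- Intercept the 401.73 response that App Service Authentication returns when
         B2C reports AADB2C90118 ("Forgot password?" clicked) and redirect the browser
         to the password reset policy instead of showing the permission page. -->
    <httpErrors errorMode="Custom">
      <clear />
      <!-- Redirect mode: IIS answers with a 302 to the given URL. IIS expects an
           absolute URL for Redirect mode, so YOUR-APP is a placeholder for the
           App Service host name (assumption: the app is on azurewebsites.net). -->
      <error statusCode="401"
             subStatusCode="73"
             responseMode="Redirect"
             path="https://YOUR-APP.azurewebsites.net/.auth/login/aad?p=B2C_1_B2CPasswordResetV1" />
    </httpErrors>
  </system.webServer>
</configuration>
```

Because the redirect target is the App Service login endpoint for the reset policy, the token exchange after the reset is still handled by App Service Authentication, as in the answer's option #2.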
