Azure B2C error message in the sub claim when using CreateSubjectClaimFromAlternativeSecurityId: "Not supported currently. Use oid claim."

Time: 2018-02-01 15:39:52

Tags: azure azure-ad-b2c

When signing in with LinkedIn as a social provider through the Identity Experience Framework, the sub claim sometimes comes back with the following error message as its claim value:

"Not supported currently. Use oid claim."

The error seems to appear at random rather than on every request. When we check at https://jwt.ms, our test accounts receive the correct claims.

When checking the UserJourneyRecorder log files in Application Insights, the error message shows up there too and can be traced back to our application.

In the policy file, the error appears to originate from the claims transformation CreateSubjectClaimFromAlternativeSecurityId:

<ClaimsTransformation Id="CreateSubjectClaimFromAlternativeSecurityId" TransformationMethod="CreateStringClaim">
  <InputParameters>
    <InputParameter Id="value" DataType="string" Value="Not supported currently. Use oid claim." />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="sub" TransformationClaimType="createdClaim" />
  </OutputClaims>
</ClaimsTransformation>

I believe Azure AD B2C should throw an exception here instead of delivering an error message inside a single claim?

1 answer:

Answer 0 (score: 0)

If you have followed the "Azure Active Directory B2C: Add LinkedIn as an identity provider by using custom policies" article, then you can remove the <OutputClaimsTransformation /> from the "LinkedIn-OAUTH" technical profile:

<OutputClaimsTransformations>
  <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
  <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
  <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
  <!-- REMOVE THE FOLLOWING LINE -->
  <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
</OutputClaimsTransformations>

If you are using one of the custom policy starter packs, then the "sub" claim should be set to the object identifier of the user object in the relying party policy file:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
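The two conditions the answer describes (no technical profile may still reference a CreateStringClaim transformation that writes a fixed string into "sub", and the relying party profile must emit objectId under the partner claim name "sub") can be checked mechanically before a policy is uploaded. The script below is an added example, not code from the question, the answer, or Microsoft; the two policy excerpts it carries are constructed, trimmed fragments shaped after the elements quoted on this page, not real starter-pack files, and the token check simply looks for the placeholder string the questioner saw.

```python
import xml.etree.ElementTree as ET

# The literal that the questioner saw in the issued token's sub claim.
PLACEHOLDER_SUB = "Not supported currently. Use oid claim."

# Constructed, trimmed base-policy excerpt (not a real starter-pack file).
SAMPLE_BASE_POLICY = """\
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsTransformations>
    <ClaimsTransformation Id="CreateSubjectClaimFromAlternativeSecurityId"
                          TransformationMethod="CreateStringClaim">
      <InputParameters>
        <InputParameter Id="value" DataType="string" Value="Not supported currently. Use oid claim." />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="sub" TransformationClaimType="createdClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
  <TechnicalProfiles>
    <TechnicalProfile Id="LinkedIn-OAUTH">
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
    </TechnicalProfile>
  </TechnicalProfiles>
</TrustFrameworkPolicy>
"""

# Constructed relying-party excerpt that maps objectId to sub, as the answer recommends.
SAMPLE_RP_POLICY = """\
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <RelyingParty>
    <TechnicalProfile Id="PolicyProfile">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
"""


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    """All elements under (and including) root whose local name is `name`."""
    return [e for e in root.iter() if _local(e.tag) == name]


def find_literal_sub_transformations(policy_xml):
    """Ids of CreateStringClaim transformations that write a fixed string into 'sub'."""
    root = ET.fromstring(policy_xml)
    hits = []
    for ct in _elements(root, "ClaimsTransformation"):
        if ct.get("TransformationMethod") != "CreateStringClaim":
            continue
        if any(oc.get("ClaimTypeReferenceId") == "sub" for oc in _elements(ct, "OutputClaim")):
            hits.append(ct.get("Id"))
    return hits


def find_profiles_referencing(policy_xml, transformation_id):
    """Ids of technical profiles whose output transformations reference transformation_id."""
    root = ET.fromstring(policy_xml)
    return [
        tp.get("Id")
        for tp in _elements(root, "TechnicalProfile")
        if any(r.get("ReferenceId") == transformation_id
               for r in _elements(tp, "OutputClaimsTransformation"))
    ]


def relying_party_maps_objectid_to_sub(rp_xml):
    """True when the relying-party profile emits objectId under the partner claim name 'sub'."""
    root = ET.fromstring(rp_xml)
    return any(
        oc.get("ClaimTypeReferenceId") == "objectId" and oc.get("PartnerClaimType") == "sub"
        for rp in _elements(root, "RelyingParty")
        for oc in _elements(rp, "OutputClaim")
    )


def lint(base_xml, rp_xml):
    """Human-readable findings; an empty list means the policy pair looks right."""
    findings = []
    for ct_id in find_literal_sub_transformations(base_xml):
        for tp_id in find_profiles_referencing(base_xml, ct_id):
            findings.append(f"{tp_id} references {ct_id}, which writes a literal into sub; remove the reference")
    if not relying_party_maps_objectid_to_sub(rp_xml):
        findings.append("relying party does not map objectId to sub")
    return findings


def check_token_claims(claims):
    """Findings for a decoded token payload (a dict), e.g. one pasted from https://jwt.ms."""
    sub = claims.get("sub")
    if sub is None:
        return ["sub claim missing"]
    if sub == PLACEHOLDER_SUB:
        return ["sub carries the placeholder string instead of an identifier"]
    return []


if __name__ == "__main__":
    for line in lint(SAMPLE_BASE_POLICY, SAMPLE_RP_POLICY):
        print("policy:", line)
    for line in check_token_claims({"sub": PLACEHOLDER_SUB}):
        print("token:", line)
```

Run against the constructed excerpts, lint reports the LinkedIn-OAUTH reference and nothing else; delete that one OutputClaimsTransformation line and it reports nothing. Namespaces are stripped before comparing tag names, so the same functions work on the real starter-pack files, which declare the cpim default namespace at the root.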