Resource owner password credentials flow - modifying claims

Time: 2018-07-26 18:26:26

Tags: azure azure-ad-b2c identity-experience-framework

The resource owner password credentials (ROPC) flow is now available in preview for Azure AD B2C:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc

However, I want to modify the claims (specifically: to return the username as the "email" claim). I tried calling an existing custom policy in IEF using just the flow from the documentation, but it didn't like that (unsurprisingly):

AADB2C: An exception has occurred.

Is there a way to influence the claims in this flow?

Update: When implementing Chris's answer, I get this error:

Unable to upload policy. Reason: Validation failed: 1 validation error(s) found in policy "B2C_1A_ROPC" of tenant "xxx.onmicrosoft.com". Claim type "email" is an output claim of the relying party's technical profile, but it is not an output claim in any of the steps of user journey "SignIn-ROPC".

I have posted an experimental solution as a separate answer.

2 answers:

Answer 0 (score: 1)

You must implement the ROPC flow in a custom policy in order to issue the "email" claim in the ID token.

To implement the ROPC flow in a custom policy:

1: Add an <InputClaim /> element for each of "signInName" and "password" to the <InputClaims /> element of the login-NonInteractive technical profile:

<TechnicalProfile Id="login-NonInteractive">
  <DisplayName>Local Account SignIn</DisplayName>
  <Protocol Name="OpenIdConnect" />
  ...
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" DefaultValue="{OIDC:Username}" />
    <InputClaim ClaimTypeReferenceId="password" Required="true" DefaultValue="{OIDC:Password}" />
    ...
  </InputClaims>
  ...
</TechnicalProfile>

2: Create the "ROPC" user journey:

<UserJourney Id="SignIn-ROPC">
  <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="LoginNonInteractiveExchange" TechnicalProfileReferenceId="login-NonInteractive" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>

3: Create the "ROPC" relying party technical profile:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignIn-ROPC" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
      <OutputClaim ClaimTypeReferenceId="email" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>

Answer 1 (score: 0)

Here is the full policy I ended up with, using Chris's helpful answer. I consider it experimental because I don't fully understand the claims flow, but it works well.

<ClaimsProviders>
    <ClaimsProvider>
        <DisplayName>Override some profiles</DisplayName>
        <TechnicalProfiles>
            <TechnicalProfile Id="login-NonInteractive">
                <DisplayName>Local Account SignIn</DisplayName>
                <Protocol Name="OpenIdConnect" />
                <InputClaims>
                    <InputClaim ClaimTypeReferenceId="signInName" 
                        PartnerClaimType="username" 
                        Required="true" 
                        DefaultValue="{OIDC:Username}" />
                    <InputClaim ClaimTypeReferenceId="password" 
                        Required="true" 
                        DefaultValue="{OIDC:Password}" />
                </InputClaims>
            </TechnicalProfile>
            <TechnicalProfile Id="AAD-UserReadUsingObjectId">
                <OutputClaims>
                    <!-- This user journey does not have any other step that provides this -->
                    <OutputClaim ClaimTypeReferenceId="signInName" />
                </OutputClaims>
            </TechnicalProfile>
        </TechnicalProfiles>
    </ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
    <UserJourney Id="SignIn-ROPC">
        <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
        <OrchestrationSteps>
            <OrchestrationStep Order="1" 
                Type="ClaimsExchange">
                <ClaimsExchanges>
                    <ClaimsExchange Id="LoginNonInteractiveExchange" 
                        TechnicalProfileReferenceId="login-NonInteractive" />
                </ClaimsExchanges>
            </OrchestrationStep>
            <OrchestrationStep Order="2" 
                Type="ClaimsExchange">
                <ClaimsExchanges>
                    <ClaimsExchange Id="AADUserReadWithObjectId" 
                        TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
                </ClaimsExchanges>
            </OrchestrationStep>
            <OrchestrationStep Order="3" 
                Type="SendClaims" 
                CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
        </OrchestrationSteps>
    </UserJourney>
</UserJourneys>
<RelyingParty>
    <DefaultUserJourney ReferenceId="SignIn-ROPC" />
    <TechnicalProfile Id="PolicyProfile">
        <DisplayName>PolicyProfile</DisplayName>
        <Protocol Name="OpenIdConnect" />
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" 
                PartnerClaimType="sub"/>
            <!-- This works for accounts that were created via the azure portal -->
            <OutputClaim ClaimTypeReferenceId="signInName" 
                PartnerClaimType="email" />
            <!-- This works for accounts that signed up themselves -->
            <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" 
                PartnerClaimType="email" />
        </OutputClaims>
        <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
</RelyingParty>
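The upload error quoted in the question (a relying-party output claim that no step of the user journey produces) can be checked offline before uploading. The following is an added example, not code from the question or from either answer: a small Python checker that applies that rule to policy fragments, where BASE_XML is a constructed stand-in for the output claims the base policy's profiles emit, and EXT_XML is a constructed condensation of the extension fragment in this answer.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the base policy: only the output claims of the two
# profiles the ROPC journey calls (the real TrustFrameworkBase.xml emits more).
BASE_XML = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
<ClaimsProviders><ClaimsProvider><TechnicalProfiles>
<TechnicalProfile Id="login-NonInteractive"><OutputClaims><OutputClaim ClaimTypeReferenceId="objectId"/></OutputClaims></TechnicalProfile>
<TechnicalProfile Id="AAD-UserReadUsingObjectId"><OutputClaims><OutputClaim ClaimTypeReferenceId="signInNames.emailAddress"/></OutputClaims></TechnicalProfile>
</TechnicalProfiles></ClaimsProvider></ClaimsProviders></TrustFrameworkPolicy>"""

# Constructed condensation of the extension fragment posted in this answer.
EXT_XML = """<TrustFrameworkPolicy>
<ClaimsProviders><ClaimsProvider><TechnicalProfiles><TechnicalProfile Id="AAD-UserReadUsingObjectId">
<OutputClaims><OutputClaim ClaimTypeReferenceId="signInName"/></OutputClaims>
</TechnicalProfile></TechnicalProfiles></ClaimsProvider></ClaimsProviders>
<UserJourneys><UserJourney Id="SignIn-ROPC"><OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange"><ClaimsExchanges><ClaimsExchange Id="A" TechnicalProfileReferenceId="login-NonInteractive"/></ClaimsExchanges></OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange"><ClaimsExchanges><ClaimsExchange Id="B" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/></ClaimsExchanges></OrchestrationStep>
<OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
</OrchestrationSteps></UserJourney></UserJourneys>
<RelyingParty><DefaultUserJourney ReferenceId="SignIn-ROPC"/><TechnicalProfile Id="PolicyProfile"><OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email"/>
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
</OutputClaims></TechnicalProfile></RelyingParty></TrustFrameworkPolicy>"""

def _all(root, name):
    """Elements named `name`, ignoring the cpim default namespace real policies declare."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def unresolved_rp_claims(fragments):
    """Return claim types the RelyingParty outputs that no step of its default
    user journey produces. `fragments` are policy XML strings in inheritance
    order (base first): same-Id TechnicalProfiles merge their OutputClaims,
    later UserJourney/RelyingParty definitions replace earlier ones."""
    produced_by, journeys, rp_journey, rp_claims = {}, {}, None, set()
    for xml in fragments:
        root = ET.fromstring(xml)
        for tp in _all(root, "TechnicalProfile"):
            produced_by.setdefault(tp.get("Id"), set()).update(
                oc.get("ClaimTypeReferenceId") for oc in _all(tp, "OutputClaim"))
        for uj in _all(root, "UserJourney"):
            journeys[uj.get("Id")] = [ce.get("TechnicalProfileReferenceId")
                                      for ce in _all(uj, "ClaimsExchange")]
        for rp in _all(root, "RelyingParty"):
            rp_journey = _all(rp, "DefaultUserJourney")[0].get("ReferenceId")
            rp_claims = {oc.get("ClaimTypeReferenceId") for oc in _all(rp, "OutputClaim")}
    produced = set().union(*(produced_by.get(tp, set()) for tp in journeys.get(rp_journey, [])))
    return rp_claims - produced
```

Running the checker on the extension fragment alone (without the base) shows why the override of AAD-UserReadUsingObjectId matters: only claims a journey step actually emits may be mapped in the relying party.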