Every user, once created, has a custom attribute "IsApproved", a boolean that tells the administrator whether the user has been approved to log in. It is set to false when the user is created. If the user is not approved, we do not want them to be able to log in. However, I can't find a way to do this.
I tried using OrchestrationSteps and skipped the SendClaims step so that the login cannot complete, but then I land on a blank page. I don't know whether there is a way to redirect to a new HTML page, or an even better way to achieve what I want.
I made some changes to the OrchestrationSteps in TrustFrameworkExtensions.xml to try to redirect to a custom HTML page when the user is not approved (the SendClaims step is skipped and I attempt a ClaimsExchange):
<UserJourneys>
  <UserJourney Id="SignUpOrSignIn">
    <OrchestrationSteps>
      <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
            <Value>extension_isApproved</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>extension_isApproved</Value>
            <Value>False</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
      </OrchestrationStep>
      <OrchestrationStep Order="5" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
            <Value>extension_isApproved</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
            <Value>extension_isApproved</Value>
            <Value>False</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="RedirectToErrorPage" TechnicalProfileReferenceId="RedirectToErrorPageForIsApproved" />
        </ClaimsExchanges>
      </OrchestrationStep>
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
The RedirectToErrorPageForIsApproved technical profile is:
<ClaimsProvider>
  <DisplayName>Redirect if account not approved</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="RedirectToErrorPageForIsApproved">
      <DisplayName>Redirect if account not approved</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.redirectisapproved</Item>
      </Metadata>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
The ContentDefinition is:
<ContentDefinition Id="api.redirectisapproved">
  <LoadUri>https://{Settings:BlobName}.blob.core.windows.net/{Settings:StorageFolderName}/html/Hello_world.html</LoadUri>
  <RecoveryUri>https://{Settings:BlobName}.blob.core.windows.net/{Settings:StorageFolderName}/html/Hello_world.html</RecoveryUri>
  <DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.0</DataUri>
  <Metadata>
    <Item Key="DisplayName">Redirect if account not approved</Item>
  </Metadata>
</ContentDefinition>
Everything is in TrustFrameworkExtensions.xml. The best way to implement this, even if it is not what I tried here (because I don't know how), would be to show a red message above the email field when the user enters their credentials, e.g. "You have not been approved yet" (just like when the password is invalid), but I am open to any suggestion on whether that is feasible.
Thanks!
Answer 0 (score: 0)
The solution below will give you the same experience as the "incorrect username or password" message.
Create a ClaimsTransformation:
<ClaimsTransformation Id="CompareApprovalAttribute" TransformationMethod="AssertBooleanClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_isApproved" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
  </InputParameters>
</ClaimsTransformation>
Technical profile:
<TechnicalProfile Id="ApprovalState">
  <DisplayName>Check the User Login State</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_isApproved" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CompareApprovalAttribute" />
  </OutputClaimsTransformations>
</TechnicalProfile>
Sign-in technical profile:
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <DisplayName>Local Account Signin</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>
    <Item Key="setting.operatingMode">Email</Item>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
    <Item Key="language.forgotpassword_link"></Item>
    <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">You are not allowed to login</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
    <OutputClaim ClaimTypeReferenceId="password" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />
    <ValidationTechnicalProfile ReferenceId="ApprovalState" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
Add the following line to the "AAD-UserReadUsingObjectId" technical profile:
<OutputClaim ClaimTypeReferenceId="extension_isApproved" />
Note:
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.0</DataUri>
This content definition is only invoked when there is an unhandled exception in B2C.
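The wiring the answer depends on, as an added example that is not code from the question or the answer: a small Python lint that parses a constructed policy fragment mirroring the answer's snippets and reports when AAD-UserReadUsingObjectId does not emit extension_isApproved, when ApprovalState is not listed after it among the sign-in profile's validation profiles, when the UserMessageIfClaimsTransformationBooleanValueIsNotEqual item is missing, or when the transformation does not compare the claim against true. The fragment omits the real TrustFrameworkPolicy namespace so tag names match directly, and the function name is my own.

```python
# Added example, not code from the original question or answer. The constructed
# fragment below mirrors the answer's snippets without the real B2C namespace.
import xml.etree.ElementTree as ET

MSG_KEY = "UserMessageIfClaimsTransformationBooleanValueIsNotEqual"

SAMPLE_POLICY = """<TrustFrameworkPolicy>
  <BuildingBlocks><ClaimsTransformations>
    <ClaimsTransformation Id="CompareApprovalAttribute" TransformationMethod="AssertBooleanClaimIsEqualToValue">
      <InputParameters><InputParameter Id="valueToCompareTo" DataType="boolean" Value="true"/></InputParameters>
    </ClaimsTransformation>
  </ClaimsTransformations></BuildingBlocks>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="AAD-UserReadUsingObjectId"><OutputClaims><OutputClaim ClaimTypeReferenceId="extension_isApproved"/></OutputClaims></TechnicalProfile>
    <TechnicalProfile Id="ApprovalState"><OutputClaimsTransformations><OutputClaimsTransformation ReferenceId="CompareApprovalAttribute"/></OutputClaimsTransformations></TechnicalProfile>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <Metadata><Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">You are not allowed to login</Item></Metadata>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId"/>
        <ValidationTechnicalProfile ReferenceId="ApprovalState"/>
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

def lint_approval_gate(policy_xml, signin_tp="SelfAsserted-LocalAccountSignin-Email",
                       read_tp="AAD-UserReadUsingObjectId", check_tp="ApprovalState",
                       claim="extension_isApproved"):
    root = ET.fromstring(policy_xml)
    tps = {tp.get("Id"): tp for tp in root.iter("TechnicalProfile")}
    findings = []  # empty list means the gate is wired as the answer describes
    # The directory read must emit the flag, otherwise the assertion has no claim to compare.
    if read_tp not in tps or tps[read_tp].find(f".//OutputClaim[@ClaimTypeReferenceId='{claim}']") is None:
        findings.append(f"{read_tp} does not output {claim}")
    # The sign-in profile must run the read before the check and carry the user-facing message.
    signin = tps.get(signin_tp)
    order = [v.get("ReferenceId") for v in signin.iter("ValidationTechnicalProfile")] if signin is not None else []
    if read_tp not in order or check_tp not in order or order.index(check_tp) < order.index(read_tp):
        findings.append(f"{check_tp} must be listed after {read_tp} in the validation profiles of {signin_tp}")
    if signin is None or signin.find(f".//Item[@Key='{MSG_KEY}']") is None:
        findings.append(f"{signin_tp} lacks the {MSG_KEY} metadata item")
    # The referenced transformation must assert that the boolean claim equals true.
    ref = tps[check_tp].find(".//OutputClaimsTransformation") if check_tp in tps else None
    ct = root.find(f".//ClaimsTransformation[@Id='{ref.get('ReferenceId')}']") if ref is not None else None
    param = ct.find(".//InputParameter[@Id='valueToCompareTo']") if ct is not None else None
    if ct is None or ct.get("TransformationMethod") != "AssertBooleanClaimIsEqualToValue" \
            or param is None or param.get("Value", "").lower() != "true":
        findings.append(f"{check_tp} does not assert {claim} == true")
    return findings
```

Running the lint over a real TrustFrameworkExtensions.xml requires registering the policy namespace (or stripping it) before the tag lookups above will match.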