Before sending the verification code in our sign-up custom policy, I received a request to verify that the email address is not already in use. In our password reset policy we use a DisplayControl to check whether the user exists before sending the OTP code, and send the OTP only if the email is already registered. For sign-up, however, I need the opposite: the code should be sent only if the email is not yet registered.
I tried the following:
    <DisplayControl Id="emailVerificationControlSignUp" UserInterfaceControlType="VerificationControl">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="emailAddress" />
      </InputClaims>
      <DisplayClaims>
        <DisplayClaim ClaimTypeReferenceId="emailAddress" ControlClaimType="Email" Required="true" />
        <DisplayClaim ClaimTypeReferenceId="verificationCode" ControlClaimType="VerificationCode" Required="true" />
      </DisplayClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="azureMfaSessionId" />
      </OutputClaims>
      <Actions>
        <!-- Before generating and sending an OTP, we first take the user's email and look up the directory for a user.
             If a user is returned we will have the objectId claim in the claims bag. -->
        <Action Id="SendCode">
          <ValidationClaimsExchange>
            <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress-emailAdressExist" ContinueOnError="true" ContinueOnSuccess="false" />
            <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AadSspr-SendCode">
              <Preconditions>
                <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
                  <Value>objectId</Value>
                  <Action>SkipThisValidationTechnicalProfile</Action>
                </Precondition>
              </Preconditions>
            </ValidationClaimsExchangeTechnicalProfile>
          </ValidationClaimsExchange>
        </Action>
        <Action Id="VerifyCode">
          <ValidationClaimsExchange>
            <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AadSspr-VerifyCode" />
          </ValidationClaimsExchange>
        </Action>
      </Actions>
    </DisplayControl>
and this technical profile:
    <TechnicalProfile Id="AAD-UserReadUsingEmailAddress-emailAdressExist">
      <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
        <!--<Item Key="UserMessageIfClaimsPrincipalDoesNotExist">UserMessageIfClaimsPrincipalDoesNotExist</Item>
        <Item Key="UserMessageIfClaimsPrincipalAlreadyExists">UserMessageIfClaimsPrincipalAlreadyExists</Item>-->
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="emailAddress" PartnerClaimType="signInNames.emailAddress" Required="true" />
      </InputClaims>
      <OutputClaims>
        <!-- Required claims -->
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
        <!-- Optional claims -->
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="otherMails" />
        <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
      </OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>
What actually happens is that the OTP is sent only when the email is not yet registered, but the DisplayControl always switches to the "Verify code / Send new code" buttons, even when the email is already registered. So in the end, if the email is already registered the user gets no OTP; they only get one if the email is not yet registered. Nothing on screen tells the user this, however.
If the email is already registered, the user should see an error message instead of the Verify / Send new code buttons.
How can I fix this DisplayControl?
Thanks
Answer 0 (score: 0)
Thanks for reaching out. From the DisplayControl element shared above, I can see the user is already read by this line:
    <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress-emailAdressExist" ContinueOnError="true" ContinueOnSuccess="false" />
After the user read, check whether objectId exists -> call a claims transformation;
otherwise AadSspr-SendCode.
Note: this method is not recommended, because it can be used to harvest email addresses. The recommended approach is to send the email for sign-up in all cases.
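One way to implement the check the answer describes, as an added example that is not part of the original question or answer: a claims-transformation technical profile placed between the directory read and AadSspr-SendCode in the SendCode action, which fails the action whenever the read returned an objectId. A failed validation technical profile stops the chain and keeps the DisplayControl on the email step with the error message shown, which is the behaviour the question asks for. The DoesClaimExist and AssertBooleanClaimIsEqualToValue transformation methods and the UserMessageIfClaimsTransformationBooleanValueIsNotEqual metadata key are built-in Azure AD B2C features; the claim name objectIdExists, the IDs CheckIfObjectIdExists, AssertObjectIdDoesNotExist and ClaimsTransformation-AssertEmailNotRegistered, and the self-asserted profile name LocalAccountSignUpWithLogonEmail are assumptions made for this example. The read profile is the one from the question; its ContinueOnSuccess="false" is dropped so that the chain continues into the assertion.

```xml
<!-- Added example (not from the post). Assumed names: objectIdExists, CheckIfObjectIdExists,
     AssertObjectIdDoesNotExist, ClaimsTransformation-AssertEmailNotRegistered,
     LocalAccountSignUpWithLogonEmail. -->

<!-- 1. Boolean claim that records whether the directory read returned an objectId -->
<ClaimType Id="objectIdExists">
  <DisplayName>objectIdExists</DisplayName>
  <DataType>boolean</DataType>
</ClaimType>

<!-- 2. objectIdExists = (objectId present in the claims bag) -->
<ClaimsTransformation Id="CheckIfObjectIdExists" TransformationMethod="DoesClaimExist">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" TransformationClaimType="inputClaim" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectIdExists" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

<!-- 3. Raises an error unless objectIdExists == false, i.e. unless the email is unregistered -->
<ClaimsTransformation Id="AssertObjectIdDoesNotExist" TransformationMethod="AssertBooleanClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectIdExists" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="boolean" Value="false" />
  </InputParameters>
</ClaimsTransformation>

<!-- 4. Validation technical profile that runs the two transformations in order -->
<TechnicalProfile Id="ClaimsTransformation-AssertEmailNotRegistered">
  <DisplayName>Assert that the email address is not already registered</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectIdExists" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CheckIfObjectIdExists" />
    <OutputClaimsTransformation ReferenceId="AssertObjectIdDoesNotExist" />
  </OutputClaimsTransformations>
</TechnicalProfile>

<!-- 5. The error text is configured on the self-asserted technical profile that hosts the
     DisplayControl (not shown in the question; name assumed), not on the validation profile -->
<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
  <Metadata>
    <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">An account with this email address already exists.</Item>
  </Metadata>
</TechnicalProfile>

<!-- 6. SendCode action of the DisplayControl: read, assert, then send -->
<Action Id="SendCode">
  <ValidationClaimsExchange>
    <!-- ContinueOnError="true" tolerates the "user not found" result of the read;
         no ContinueOnSuccess="false", so an existing user reaches the assertion -->
    <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress-emailAdressExist" ContinueOnError="true" />
    <!-- Fails, with the message above, when objectId came back from the directory -->
    <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="ClaimsTransformation-AssertEmailNotRegistered" />
    <!-- Only reached when the email is not registered -->
    <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AadSspr-SendCode" />
  </ValidationClaimsExchange>
</Action>
```

The fragments above are spliced into the existing BuildingBlocks (ClaimsSchema, ClaimsTransformations) and ClaimsProviders sections of the policy rather than used stand-alone. As the answer points out, any response that differs depending on whether the email is registered is a user-enumeration oracle: an attacker can submit addresses and read registration state from the error. The default sign-up behaviour (send the code regardless, and let the write profile reject a duplicate with RaiseErrorIfClaimsPrincipalAlreadyExists) avoids that at the cost of the user experience the question asks for, so the choice should be a deliberate one.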