
The Resource Owner Password Credentials flow is now available in preview for Azure B2C:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc

However, I want to modify the claims (specifically: emit the username as the "email" claim). I tried invoking my existing custom policy in IEF using the flow from the docs, but it didn't like that (unsurprisingly):

AADB2C: An exception has occurred.

Is there any way to influence the claims in this flow?

Update: while implementing Chris's answer, I get this error:

Unable to upload policy. Reason: Validation failed: 1 validation error(s) found in policy "B2C_1A_ROPC" of tenant "xxx.onmicrosoft.com". Claim type "email" is the output claim of the relying party technical profile, but it is not an output claim in any of the steps of user journey "SignIn-ROPC".

I've posted an experimental solution as a separate answer.

2 Answers

Here is the complete policy I ended up with, using Chris's helpful answer. I consider it experimental because I don't fully understand the claims flow, but it works well.

<ClaimsProviders>
    <ClaimsProvider>
        <DisplayName>Override some profiles</DisplayName>
        <TechnicalProfiles>
            <TechnicalProfile Id="login-NonInteractive">
                <DisplayName>Local Account SignIn</DisplayName>
                <Protocol Name="OpenIdConnect" />
                <InputClaims>
                    <InputClaim ClaimTypeReferenceId="signInName" 
                        PartnerClaimType="username" 
                        Required="true" 
                        DefaultValue="{OIDC:Username}" />
                    <InputClaim ClaimTypeReferenceId="password" 
                        Required="true" 
                        DefaultValue="{OIDC:Password}" />
                </InputClaims>
            </TechnicalProfile>
            <TechnicalProfile Id="AAD-UserReadUsingObjectId">
                <OutputClaims>
                    <!-- This user journey does not have any other step that provides this -->
                    <OutputClaim ClaimTypeReferenceId="signInName" />
                </OutputClaims>
            </TechnicalProfile>
        </TechnicalProfiles>
    </ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
    <UserJourney Id="SignIn-ROPC">
        <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
        <OrchestrationSteps>
            <OrchestrationStep Order="1" 
                Type="ClaimsExchange">
                <ClaimsExchanges>
                    <ClaimsExchange Id="LoginNonInteractiveExchange" 
                        TechnicalProfileReferenceId="login-NonInteractive" />
                </ClaimsExchanges>
            </OrchestrationStep>
            <OrchestrationStep Order="2" 
                Type="ClaimsExchange">
                <ClaimsExchanges>
                    <ClaimsExchange Id="AADUserReadWithObjectId" 
                        TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
                </ClaimsExchanges>
            </OrchestrationStep>
            <OrchestrationStep Order="3" 
                Type="SendClaims" 
                CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
        </OrchestrationSteps>
    </UserJourney>
</UserJourneys>
<RelyingParty>
    <DefaultUserJourney ReferenceId="SignIn-ROPC" />
    <TechnicalProfile Id="PolicyProfile">
        <DisplayName>PolicyProfile</DisplayName>
        <Protocol Name="OpenIdConnect" />
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" 
                PartnerClaimType="sub"/>
            <!-- This works for accounts that were created via the azure portal -->
            <OutputClaim ClaimTypeReferenceId="signInName" 
                PartnerClaimType="email" />
            <!-- This works for accounts that signed up themselves -->
            <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" 
                PartnerClaimType="email" />
        </OutputClaims>
        <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
</RelyingParty>
answered 2018-07-28T21:49:36.317
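The validation error quoted in the question's update (a relying-party output claim that no step of the journey produces) can be caught before uploading. The script below is an added example, not code from the question, from either answer, or from Microsoft's validator; it reimplements that one rule over a constructed policy fragment that combines Chris's relying-party section and journey with assumed, hypothetical base-policy output claims for the two technical profiles (real TrustFrameworkBase content differs), then applies the signInName-to-"email" mapping from the answer above and shows the finding clearing.

```python
"""Pre-upload lint for an Azure AD B2C custom policy: every claim the
relying-party technical profile emits must be produced by some step of the
default user journey. Added example; the policy text is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample. The journey and RelyingParty sections mirror Chris's
# answer; the OutputClaims on the two technical profiles are assumptions
# standing in for what the inherited base policy would provide.
BROKEN_POLICY = """<TrustFrameworkPolicy>
 <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
  <TechnicalProfile Id="login-NonInteractive">
   <OutputClaims><OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" /></OutputClaims>
  </TechnicalProfile>
  <TechnicalProfile Id="AAD-UserReadUsingObjectId">
   <OutputClaims><OutputClaim ClaimTypeReferenceId="displayName" /></OutputClaims>
  </TechnicalProfile>
 </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
 <UserJourneys><UserJourney Id="SignIn-ROPC"><OrchestrationSteps>
  <OrchestrationStep Order="1" Type="ClaimsExchange"><ClaimsExchanges>
   <ClaimsExchange Id="LoginNonInteractiveExchange" TechnicalProfileReferenceId="login-NonInteractive" />
  </ClaimsExchanges></OrchestrationStep>
  <OrchestrationStep Order="2" Type="ClaimsExchange"><ClaimsExchanges>
   <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
  </ClaimsExchanges></OrchestrationStep>
  <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
 </OrchestrationSteps></UserJourney></UserJourneys>
 <RelyingParty>
  <DefaultUserJourney ReferenceId="SignIn-ROPC" />
  <TechnicalProfile Id="PolicyProfile"><OutputClaims>
   <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
   <OutputClaim ClaimTypeReferenceId="email" />
  </OutputClaims></TechnicalProfile>
 </RelyingParty>
</TrustFrameworkPolicy>"""

# The fix from the experimental answer: have the directory-read step output
# signInName and emit it to the token under the "email" partner claim.
FIXED_POLICY = BROKEN_POLICY.replace(
    '<OutputClaim ClaimTypeReferenceId="displayName" />',
    '<OutputClaim ClaimTypeReferenceId="displayName" />'
    '<OutputClaim ClaimTypeReferenceId="signInName" />',
).replace(
    '<OutputClaim ClaimTypeReferenceId="email" />',
    '<OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email" />',
)


def _local(tag):
    """Strip the XML namespace so real policies (which use the cpim default namespace) also match."""
    return tag.rsplit("}", 1)[-1]


def _find_all(node, name):
    return [e for e in node.iter() if _local(e.tag) == name]


def claims_produced_by_journey(root, journey_id):
    """Union of OutputClaims over every technical profile referenced by the journey's ClaimsExchanges.
    Definitions with the same Id are merged, as B2C merges them across providers/files."""
    produced = {}
    for tp in _find_all(root, "TechnicalProfile"):
        claims = {oc.get("ClaimTypeReferenceId") for oc in _find_all(tp, "OutputClaim")}
        produced.setdefault(tp.get("Id"), set()).update(claims)
    referenced = set()
    for journey in _find_all(root, "UserJourney"):
        if journey.get("Id") == journey_id:
            for exchange in _find_all(journey, "ClaimsExchange"):
                referenced.add(exchange.get("TechnicalProfileReferenceId"))
    available = set()
    for tp_id in referenced:
        available |= produced.get(tp_id, set())
    return available


def lint_relying_party_claims(policy_xml):
    """Return the RP output claims (by ClaimTypeReferenceId) that no journey step produces."""
    root = ET.fromstring(policy_xml)
    rp = _find_all(root, "RelyingParty")[0]
    journey_id = _find_all(rp, "DefaultUserJourney")[0].get("ReferenceId")
    available = claims_produced_by_journey(root, journey_id)
    rp_profile = _find_all(rp, "TechnicalProfile")[0]
    return [oc.get("ClaimTypeReferenceId")
            for oc in _find_all(rp_profile, "OutputClaim")
            if oc.get("ClaimTypeReferenceId") not in available]


if __name__ == "__main__":
    print("broken:", lint_relying_party_claims(BROKEN_POLICY))  # ['email']
    print("fixed: ", lint_relying_party_claims(FIXED_POLICY))   # []
```

Because B2C resolves technical profiles across the whole inheritance chain (base, extensions, relying-party file), run the check over the files merged into one tree rather than over the relying-party file alone; the helper merges definitions by `Id` only within the string it is given.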

You must implement the ROPC flow in a custom policy to issue the "email" claim in the ID token.

To implement the ROPC flow in a custom policy:

1: Add the DefaultValue attribute to each of the "signInName" and "password" <InputClaim /> elements in the login-NonInteractive technical profile:

<TechnicalProfile Id="login-NonInteractive">
  <DisplayName>Local Account SignIn</DisplayName>
  <Protocol Name="OpenIdConnect" />
  ...
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" DefaultValue="{OIDC:Username}" />
    <InputClaim ClaimTypeReferenceId="password" Required="true" DefaultValue="{OIDC:Password}" />
    ...
  </InputClaims>
  ...
</TechnicalProfile>

2: Create the "ROPC" user journey:

<UserJourney Id="SignIn-ROPC">
  <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="LoginNonInteractiveExchange" TechnicalProfileReferenceId="login-NonInteractive" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>

3: Create the "ROPC" relying party technical profile:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignIn-ROPC" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
      <OutputClaim ClaimTypeReferenceId="email" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
answered 2018-07-26T23:29:55.940
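Whichever of the two relying-party sections above is used (the "email" claim directly, or signInName mapped to the "email" partner claim), the way to confirm the policy now emits it is to run the ROPC request from a test client and inspect the returned id_token. The script below is an added example, not code from the question, the answers or the linked Microsoft article; the token endpoint shape and form fields are my assumptions based on that article and should be checked against its current text, and the sample tokens are constructed and unsigned, used only to show the claim check.

```python
"""Exercise the B2C ROPC flow and check that the id_token carries 'email'.
Added example with constructed sample tokens; endpoint shape is an assumption."""
import base64
import json
import urllib.parse
import urllib.request


def ropc_token_request(tenant, policy, client_id, username, password):
    """Return (url, form) for the ROPC token call. Assumed endpoint and field
    names, modelled on the configure-ropc article; verify against the doc."""
    url = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
           f"{policy}/oauth2/v2.0/token")
    form = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "scope": f"openid {client_id} offline_access",
        "response_type": "token id_token",
    }
    return url, form


def fetch_tokens(url, form, opener=urllib.request.urlopen):
    """POST the form and return the parsed JSON token response (network call)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Decode the payload of a compact JWS without verifying the signature.
    Fine for seeing which claims the policy emits while testing; a relying
    party must verify the signature against the policy's JWKS before
    trusting any value in here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def email_from_id_token(token):
    """Return the 'email' claim, or None if the policy did not emit it."""
    return decode_jwt_payload(token).get("email")


def _constructed_sample_token(claims):
    # Demo only: header and payload are real base64url JSON segments, the
    # signature segment is a placeholder string, so this never verifies.
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    return f"{seg(header)}.{seg(claims)}.placeholder-signature"


# Constructed: what the token looks like with and without the fix applied.
SAMPLE_WITH_EMAIL = _constructed_sample_token(
    {"sub": "00000000-0000-0000-0000-000000000000", "email": "user@example.com"})
SAMPLE_WITHOUT_EMAIL = _constructed_sample_token(
    {"sub": "00000000-0000-0000-0000-000000000000"})


if __name__ == "__main__":
    url, form = ropc_token_request("contoso", "B2C_1A_ROPC", "<app-id>",
                                   "user@example.com", "<password>")
    print(url)
    # Against a real tenant: tokens = fetch_tokens(url, form)
    # print(email_from_id_token(tokens["id_token"]))
    print(email_from_id_token(SAMPLE_WITH_EMAIL))     # user@example.com
    print(email_from_id_token(SAMPLE_WITHOUT_EMAIL))  # None
```

With the experimental policy, a self-registered account and a portal-created account each populate a different source claim (signInNames.emailAddress versus signInName), but both are mapped to the same "email" partner claim, so this check passes for either kind of user; a `None` result points at the claim not being output by any journey step.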