标签: identity-experience-framework

我们在注册过程中使用 Azure AD B2C 自定义策略，并且在使用 AAD-UserWriteUsingLogonEmail 技术配置文件在 Azure AD B2C 中实际创建用户之前，我们有多个步骤（多个屏幕）。

假设我们有由以下 3 个技术配置文件定义的 3 个步骤：

第一步：

<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail-FirstStep">
      <DisplayName>Email signup</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
        <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
        <Item Key="EnforceEmailVerification">True</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="title" Required="true"/>
        <OutputClaim ClaimTypeReferenceId="givenName" Required="true"/>
        <OutputClaim ClaimTypeReferenceId="surName" Required="true"/>
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
        <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
      </OutputClaims>
      <!-- no user created at this point -->
    </TechnicalProfile>

第二步 ：

<TechnicalProfile …

我按照这篇文章将电子邮件和displayName作为id_token_hint传递给我的自定义策略。以下是我用来提取数据的技术简介：

      <TechnicalProfiles>
        <TechnicalProfile Id="IdTokenHint_ExtractClaims">
          <DisplayName> My ID Token Hint TechnicalProfile</DisplayName>
          <Protocol Name="None" />
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="B2C_1A_ClientAssertionSigningKey" />
          </CryptographicKeys>  
          <OutputClaims>
            <!--Sample: Read the email cliam from the id_token_hint-->
            <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="newUserEmail"/>
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName"/>
          </OutputClaims>
        </TechnicalProfile>

问题是，我只能提取电子邮件值。未提取 displayName 声明类型。我检查了jwt.ms中的id_token_hint值，其中存在电子邮件和 displayName 的值。我该如何解决这个问题？

关于子旅程的文档似乎有限。https://learn.microsoft.com/en-us/azure/active-directory-b2c/subjourneys

我在 SubJourney 中遇到一个问题，我读取用户并获取对象 ID。在主 UserJourney 中，我后来使用该对象 Id 再次读取用户，但它抱怨。

尽管 objectId 是子旅程第一步中的输出声明，但主用户旅程无法使用该输出。

<SubJourneys>
        <SubJourney Id="ResetPhoneNumberOnAccount" Type="Call">
            <OrchestrationSteps>
                <!-- Look to see if the user exists if its a phone recovery -->
                <OrchestrationStep Order="1" Type="ClaimsExchange">
                    <ClaimsExchanges>
                        <ClaimsExchange Id="CheckIfUserExists" TechnicalProfileReferenceId="AAD-UserDiscoveryUsingLogonPhoneNumber-FullProfile" />
                    </ClaimsExchanges>
                </OrchestrationStep>
           <!-- Other Step -->
    </SubJourney>
</SubJourneys>

AAD-UserDiscoveryUsingLogonPhoneNumber-FullProfile 定义：https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/scenarios/phone-number-passwordless/Phone_Email_Base.xml#L905

SubJourneys 是否无法向链上发送输出声明？

我正在尝试根据我们的策略生成访问令牌，但出现此错误。

AADB2C90086: The supplied grant_type [client_credentials] is not supported.

这是邮递员请求示例

POST /{tenant}/oauth2/token?p=B2C_1A_SignUpOrSignInWithAAD HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=client_credentials&client_id={client_id}&resource=https%3A%2F%2F{app_url}&client_secret={client_secret}

但如果我不使用我们的自定义策略而直接转到 B2C 租户，它就可以正常工作

POST /{tenant}/oauth2/token?api-version=1.0
... same as above

我们的自定义策略中是否缺少某些内容？

设想：

当我开始使用 AAD B2C 自定义策略进行测试时，我使用了这个示例： active-directory-b2c-custom-policy-starterpack/SocialAndLocalAccounts/

我参考了这个文档来开始。

我按照这些步骤更改了示例中的一些值，并仔细检查了 client_id 和 resource_id。当我尝试运行注册或登录策略时，我无法使用本地帐户登录并出现错误：（虽然我可以使用社交帐户登录）

无效的用户名或密码

我使用 Fiddler 来捕获流量，这是我遇到错误时的请求和响应：

要求：

POST



https://login.microsoftonline.com/yangsa.onmicrosoft.com/B2C_1A_signup_signin/SelfAsserted?tx=StateProperties=eyJUSUQiOiI1NjMyNTc1OS1lZjFiLTRhNzctYmRkOS1jOGRjZmZhZmUxZGEifQ&p=B2C_1A_signup_signin HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
X-CSRF-TOKEN: RUF6Zk1MMFBHcVQxeHlNV2x0K2dnN21SVy9aMlN3M1R1WmxSOWdOUXhFTitDaGxOTFJoVGgwWFNLT0lKZ2JCcHdETFR1aUxtNFVDMmp0R2NkOE1RNXc9PTsyMDE4LTA3LTEyVDEwOjMzOjMyLjMyNjM0MTJaOy9IY3JiQmxESUhEcEQ4SWd1SXp6Q1E9PTt7Ik9yY2hlc3RyYXRpb25TdGVwIjoxfQ==
X-Requested-With: XMLHttpRequest
Referer: https://login.microsoftonline.com/yangsa.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_signup_signin&client_id=cec7ec64-0a28-4914-ab1a-8f951fd27b1d&nonce=defaultNonce&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=openid&response_type=id_token&prompt=login
Accept-Language: en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.3
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: login.microsoftonline.com
Content-Length: 69
Connection: Keep-Alive
Cache-Control: no-cache
x-ms-RefreshTokenCredential: eyJhbGciOiJIUzI1NiIsICJjdHgiOiJ3ejBCZW9uc0NWNkE4bVRNQURzZ29hcnl1bWV5VlFzbyJ9.eyJyZWZyZXNoX3Rva2VuIjoiQVFBQkFBQUFBQURYelozaWZyLUdSYkRUNDV6TlNFRkVoQWRiOXlnU2RyMjVfdzBtUzZaQTB3U2dlWmFNWUNzQmlxUTUyQnBzZ0w5ZUZqeXpPZXduX3MzblFsSnFyUWNsRTNzM205QVEzd0VsRC1OVDNFQ2VDank5SDFFQnVmLTFyRVd6T2JKTFNnc240ODc3SFY3UU15ZUlOZmhfWnFYWE1kMDFSRjUtZVJBWEl1TElmUTA1Ym9sa21wMmM2OTBZdmtzZFE0SEhjOTF2eXh2c2xqcUU2N3RVQ0l4a012Q2Z5UG9fUldLTlRtNUMwOXhVUzRBRFFXWlZLQVdETDJSU1dsT1BHcXBCQnR3Y2ZmTW1HdldZSll2RTZfQU5BQkduNGwwdm9neHB5ek8yVmY1V0hFdUVvUEgzWXcxenQ3UUd3T0lFZWlJMFRneFBtN0ZYempFWUVGd2lwckFYSmxYY3JMQ2M3Q0JpY3ktckRoQmRJaFBaLXFDbWU2SlVhU19HQjZRZzR1QnFzdmlVZjgwRWxoUmZZVnZISXp6R0tEQ1lWOXhmVkd3c3VLOFJaLVQ5dlZ1bGdGX0dqS1J3aWI1NWd2SVo2TkhjRWRXaEtoLXBtRVNRVnpHd3pxWXp3cXVxVUROMFU4ZTh0WmdmY0dsNGR2M2Vrc0NBR3lzSHdqa2RvRGRlc19FemZ2NllpdU1XcUFHbE5rWVFjQnBaRnFacEtjUHlocjhhdzFVSjRHcUtVU29wX2wzblZTVkpCNFpzR1FTaE05ck1RMDhwUFBwOU5DNkF2ZkVxSk14NzNNcHNSUHVEakRBZXlCdDNVNGtxNmpfYk9OaDBRMUVIa09vdlQyTVlsM2h1eFV1SVlZaTlMSFpwX2Z4YkthTEZiMGVmT3ZlN24yM2lzdklCd3FYQk1KdE9HeTZhZ3h4cEFWWUdtMmNQSlk2SVBnNHJVQ0o3MzJueWI4V2NwMVJXSjNnT3BoRXdXVmpNTHNSN0treENBd2pQLWt3d3c1bmxabDJsRk03VXFKRVBhYi1qUlQ3amlCcl9XZ0IyNHRibFlwMkZ6a3dHVWtqRVN2QzlNbk16a1JrV2ZTTUdvUGE5Wk9Hek1adHF5WXA2d0w4VmVENmdoQmlLQ295RE83X3g0ZUcybDhQb0RMdldjUjJJd3RSZ0lQNFVueXRjRXRIbEVRelJuQnBLOEFlVmUzb2p0UklQU00zZTRUUEdBYXc2eEdpTnNMQ09vMVMzUGdiTUxCSUNWUExtSjl5N2EtcktnRmtsVnNJUFlHVmZsZndweG1PQ2dZMS1KWmVWM0NkM2liQU9ydkhmcEdCS1BQdThfeDlwNVF2UExHNXZRbWoyUngtbmUzVUVPSFh1bXp0OXR3TUgyemo5MEt5U3AwZU0tT3dSV3Y1UmVhYm1TV2o0WlJsZWhqbWc1SDlVcjdXaVdCNFFNdXBNMk1nandVYzU5ZVN5bFFENlZIcnVFNUFYNUdDQkQzbDhidTRYTFJIYWtDem5HMW9ENDBrYnowR3dmOWZjSEhDUWlhSTlNZk8zU2ZQbnJ0RjBnc0p1UkhyLXI5LWsxMHJIREY1emdoX1d0ekp2Q2NzOGtJY0VoVmlLRFBraUxuMWdJX0RDYkhJcjBGQzlLejc1SUF4blhZZnVYZkwySUFBIiwgImlzX3ByaW1hcnkiOiJ0cnVlIiwgImlhdCI6IjE1MzEzOTE2MjEifQ.Gg4EVoJVWmdpOHZOzOkfSibkrh0sYLpnhobh9vtDbeU
Cookie: buid=AQABAAEAAADXzZ3ifr-GRbDT45zNSEFEoFnVsZyiuDhk01_58h3gTuhxkuN4glzV70KOD4qXb3cul77hhZKHSKMCSE9cqbRZg3g4zUtg_rpagH16M-Nu5FB4y5bgt6lMhCIu7-Ki4X0dKeAmsUrlZRq405IXm2RLetetoIpHe0MgEOTC8JwY2eCfdKjf_Bhx0dL_nTimHn4gAA; CCState=Q3VJRENqOTJMWGRoZVhsaGJrQnRhV055YjNOdlpuUXVZMjl0ZkdGd2NEcGpORFJpTkRBNE15MHpZbUl3TFRRNVl6RXRZalEzWkMwNU56UmxOVE5qWW1SbU0yTVNrd013Z2dHUEJna3Foa2lHOXcwQkJ3T2dnZ0dBTUlJQmZBSUJBREdDQVVnd2dnRkVBZ0VBTUN3d0ZURVRNQkVHQTFVRUF4TUtUVk5KVkNCRFFTQmFNZ0lUVmdCUUQyeTQ1d2cwQlZuMkNBQUFBRkFQYkRBTkJna3Foa2lHOXcwQkFRRUZBQVNDQVFDTzlidFlmbkFKL2lSL3Q2VWNSNS9Wd3BTRk1RQzI1cE5iS2ZLMWY2ZGh1c3lpQkxMVkpKQ3BTMUd0RUNUVEl4WVRWUDdFaDVJQnRUVWxkbnNzcU42SDJVSHh5R2FCa1V3TmdzSGVJbnFyNTRmQldWZGZUeFpDOGN2bHNOVlRGODlrQ21SSVZPSFBpcmZ4d3c2RVU0dm9wdTFXUThPWXJOWmZSTXVaM0pYejZlQW9vVUxMVzBUTmF2MUdoMTRZbTFPTVdMQ25RV2JYR2pZWlNSTWpOYlBqYjUyL1E2Q3VJSFJjS1dLSm1xSjVHU0U1Q1JocTFpaWdRUjlyUXQ1RU83QWxEVjFJOTQwVHVDazVTcXExdWg0cnBLMzgvc1dicVA3K29Pd09HekpmVVZtYjZoZFJkTitnNHJFbUtQZVl3eko3QStVNWR2SlVzbG90aURvOVJhKzlNQ3NHQ1NxR1NJYjNEUUVIQVRBVUJnZ3Foa2lHOXcwREJ3UUlsRDhyYm9QMjFUYUFDRUUvU2pRMGlHaHFHZ2tKRjArTnlCTG4xVWdTRWdvUWYrUVFJMXhGaUVXbHh4VmhOOFZQS2hvSkNSZXRYWHNUNTlWSQ==; ESTSAUTHPERSISTENT=AQABAAQAAADXzZ3ifr-GRbDT45zNSEFE1D-i4sTI4bxMS3YG2_xDXp4yTXqZSiUHyY4ul731zw7SXGGIFxbywIo1SPbnI4jt3--AWzXxi_t3TOAUSTHcP7GmFG5M_XmldgDdZwx3po9Gr51ZGKrG8XoWYd26XFqopxJ1h-q7oWvXdN-5T0odxC-f4qwnqOodnM9QS7nU1m-gKtYqZS9PIvMoNw1Eb1Lv4Cb9Rctu6N2q85C1nYaLEbjtnCkAHrTOgCNDM8C-zYIGLOzZ7DR0rFEfnV8o0niSO0oUO-e9t3fXssDHYMaUqhDLTt8hDUR1KqU2lPew5JAAzqh1pTiiDY7IYV7SE5lqH-dNGeavEkwMqde1rtUGJTQPCvimMnNGoDysrW4yXzPmnAQPc8Sn8Glx7mMwbPzntQ8kYB6sTijcbH_no0QyTuiCn0528glk6Z6p1TXLdky0mmCB0AxlVM0Xccm8oqlti5AzMulnsEDUdM7gLi1PgA_uPxJ1UTM-DO0RxUY5-Q6scRf-VSzwQnMlkTWH9PRiesxnSODFvQs-aIojw1tC0ahuX7ZfcvEXQmZG4VOQ04nnqcWje-6510jAK-lx5VtMw3JKTQzydei_mXydArKXlKmBYD-GgN2iCfKcm6Sx22jFFSM34979ZtTY0xcBtpxbrtvt_o4LkwxJqKhC_cb9vALt3YguankBPShoBSzBPq6_sfyb8nxGdOPv7bTcZ9h1RFt0fXcMvuhwfdnbjfL6HnNYMajoOOmk3cRlyE4gPmkFOSotod4467QrCms-NcOIrQenzv6xwUx3SPlyCoPuTyifP0PdMZk7aASltHP5PkFQKXm5ebZviQ_mThAYdAHmCdDnX3faBWaNZmgKCNodrOOwxQA_VNGUoniXLOnX4oQgACAAQAAQAgAA; x-ms-cpim-csrf=RUF6Zk1MMFBHcVQxeHlNV2x0K2dnN21SVy9aMlN3M1R1WmxSOWdOUXhFTitDaGxOTFJoVGgwWFNLT0lKZ2JCcHdETFR1aUxtNFVDMmp0R2NkOE1RNXc9PTsyMDE4LTA3LTEyVDEwOjMzOjMyLjMyNjM0MTJaOy9IY3JiQmxESUhEcEQ4SWd1SXp6Q1E9PTt7Ik9yY2hlc3RyYXRpb25TdGVwIjoxfQ==; x-ms-cpim-cache:wvcyvhvvd0q92cjc_6_h2g_0=m1.S3dACHsvLvIU9jhT.XNaZIn7mQAXBmNMOG0OeZw==.0.qqrYwNxX97Mf7xsSucScE/lnsINSDQQEECciCSWF7lWoCSaJE4jE3k8gamxe27Y2LDYWRgAUQpLIwaq7Sy4bzHmpz6RW/6Eb0A+2EGYcOzEaCFdnyLgaYAAHJYSgFIi07woKxFS8XlaRNBPFhiN/oa9Cpx5FlKflK0zFI5kFlcCzs4ezScCoAGF37FqMhgF7bzMvEVlat7nFioDK5PujkHHasjBUx5GzIHcs/N+TKCGF2Q1laAXaQIqXRmAtsoW+c1W1jU2RgGOcEQumixZgr1V00CYan/Gl2CZrKcIzyieb0ZbLxInF4SKSzy2o4IGbAPD175IFRCvFVNx87OB3mi0BG7dRmJqVFIM/No+QhAg1Bn3rWc279ggANB5W2WqPBum4UCnbwGGdUncuaiMvzYzNGBEehbDhA2HMGyNSSB+/pyGlFQfrfAB1u6FMYaLRYrjistDBAtnDuc0vwbCru4UTZpL2tSsaZ9G3C1hRNEcyr3KPVdwbp4LWKCec7RXY0CMq+eDO0TDZytaZODlN; x-ms-cpim-trans=eyJUX0RJQyI6W3siSSI6IjU2MzI1NzU5LWVmMWItNGE3Ny1iZGQ5LWM4ZGNmZmFmZTFkYSIsIlQiOiJ5YW5nc2Eub25taWNyb3NvZnQuY29tIiwiUCI6IkIyQ18xQV9zaWdudXBfc2lnbmluIiwiQyI6ImNlYzdlYzY0LTBhMjgtNDkxNC1hYjFhLThmOTUxZmQyN2IxZCIsIlMiOjEsIk0iOnt9LCJEIjowfV0sIkNfSUQiOiI1NjMyNTc1OS1lZjFiLTRhNzctYmRkOS1jOGRjZmZhZmUxZGEifQ==; x-ms-gateway-slice=001-000; stsservicecookie=cpim_te

request_type=RESPONSE&signInName=547541640%40qq.com&password=Password**

回复：

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/json; …

我正在尝试根据我的自定义属性的值引入新的编排步骤。我的要求是，仅当 myattribute(boolean attribute) 的值设置为 true 时，我才想执行编排步骤。myattribute 的值设置为 true 或 false。我正在做这样的事情。

<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
  <Value>False</Value>
  <Value>extension_myattribute</Value>
  <Action>SkipThisOrchestrationStep</Action>
</Precondition>

但是无论 myattribute 的值如何，都不会跳过这一步。我已将 myattribute 添加为 AAD-UserReadUsingObjectId 的 OutPutClaims 的一部分。我可以在 C# 中看到 extension_myattribute 的值。

任何指向比较值的示例的指针都会对我有很大帮助。

您好，我正在尝试编写一个 azure b2c 自定义策略，该策略将电子邮件验证与 sendgrid（显示控制）发送自定义电子邮件分开，然后要求用户输入姓名等值。

我使用以下技术配置文件来获取电子邮件并使用 sendgrid 和显示控件通过自定义邮件对其进行验证：

   <TechnicalProfile Id="EmailVerification">
      <DisplayName>Initiate Email Address Verification For Local Account</DisplayName>
      <Protocol Name="Proprietary"
                Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
        <Item Key="language.button_continue">Continue</Item>

         <!--OTP validation error messages-->
        <Item Key="UserMessageIfSessionDoesNotExist">You have exceed the maximum time allowed.</Item>
        <Item Key="UserMessageIfMaxRetryAttempted">You have exceed the number of retries allowed.</Item>
        <Item Key="UserMessageIfInvalidCode">You have entered the wrong code.</Item>
        <Item Key="UserMessageIfSessionConflict">Cannot verify the code, please try again later.</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" />
      </InputClaims> …

我正在尝试在 Azure AD B2C 租户中创建自定义策略。但是“添加”和“上传策略”这两个按钮都被禁用了。看起来自定义策略迄今尚未启动。是这样吗？我搜索了很多，但找不到任何表明是否已启动自定义策略的文件。我的要求是能够：

1) 更改电子邮件地址 2) 更改密码