资源所有者密码凭据流 - 修改声明
Resource owner password credentials flow - modify claims
Azure B2C 的资源所有者密码凭据流现已提供预览版:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc
但是,我想修改声明(具体来说:获取用户名作为 "email" 声明)。我尝试使用文档中的流程在 IEF 中调用我现有的自定义策略,但他们不喜欢那样(不出所料)
AADB2C: An exception has occurred.
有没有办法影响此流程中的声明?
更新
在实施 Chris 的回答时,我收到了这个错误:
Unable to upload policy. Reason : Validation failed: 1 validation error(s) found in policy "B2C_1A_ROPC" of tenant "xxx.onmicrosoft.com".Claim type "email" is the output claim of the relying party's technical profile, but it is not an output claim in any of the steps of user journey "SignIn-ROPC".
我发布了一个实验性解决方案作为单独的答案。
您必须在自定义策略中实施 ROPC 流程才能在 ID 令牌中发出 "email" 声明。
要在自定义策略中实施 ROPC 流程:
1:将DefaultValue属性添加到"signInName"和"password"<InputClaim />元素中的每个login-NonInteractive 技术简介:
<TechnicalProfile Id="login-NonInteractive">
<DisplayName>Local Account SignIn</DisplayName>
<Protocol Name="OpenIdConnect" />
...
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" DefaultValue="{OIDC:Username}" />
<InputClaim ClaimTypeReferenceId="password" Required="true" DefaultValue="{OIDC:Password}" />
...
</InputClaims>
...
</TechnicalProfile>
2:创建 "ROPC" 用户旅程:
<UserJourney Id="SignIn-ROPC">
<PreserveOriginalAssertion>false</PreserveOriginalAssertion>
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="LoginNonInteractiveExchange" TechnicalProfileReferenceId="login-NonInteractive" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
</UserJourney>
3:创建 "ROPC" 依赖方技术配置文件:
<RelyingParty>
<DefaultUserJourney ReferenceId="SignIn-ROPC" />
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="email" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
这是我根据 Chris 的有用回答制定的完整政策。我认为它是实验性的,因为我不完全了解索赔流程,但它运作良好。
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>Override some profiles</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="login-NonInteractive">
<DisplayName>Local Account SignIn</DisplayName>
<Protocol Name="OpenIdConnect" />
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName"
PartnerClaimType="username"
Required="true"
DefaultValue="{OIDC:Username}" />
<InputClaim ClaimTypeReferenceId="password"
Required="true"
DefaultValue="{OIDC:Password}" />
</InputClaims>
</TechnicalProfile>
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
<OutputClaims>
<!-- This user journey does not have any other step that provides this -->
<OutputClaim ClaimTypeReferenceId="signInName" />
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
<UserJourney Id="SignIn-ROPC">
<PreserveOriginalAssertion>false</PreserveOriginalAssertion>
<OrchestrationSteps>
<OrchestrationStep Order="1"
Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="LoginNonInteractiveExchange"
TechnicalProfileReferenceId="login-NonInteractive" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2"
Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId"
TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3"
Type="SendClaims"
CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
</UserJourney>
</UserJourneys>
<RelyingParty>
<DefaultUserJourney ReferenceId="SignIn-ROPC" />
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId"
PartnerClaimType="sub"/>
<!-- This works for accounts that were created via the azure portal -->
<OutputClaim ClaimTypeReferenceId="signInName"
PartnerClaimType="email" />
<!-- This works for accounts that signed up themselves -->
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress"
PartnerClaimType="email" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
Azure B2C 的资源所有者密码凭据流现已提供预览版:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc
但是,我想修改声明(具体来说:获取用户名作为 "email" 声明)。我尝试使用文档中的流程在 IEF 中调用我现有的自定义策略,但他们不喜欢那样(不出所料)
AADB2C: An exception has occurred.
有没有办法影响此流程中的声明?
更新 在实施 Chris 的回答时,我收到了这个错误:
Unable to upload policy. Reason : Validation failed: 1 validation error(s) found in policy "B2C_1A_ROPC" of tenant "xxx.onmicrosoft.com".Claim type "email" is the output claim of the relying party's technical profile, but it is not an output claim in any of the steps of user journey "SignIn-ROPC".
我发布了一个实验性解决方案作为单独的答案。
您必须在自定义策略中实施 ROPC 流程才能在 ID 令牌中发出 "email" 声明。
要在自定义策略中实施 ROPC 流程:
1:将DefaultValue属性添加到"signInName"和"password"<InputClaim />元素中的每个login-NonInteractive 技术简介:
<TechnicalProfile Id="login-NonInteractive">
<DisplayName>Local Account SignIn</DisplayName>
<Protocol Name="OpenIdConnect" />
...
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" DefaultValue="{OIDC:Username}" />
<InputClaim ClaimTypeReferenceId="password" Required="true" DefaultValue="{OIDC:Password}" />
...
</InputClaims>
...
</TechnicalProfile>
2:创建 "ROPC" 用户旅程:
<UserJourney Id="SignIn-ROPC">
<PreserveOriginalAssertion>false</PreserveOriginalAssertion>
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="LoginNonInteractiveExchange" TechnicalProfileReferenceId="login-NonInteractive" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
</UserJourney>
3:创建 "ROPC" 依赖方技术配置文件:
<RelyingParty>
<DefaultUserJourney ReferenceId="SignIn-ROPC" />
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="email" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
这是我根据 Chris 的有用回答制定的完整政策。我认为它是实验性的,因为我不完全了解索赔流程,但它运作良好。
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>Override some profiles</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="login-NonInteractive">
<DisplayName>Local Account SignIn</DisplayName>
<Protocol Name="OpenIdConnect" />
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName"
PartnerClaimType="username"
Required="true"
DefaultValue="{OIDC:Username}" />
<InputClaim ClaimTypeReferenceId="password"
Required="true"
DefaultValue="{OIDC:Password}" />
</InputClaims>
</TechnicalProfile>
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
<OutputClaims>
<!-- This user journey does not have any other step that provides this -->
<OutputClaim ClaimTypeReferenceId="signInName" />
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
<UserJourney Id="SignIn-ROPC">
<PreserveOriginalAssertion>false</PreserveOriginalAssertion>
<OrchestrationSteps>
<OrchestrationStep Order="1"
Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="LoginNonInteractiveExchange"
TechnicalProfileReferenceId="login-NonInteractive" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2"
Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId"
TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3"
Type="SendClaims"
CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
</UserJourney>
</UserJourneys>
<RelyingParty>
<DefaultUserJourney ReferenceId="SignIn-ROPC" />
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId"
PartnerClaimType="sub"/>
<!-- This works for accounts that were created via the azure portal -->
<OutputClaim ClaimTypeReferenceId="signInName"
PartnerClaimType="email" />
<!-- This works for accounts that signed up themselves -->
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress"
PartnerClaimType="email" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>