Error message using Azure B2C in claim sub when using CreateSubjectClaimFromAlternativeSecurityId: "Not supported currently. Use oid claim."
When signing in with LinkedIn as a social provider through the Identity Experience Framework, the sub claim
sometimes returns the following error message as the claim value:
"Not supported currently. Use oid claim."
The error seems to appear randomly rather than on every request. Our test accounts get the correct sub claim when checked at https://jwt.ms
When checking the log files from UserJourneyRecorder in Application Insights, the error message was found and traced back to our application.
In the policy file, the error seems to originate from the claims transformation CreateSubjectClaimFromAlternativeSecurityId:
<ClaimsTransformation Id="CreateSubjectClaimFromAlternativeSecurityId" TransformationMethod="CreateStringClaim">
  <InputParameters>
    <InputParameter Id="value" DataType="string" Value="Not supported currently. Use oid claim." />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="sub" TransformationClaimType="createdClaim" />
  </OutputClaims>
</ClaimsTransformation>
I think Azure AD B2C should throw an exception here instead of putting the error message into a single claim?
If you followed the article "Azure Active Directory B2C: Add LinkedIn as an identity provider by using custom policies", then you can remove the <OutputClaimsTransformation /> from the "LinkedIn-OAUTH" technical profile:
<OutputClaimsTransformations>
  <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
  <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
  <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
  <!-- REMOVE THE FOLLOWING LINE -->
  <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
</OutputClaimsTransformations>
If you are using the custom policy starter packs, then the "sub" claim should be set to the object identifier of the user object in one of the relying party policy files:
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
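As an added example that is not part of the question, the answer, or Microsoft's starter packs, the following Python script lints a flattened custom policy for both points made in the answer: a technical profile that still references a CreateStringClaim transformation whose literal value is the placeholder text, and a relying party that does not issue objectId as "sub". The sample policy, the namespace URI and the element layout are constructed assumptions; point it at your own merged policy XML.

```python
import xml.etree.ElementTree as ET
PLACEHOLDER = "Not supported currently. Use oid claim."  # literal the transformation writes into "sub"

# Constructed sample: a flattened policy that still carries the problematic transformation,
# still runs it from the LinkedIn profile, and does not map objectId to "sub" in the relying party.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <BuildingBlocks><ClaimsTransformations>
    <ClaimsTransformation Id="CreateSubjectClaimFromAlternativeSecurityId" TransformationMethod="CreateStringClaim">
      <InputParameters><InputParameter Id="value" DataType="string" Value="Not supported currently. Use oid claim." /></InputParameters>
      <OutputClaims><OutputClaim ClaimTypeReferenceId="sub" TransformationClaimType="createdClaim" /></OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations></BuildingBlocks>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles><TechnicalProfile Id="LinkedIn-OAUTH">
    <OutputClaimsTransformations>
      <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
      <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
    </OutputClaimsTransformations>
  </TechnicalProfile></TechnicalProfiles></ClaimsProvider></ClaimsProviders>
  <RelyingParty><TechnicalProfile Id="PolicyProfile"><OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" />
    <OutputClaim ClaimTypeReferenceId="sub" />
  </OutputClaims></TechnicalProfile></RelyingParty>
</TrustFrameworkPolicy>"""


def elems(node, name):
    """Descendants of node with local tag name `name`, whatever the XML namespace."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]


def placeholder_transformation_ids(root):
    """Ids of CreateStringClaim transformations whose literal value is the placeholder."""
    return {ct.get("Id") for ct in elems(root, "ClaimsTransformation")
            if ct.get("TransformationMethod") == "CreateStringClaim"
            and any(p.get("Id") == "value" and p.get("Value") == PLACEHOLDER
                    for p in elems(ct, "InputParameter"))}


def lint_policy(xml_text):
    """Return a list of findings; an empty list means both checks pass."""
    root = ET.fromstring(xml_text)
    bad = placeholder_transformation_ids(root)
    findings = []
    # Check 1: no technical profile may still run a placeholder transformation.
    for tp in elems(root, "TechnicalProfile"):
        for ref in elems(tp, "OutputClaimsTransformation"):
            if ref.get("ReferenceId") in bad:
                findings.append(f"{tp.get('Id')} references {ref.get('ReferenceId')}")
    # Check 2: each relying party must issue the user's objectId as "sub".
    for rp in elems(root, "RelyingParty"):
        if not any(oc.get("ClaimTypeReferenceId") == "objectId" and oc.get("PartnerClaimType") == "sub"
                   for oc in elems(rp, "OutputClaim")):
            findings.append("RelyingParty does not map objectId to sub")
    return findings
```

Running it on the sample reports both findings; after removing the offending OutputClaimsTransformation reference and mapping objectId to sub, it reports none.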