Azure AD B2C cannot retrieve strongAuthenticationEmailAddress
I cannot store or retrieve the strongAuthenticationEmailAddress that I need in order to check, during password reset, that the verification e-mail address is the same one that was originally entered at sign-up. During sign-up, my AAD-UserWriteUsingUserId TP includes writing the e-mail address (sign-up includes e-mail verification):
[The XML of this technical profile is not reproduced on this page; only the values "Write" and "true" from it survive.]
I try to retrieve it later in my AAD-UserReadUsingUserId, which is invoked in a validation step that is called as part of the password reset:
<TechnicalProfile Id="AAD-UserReadUsingUserId">
<Metadata>
<Item Key="Operation">Read</Item>
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
<Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signinName" PartnerClaimType="signInNames.userName" Required="true" />
</InputClaims>
<OutputClaims>
<!-- Required claims -->
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
<!-- Optional claims -->
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="otherMails" />
<OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" PartnerClaimType="email" />
<OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
<OutputClaim ClaimTypeReferenceId="accountEnabled" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="AssertAccountEnabledIsTrue" />
<!--OutputClaimsTransformation ReferenceId="AssertEmailAndStrongAuthenticationEmailAddressAreEqual" /-->
</OutputClaimsTransformations>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
However, the claims collection does not include strongAuthenticationEmailAddress, possibly because it is empty. (If I comment out the assertion that compares the two e-mail addresses, I do get the collection in the token issued at the end of the journey.) What am I doing wrong?
Updated TPs (called from step 1 of PwdReset; their XML is appended at the end of the page):
RP (both email and strongAuthenticationEmailAddress cause a policy load error):
<RelyingParty>
<DefaultUserJourney ReferenceId="PasswordReset" />
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
<OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />
<OutputClaim ClaimTypeReferenceId="email" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
In the AAD-UserReadUsingUserId technical profile, you are trying to read the email attribute of the user object (rather than the strongAuthenticationEmailAddress attribute) into the strongAuthenticationEmailAddress claim. You must remove the PartnerClaimType attribute from the OutputClaim element.
Thanks Chris. It still does not work for me. Is there a way to see whether strongAuthenticationEmailAddress (SAEA) is persisted? I modified my PwdRest policy to include that claim in the final JWT token. The policy uses LocalAccountDiscoveryUsingUserId as the first step. That TP in turn has SAEA as an OutputClaim. The validation TP it calls (AAD-UserReadUsingUserId) also contains that output claim (in neither case with any PartnerClaim reference). Loading my PwdRest policy now fails with the error that SAEA is an output claim but is not an output claim in any step of the journey.

Hi @Marc. Could you add the latest modifications of the different TPs to the question above?

Chris, I have added them to the original question.
<TechnicalProfile Id="LocalAccountDiscoveryUsingUserId">
<DisplayName>Reset password using user id and address</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="IpAddressClaimReferenceId">IpAddress</Item>
<Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
<Item Key="UserMessageIfClaimsTransformationStringsAreNotEqual">User authentication email and provided email address do not match.</Item>
</Metadata>
<CryptographicKeys>
<Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
</CryptographicKeys>
<IncludeInSso>false</IncludeInSso>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="signinName" Required="true" />
<!--OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" /-->
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" />
<OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
</OutputClaims>
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingUserId" />
</ValidationTechnicalProfiles>
</TechnicalProfile>
<TechnicalProfile Id="AAD-UserReadUsingUserId">
<Metadata>
<Item Key="Operation">Read</Item>
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
<Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signinName" PartnerClaimType="signInNames.userName" Required="true" />
</InputClaims>
<OutputClaims>
<!-- Required claims -->
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
<OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
<!-- Optional claims -->
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="otherMails" />
<OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />
<OutputClaim ClaimTypeReferenceId="accountEnabled" />
<OutputClaim ClaimTypeReferenceId="email" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="AssertAccountEnabledIsTrue" />
</OutputClaimsTransformations>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
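A small lint script, added here as an example and not part of the question or the answer, that applies the two points made on this page to a constructed single-file policy condensed from the fragments above: it flags strongAuthenticationEmailAddress read with a PartnerClaimType in a Read technical profile, duplicate relying-party output claims, and relying-party claims that no orchestration-step technical profile emits (the policy-load error reported in the comments). It assumes the load-time check looks only at technical profiles referenced directly by orchestration steps, not at their validation technical profiles, and it uses a constructed PasswordReset journey because the page does not include one.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
q = lambda tag: "{%s}%s" % (NS, tag)  # namespace-qualified tag name

# Constructed single-file policy condensed from the question's fragments (real tenants split files).
SAMPLE_POLICY = f"""<TrustFrameworkPolicy xmlns="{NS}"><ClaimsProviders><ClaimsProvider><TechnicalProfiles>
<TechnicalProfile Id="LocalAccountDiscoveryUsingUserId">
 <OutputClaims><OutputClaim ClaimTypeReferenceId="signinName" Required="true"/>
  <OutputClaim ClaimTypeReferenceId="objectId"/></OutputClaims>
 <ValidationTechnicalProfiles><ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingUserId"/>
 </ValidationTechnicalProfiles></TechnicalProfile>
<TechnicalProfile Id="AAD-UserReadUsingUserId"><Metadata><Item Key="Operation">Read</Item></Metadata>
 <OutputClaims><OutputClaim ClaimTypeReferenceId="objectId"/>
  <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" PartnerClaimType="email"/>
  <OutputClaim ClaimTypeReferenceId="email"/></OutputClaims></TechnicalProfile>
</TechnicalProfiles></ClaimsProvider></ClaimsProviders>
<UserJourneys><UserJourney Id="PasswordReset"><OrchestrationSteps>
 <OrchestrationStep Order="1" Type="ClaimsExchange"><ClaimsExchanges>
  <ClaimsExchange Id="Step1" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingUserId"/>
 </ClaimsExchanges></OrchestrationStep></OrchestrationSteps></UserJourney></UserJourneys>
<RelyingParty><DefaultUserJourney ReferenceId="PasswordReset"/><TechnicalProfile Id="PolicyProfile">
 <OutputClaims><OutputClaim ClaimTypeReferenceId="email"/>
  <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
  <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress"/>
  <OutputClaim ClaimTypeReferenceId="email"/>
 </OutputClaims></TechnicalProfile></RelyingParty></TrustFrameworkPolicy>"""

def lint_policy(xml_text):
    """Return findings for the RP output claims and the AAD Read TPs of a policy."""
    root = ET.fromstring(xml_text)
    tps = {tp.get("Id"): tp for tp in root.iter(q("TechnicalProfile"))}
    claims = lambda tp: [c.get("ClaimTypeReferenceId") for c in tp.iter(q("OutputClaim"))]
    journey = root.find(".//" + q("UserJourney"))
    # Assumption: the load-time check sees only TPs referenced by orchestration steps, not their validation TPs.
    step_claims = {c for ce in journey.iter(q("ClaimsExchange")) for c in claims(tps[ce.get("TechnicalProfileReferenceId")])}
    rp_claims = claims(root.find(q("RelyingParty") + "/" + q("TechnicalProfile")))
    findings = []
    for claim in dict.fromkeys(rp_claims):  # keeps order, drops repeats
        if rp_claims.count(claim) > 1:
            findings.append(f"duplicate RP output claim '{claim}'")
        if claim not in step_claims:
            findings.append(f"'{claim}' is not an output claim of any step TP in '{journey.get('Id')}'")
    for tid, tp in tps.items():  # the answer's point: PartnerClaimType on a Read TP selects the directory attribute
        if tp.findtext(q("Metadata") + "/" + q("Item") + "[@Key='Operation']") == "Read":
            for c in tp.iter(q("OutputClaim")):
                if c.get("ClaimTypeReferenceId") == "strongAuthenticationEmailAddress" and c.get("PartnerClaimType"):
                    findings.append(f"{tid}: strongAuthenticationEmailAddress maps to attribute '{c.get('PartnerClaimType')}'; drop PartnerClaimType")
    return findings
```

Running lint_policy(SAMPLE_POLICY) reports the duplicate email claim, the two RP claims that only the validation TP emits, and the PartnerClaimType mapping on the Read TP; a real policy is checked by loading the merged base, extension and RP files into one string.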