Fatal编程技术网
  • azure-ad-b2c/
  • Azure ad b2c 无法检索strongAuthenticationEmailAddress

Azure ad b2c 无法检索strongAuthenticationEmailAddress

azure-ad-b2c

Azure ad b2c 无法检索strongAuthenticationEmailAddress,azure-ad-b2c,Azure Ad B2c,我无法存储或检索用于验证pwd重置的验证电子邮件是否与安装时最初输入的相同所需的strongAuthenticationEmailAddress 在注册过程中,我的AAD UserWriteUsingUserId TP包括写入电子邮件地址(注册包括电子邮件验证): 写 真的 我试图稍后在我的AAD UserReadUsingUserId中检索它,该ID在作为pwd重置的一部分调用的验证步骤中调用: <TechnicalProfile Id="AAD-UserReadUs

我无法存储或检索用于验证pwd重置的验证电子邮件是否与安装时最初输入的相同所需的strongAuthenticationEmailAddress

在注册过程中,我的AAD UserWriteUsingUserId TP包括写入电子邮件地址(注册包括电子邮件验证):


写
真的
我试图稍后在我的AAD UserReadUsingUserId中检索它,该ID在作为pwd重置的一部分调用的验证步骤中调用:

        <TechnicalProfile Id="AAD-UserReadUsingUserId">
      <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
        <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signinName" PartnerClaimType="signInNames.userName" Required="true" />
      </InputClaims>
      <OutputClaims>
        <!-- Required claims -->
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
        <!-- Optional claims -->
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="otherMails" />
        <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />          
        <OutputClaim ClaimTypeReferenceId="accountEnabled" />           
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="AssertAccountEnabledIsTrue" />
        <!--OutputClaimsTransformation ReferenceId="AssertEmailAndStrongAuthenticationEmailAddressAreEqual" /-->                        
      </OutputClaimsTransformations>          
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>


阅读
真的
找不到提供的用户ID的帐户。
假的
但是,索赔集合不包括strongAuthenticationEmailAddress,可能是因为它为空。(如果我对比较两个电子邮件地址的断言进行注释,我会在旅程结束时发行的代币中获得集合)。我做错了什么

更新的TPs(从PwdReset的步骤1调用):


使用用户id和地址重置密码
IP地址
api.localaccountpasswordreset
用户身份验证电子邮件和提供的电子邮件地址不匹配。
假的
阅读
真的
找不到提供的用户ID的帐户。
假的
RP(电子邮件和strongAuthenticationEmailAddress都会导致策略加载错误:

  <RelyingParty>
<DefaultUserJourney ReferenceId="PasswordReset" />
<TechnicalProfile Id="PolicyProfile">
  <DisplayName>PolicyProfile</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" />
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />
    <OutputClaim ClaimTypeReferenceId="email" />
  </OutputClaims>
  <SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>


保单简介

AAD UserReadUsingUserId技术配置文件中,您正试图读取用户对象的电子邮件属性(而非strongAuthenticationEmailAddress属性),以进行strongAuthenticationEmailAddress声明

必须删除
OutputClaim
元素的
PartnerClaimType
属性:
谢谢Chris。它仍然不适用于我。有没有办法查看strongAuthenticationEmailAddress是否被保留?我修改了我的PwdRest策略如下:谢谢Chris。它仍然不适用于我。有没有办法查看strongAuthenticationEmailAddress(SAEA)是否被保留是否持久化?我修改了PwdRest策略,将该声明包含在最终的JWT令牌中。该策略使用LocalAccountDiscoveryYusingUserId作为第一步。该TP依次将SEAE作为OutputClaim。它调用的验证TP(AAD UserReadUsingUserId)也包含该输出声明(在任何情况下都没有任何PartnerClaim引用)。现在加载我的PwdRest策略失败,错误为SAEA是输出声明,但在旅程的任何步骤中它都不是输出声明。您好@Marc。您能为上述问题添加不同TPs的最新mods吗?Chris,我在原始问题中添加了这些。 
        <TechnicalProfile Id="LocalAccountDiscoveryUsingUserId">
      <DisplayName>Reset password using user id and address</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
        <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
        <Item Key="UserMessageIfClaimsTransformationStringsAreNotEqual">User authentication email and provided email address do not match.</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <IncludeInSso>false</IncludeInSso>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="signinName" Required="true" />
        <!--OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" /-->
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" />
        <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingUserId" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>

    <TechnicalProfile Id="AAD-UserReadUsingUserId">
      <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
        <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signinName" PartnerClaimType="signInNames.userName" Required="true" />
      </InputClaims>
      <OutputClaims>
        <!-- Required claims -->
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
        <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
        <!-- Optional claims -->
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="otherMails" />
        <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />
        <OutputClaim ClaimTypeReferenceId="accountEnabled" />
        <OutputClaim ClaimTypeReferenceId="email" />            
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="AssertAccountEnabledIsTrue" />
      </OutputClaimsTransformations>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>

  <RelyingParty>
<DefaultUserJourney ReferenceId="PasswordReset" />
<TechnicalProfile Id="PolicyProfile">
  <DisplayName>PolicyProfile</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" />
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />
    <OutputClaim ClaimTypeReferenceId="email" />
  </OutputClaims>
  <SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>