AzureB2C - Client credentials and query parameters in a custom policy

Question (votes: 0, answers: 2)

I am trying to use client credentials (i.e. client_id and client_secret) against a custom policy (for Azure AD B2C) to obtain a custom JWT. I can now do that (see here: OIDC-Connect technical profile only works under a self-asserted validation reference (but it does not need a self-asserted profile)), but I don't know how to pass query parameters that the custom policy will recognise.

This is my custom policy: MyPolicy.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicySchemaVersion="0.3.0.0"
    TenantId="{tenant}.onmicrosoft.com"
    PolicyId="B2C_1A_MyPolicy"
    PublicPolicyUri="http://{tenant}.onmicrosoft.com/B2C_1A_MyPolicy"
    DeploymentMode="Development"
    UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights">

    <BasePolicy>
        <TenantId>{tenant}.onmicrosoft.com</TenantId>
        <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
    </BasePolicy>

    <BuildingBlocks>
        <ClaimsSchema>

            <!-- JWT -->
            <ClaimType Id="value">
                <DataType>string</DataType>
            </ClaimType>

        </ClaimsSchema>
    </BuildingBlocks>

    <ClaimsProviders>
        <ClaimsProvider>
            <DisplayName></DisplayName>
            <TechnicalProfiles>
                <TechnicalProfile Id="SetQueryParams">
                    <DisplayName>Set the BrandId and other query params from the OIDC:ClientId field in the url params</DisplayName>
                    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
                    <Metadata>
                        <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
                    </Metadata>
                    <OutputClaims>
                        <OutputClaim ClaimTypeReferenceId="value" DefaultValue="{OAUTH-KV:value}" AlwaysUseDefaultValue="true" />
                    </OutputClaims>
                    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
                </TechnicalProfile>
            </TechnicalProfiles>
        </ClaimsProvider>
    </ClaimsProviders>

    <UserJourneys>
        <UserJourney Id="MyUserJourney">
            <OrchestrationSteps>
                <OrchestrationStep Order="1" Type="ClaimsExchange">
                    <ClaimsExchanges>
                        <ClaimsExchange Id="SetQueryParamsStep" TechnicalProfileReferenceId="SetQueryParams" />
                    </ClaimsExchanges>
                </OrchestrationStep>

                <!-- Issue JWT -->
                <OrchestrationStep Order="2" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
            </OrchestrationSteps>
        </UserJourney>
    </UserJourneys>

    <RelyingParty>
        <DefaultUserJourney ReferenceId="MyUserJourney" />
        <UserJourneyBehaviors>
            <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="623badc9-900b-44e3-bd44-bf00d97d9d93" DeveloperMode="true" ClientEnabled="true" ServerEnabled="true" TelemetryVersion="1.0.0" />
            <ScriptExecution>Allow</ScriptExecution>
        </UserJourneyBehaviors>
        <TechnicalProfile Id="PolicyProfile">
            <DisplayName>PolicyProfile</DisplayName>
            <Protocol Name="OpenIdConnect" />
            <OutputClaims>
                <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" AlwaysUseDefaultValue="true" DefaultValue="8186c7b3-adca-4c17-b318-939e9d8170b8" />
                <OutputClaim ClaimTypeReferenceId="value" />
            </OutputClaims>
            <SubjectNamingInfo ClaimType="sub" />
        </TechnicalProfile>
    </RelyingParty>
</TrustFrameworkPolicy>

I call it like this:

(x-www-form-urlencoded) https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/B2C_1A_MyPolicy/oauth2/v2.0/token?grant_type=client_credentials&client_id=&client_secret=&scope=https://{tenant}.onmicrosoft.com/api/.default

It runs the custom policy as I expected; it returns a JWT showing the fields I added to it with hard-coded default values (e.g. DefaultValue="8186c7b3-adca-4c17-b318-939e9d8170b8" in the RelyingParty).

It gets more interesting if I change the RelyingParty to have DefaultValue="{OAUTH-KV:value}", as follows:

    <RelyingParty>
        <DefaultUserJourney ReferenceId="MyUserJourney" />
        <UserJourneyBehaviors>
            <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="{Settings:AppInsightsKey}" DeveloperMode="true" ClientEnabled="true" ServerEnabled="true" TelemetryVersion="1.0.0" />
            <ScriptExecution>Allow</ScriptExecution>
        </UserJourneyBehaviors>
        <TechnicalProfile Id="PolicyProfile">
            <DisplayName>PolicyProfile</DisplayName>
            <Protocol Name="OpenIdConnect" />
            <OutputClaims>
                <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" AlwaysUseDefaultValue="true" DefaultValue="8186c7b3-adca-4c17-b318-939e9d8170b8" />
                <OutputClaim ClaimTypeReferenceId="value" DefaultValue="{OAUTH-KV:value}" AlwaysUseDefaultValue="true" />
            </OutputClaims>
            <SubjectNamingInfo ClaimType="sub" />
        </TechnicalProfile>
    </RelyingParty>

It then returns the following:

{
    "error": "invalid_grant",
    "error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: 1c7b50fa-87bb-4588-8ec0-90e8ed3554be\r\nTimestamp: 2022-12-18 22:05:45Z\r\n"
}

I just want to supply client credentials for authentication and supplement them with inputs I have; I think I must be doing something silly, because this looks like it should be fairly straightforward.

Tags: azure-ad-b2c-custom-policy azure-ad-b2c aad-b2c

2 answers
1 vote

The policy in the first half of the question looks fine. Call it with

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/B2C_1A_MyPolicy/oauth2/v2.0/token?grant_type=client_credentials&client_id=&client_secret=<client_secret>&scope=https://{tenant}.onmicrosoft.com/api/.default&value=foo
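As an added example (not code from the question or from either answer), here is the request shape the answer above describes, written in Python: the client-credentials parameters go to the policy's token endpoint, and the extra input that the policy resolves with {OAUTH-KV:value} travels in the query string, where that claim resolver looks. The tenant name, client id and secret are placeholders, and the sample token is constructed so the payload helper can be exercised offline. Two deliberate choices: the secret is sent in the form body rather than the URL so it does not land in proxy or server request logs, and the payload helper decodes without verifying the signature, which is enough for checking that a claim arrived while debugging a policy but not for trusting the token.

```python
"""Added example, not code from the question or the answers.

Builds the client-credentials token request for the B2C custom policy in the
question, carrying the extra input that the policy reads via {OAUTH-KV:value},
and inspects a returned token's payload to confirm the ``value`` claim arrived.
Tenant, policy and credential values are placeholders.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

TENANT = "contoso"             # placeholder for {tenant}
POLICY_ID = "B2C_1A_MyPolicy"  # policy id used in the question


def build_token_request(tenant, policy_id, client_id, client_secret, extra_inputs):
    """Return (url, form_body) for the policy's v2.0 token endpoint.

    extra_inputs: dict of inputs the policy resolves with {OAUTH-KV:<key>}.
    They are appended to the query string, which is where the OAUTH-KV claim
    resolver reads from.  The credentials go in the x-www-form-urlencoded body
    (standard OAuth 2.0 token request) rather than in the URL, so the client
    secret is kept out of access logs.
    """
    endpoint = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
                f"{policy_id}/oauth2/v2.0/token")
    url = endpoint + ("?" + urlencode(extra_inputs) if extra_inputs else "")
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"https://{tenant}.onmicrosoft.com/api/.default",
    })
    return url, body


def query_inputs(url):
    """Mirror of what the OAUTH-KV resolver sees: the query-string key/values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims_unverified(token):
    """Decode only the payload segment, for inspection while debugging a policy.

    The signature is NOT checked.  Anything that trusts the token must validate
    it against the policy's signing keys (the JWKS referenced from the policy's
    OIDC discovery document), plus issuer, audience and expiry.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims):
    """Constructed sample token for the offline demo: well-formed compact
    serialisation with a dummy signature segment.  A real B2C token is signed
    by the policy's key; this one exists only to give read_claims_unverified
    something to parse."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    dummy_sig = base64.urlsafe_b64encode(b"\x00" * 32).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.{dummy_sig}"


if __name__ == "__main__":
    url, body = build_token_request(
        TENANT, POLICY_ID, "<client_id>", "<client_secret>", {"value": "foo"})
    print("POST", url)
    print("Content-Type: application/x-www-form-urlencoded")
    print(body)
    # POST that body to the URL; the JSON response carries "access_token".
    # Offline, a constructed token stands in for the real one:
    token = make_sample_token({"sub": "<objectId placeholder>", "value": "foo"})
    print("value claim:", read_claims_unverified(token)["value"])
```

Note that the question's own call put grant_type, client_id and client_secret in the query string; the token endpoint accepts them in the form body as well, and keeping the secret there is the safer habit, while the policy input (value=foo) has to stay in the query string for {OAUTH-KV:value} to resolve it.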

0 votes

You can pass inputs to your policy using id_token_hint. There is a good article to refer to here: pass-inputs-to-b2c-custom-policy
