I am trying to compare 2 claims (one from the id_token_hint, one from AD B2C). My requirement is to throw an error page when the two do not match and redirect to the login page.
To that end, I added the following steps:
Added a ClaimType (a boolean used for the comparison)
<ClaimType Id="agencyClaimMatch">
<DisplayName>Verify if input Agency and agency in AD B2C match</DisplayName>
<DataType>boolean</DataType>
<UserHelpText>Verify if input Agency and agency in AD B2C match</UserHelpText>
</ClaimType>
Created a ClaimsTransformation (based on the post) to compare the 2 claims (extension_agency from AD B2C and agency, the input claim from the id_token_hint)
<ClaimsTransformation Id="checkSameAgency" TransformationMethod="CompareClaims">
<InputClaims>
<InputClaim ClaimTypeReferenceId="extension_agency" TransformationClaimType="inputClaim1"/>
<InputClaim ClaimTypeReferenceId="agency" TransformationClaimType="inputClaim2"/>
</InputClaims>
<InputParameters>
<InputParameter Id="operator" DataType="string" Value="EQUAL"/>
<InputParameter Id="ignoreCase" DataType="string" Value="true"/>
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="agencyClaimMatch" TransformationClaimType="outputClaim"/>
</OutputClaims>
</ClaimsTransformation>
3. Added a technical profile to invoke the transformation (I expect the agencyClaimMatch boolean to get a true or false value from the transformation; if it is false, i.e. both do not match, an error page needs to be thrown, otherwise access is allowed)
<TechnicalProfile Id="CheckAgencyMatch">
<DisplayName>Check Agency Match</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="agency" Required="true" />
<InputClaim ClaimTypeReferenceId="extension_agency" Required="true" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="agency"/>
<OutputClaim ClaimTypeReferenceId="extension_agency" />
<OutputClaim ClaimTypeReferenceId="agencyClaimMatch"/>
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="checkSameAgency"/>
</OutputClaimsTransformations>
</TechnicalProfile>
In the UserJourney, I added a ClaimsExchange to obtain the value of checkSameAgency.
<!--Verify claims match and get the boolean value-->
<OrchestrationStep Order="6" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="CheckAgencyMatch" TechnicalProfileReferenceId="CheckAgencyMatch"/>
</ClaimsExchanges>
</OrchestrationStep>
If the boolean output checkSameAgency is not "True", i.e. the two agencies do not match, throw an error; otherwise move to the next step to issue the jwt token.
<!-- Check if agencyID Match-->
<OrchestrationStep Order="7" Type="ClaimsExchange">
<Preconditions>
<!-- Skip the error step only when agencyClaimMatch exists and equals True.
     ExecuteActionsIf="true" is required here: with "false" the step would be skipped
     precisely when the agencies do NOT match (or the claim is missing), i.e. fail open. -->
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>agencyClaimMatch</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="SelfAssertedAgencyNotMatched" TechnicalProfileReferenceId="SelfAssertedAgencyNotMatched" />
</ClaimsExchanges>
</OrchestrationStep>
But I get the error "The page cannot be displayed because an internal server error has occurred." regardless of whether the agencies match or not.
<TechnicalProfile Id="CheckAgencyMatch">
<DisplayName>Check Agency Match</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
SelfAssertedAttributeProvider is only for displaying a screen, but you are only comparing claims. It should be
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
Refer to this.
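As an added example (not code from the question or the answer), the CheckAgencyMatch technical profile rewritten with the ClaimsTransformationProtocolProvider handler the answer recommends, plus the two orchestration steps that gate the error page on its result. Claim type Ids, the checkSameAgency transformation and the SelfAssertedAgencyNotMatched profile are taken from the question; the orchestration Order values and the surrounding ClaimsProvider wrapper are assumptions about where this sits in the policy.

```xml
<!-- Added example, not from the original post. Assumes agency (from the id_token_hint)
     and extension_agency (read from AD B2C) are already in the claims bag, and that the
     SelfAssertedAgencyNotMatched profile and the checkSameAgency transformation exist. -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Agency check</DisplayName>
    <TechnicalProfiles>
      <!-- No UI here: a claims-transformation profile runs CompareClaims and emits the
           boolean, so the SelfAssertedAttributeProvider metadata and Required inputs go away. -->
      <TechnicalProfile Id="CheckAgencyMatch">
        <DisplayName>Check Agency Match</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <IncludeInSso>false</IncludeInSso>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="agencyClaimMatch" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="checkSameAgency" />
        </OutputClaimsTransformations>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

<!-- In the UserJourney (Order values assumed): run the comparison, then show the error
     page unless the result claim exists and is True. -->
<OrchestrationStep Order="6" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="CheckAgencyMatch" TechnicalProfileReferenceId="CheckAgencyMatch" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <Preconditions>
    <!-- ClaimEquals is only true when the claim exists AND equals the value, so a missing
         agencyClaimMatch (transformation never ran) still lands on the error page: fail closed. -->
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>agencyClaimMatch</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SelfAssertedAgencyNotMatched" TechnicalProfileReferenceId="SelfAssertedAgencyNotMatched" />
  </ClaimsExchanges>
</OrchestrationStep>
```

Two things to check when wiring this in: the direction of the precondition (skip the error step only when the match is True, so ExecuteActionsIf must be "true"), and that the comparison is reached on every path through the journey, since the whole point is to reject an id_token_hint whose agency does not match the directory record. CompareClaims with ignoreCase set to "true" treats "Agency1" and "agency1" as equal; drop that parameter if agency identifiers are case-significant in your directory.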