Preface
Continuing the series of articles on working with Azure B2C. In this article I will cover the hardest and least obvious part: the Identity Experience Framework. The main goal is to put together a picture for those who have no prior knowledge of it and help them build some basic functionality. Link to the related article: Basic setup
Before starting the basic setup, I want to show how uploading a new policy works:
- Go to Identity Experience Framework
- Click Upload custom policy
- Select a file (don't forget to tick "Overwrite the custom policy if it already exists")
- Upload
Nothing has really changed since last time, but: if you change TrustFrameworkExtensions.xml or TrustFrameworkBase.xml, re-upload every file that references them.
Sometimes you change one of these files, test it, and your change does not show up. This happens because
you changed something in the base file such that the child file now fails validation.
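To make the upload rule above concrete, here is an added example (my own code, not from the article): it reads the BasePolicy/PolicyId links of a set of policy files, lists which files must be re-uploaded after one of them changes, and checks that every *ReferenceId a file uses is defined somewhere in its inheritance chain, which is exactly the check that fails at upload when an object was removed from a base file. The three policies are constructed, stripped-down stand-ins for the real files.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/online/cpim/schemas/2013/06}"

# Constructed, stripped-down stand-ins for the three files (assumption: the real
# ones use the same BasePolicy/PolicyId chain and Id / *ReferenceId attributes).
POLICIES = {
    "B2C_1A_TrustFrameworkBase": """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
      PolicyId="B2C_1A_TrustFrameworkBase"><BuildingBlocks><ClaimsSchema>
      <ClaimType Id="email"/><ClaimType Id="objectId"/></ClaimsSchema></BuildingBlocks>
      <ClaimsProviders><ClaimsProvider><TechnicalProfiles><TechnicalProfile Id="JwtIssuer"/>
      </TechnicalProfiles></ClaimsProvider></ClaimsProviders></TrustFrameworkPolicy>""",
    "B2C_1A_TrustFrameworkExtensions": """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
      PolicyId="B2C_1A_TrustFrameworkExtensions"><BasePolicy><PolicyId>B2C_1A_TrustFrameworkBase</PolicyId></BasePolicy>
      <BuildingBlocks><ClaimsSchema><ClaimType Id="country"/></ClaimsSchema></BuildingBlocks>
      <UserJourneys><UserJourney Id="SignUp"><OrchestrationSteps><OrchestrationStep Order="1"
      Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/></OrchestrationSteps>
      </UserJourney></UserJourneys></TrustFrameworkPolicy>""",
    "B2C_1A_signup_signin": """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
      PolicyId="B2C_1A_signup_signin"><BasePolicy><PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId></BasePolicy>
      <RelyingParty><DefaultUserJourney ReferenceId="SignUp"/><TechnicalProfile Id="PolicyProfile">
      <OutputClaims><OutputClaim ClaimTypeReferenceId="country"/><OutputClaim ClaimTypeReferenceId="picture"/>
      </OutputClaims></TechnicalProfile></RelyingParty></TrustFrameworkPolicy>""",
}
TREES = {pid: ET.fromstring(xml) for pid, xml in POLICIES.items()}

def chain(policy_id):
    """Inheritance chain root-first, e.g. [Base, Extensions, signup_signin]."""
    order = []
    while policy_id:
        order.append(policy_id)
        base = TREES[policy_id].find(f"{NS}BasePolicy/{NS}PolicyId")
        policy_id = base.text if base is not None else None
    return order[::-1]

def defined_ids(policy_id):
    """Every Id declared in one file (ClaimType, TechnicalProfile, UserJourney, ...)."""
    return {el.get("Id") for el in TREES[policy_id].iter() if el.get("Id")}

def unresolved_references(policy_id):
    """*ReferenceId values in the file that no file in its chain defines (upload would fail)."""
    known = set().union(*(defined_ids(p) for p in chain(policy_id)))
    refs = {v for el in TREES[policy_id].iter()
            for k, v in el.attrib.items() if k.endswith("ReferenceId")}
    return sorted(refs - known)

def reupload_after_change(policy_id):
    """Files to upload again, parent first, once policy_id changed: it and every descendant."""
    return sorted((p for p in TREES if policy_id in chain(p)), key=lambda p: len(chain(p)))
```

In the sample, the relying-party file references a `picture` claim that no file in its chain declares, which is the kind of error that surfaces only when that file is (re-)uploaded.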
In the previous article we covered adding the following files:
a. TrustFrameworkBase.xml
b. TrustFrameworkExtensions.xml
c. SignUpOrSignin.xml
d. ProfileEdit.xml
e. PasswordReset.xml
Now I want to go through each of them in detail.
TrustFrameworkBase.xml
This file contains the base settings. It is really the foundation of the foundation, and the tutorials mostly say "better not to touch this file". That is true up to a point, but a few things go unmentioned:
- Whenever a tutorial tells you to change TrustFrameworkExtensions.xml, it is essentially overriding rules from TrustFrameworkBase.xml.
- In some cases it is simply more convenient to change something directly in TrustFrameworkBase.xml.
- If you find, in any other file, a reference to an object that is not defined in those files, it is 100% in TrustFrameworkBase.xml: open it and have a look.
In my experience I have changed only two things in this file (localization, and I removed one field).
TrustFrameworkExtensions.xml
You will spend most of your time with this file. It is effectively the main settings file, and the tutorials mention it all the time.
SignUpOrSignin.xml, ProfileEdit.xml, PasswordReset.xml
These files are the leaf pages. You may want to add your own. They change the least.
Now let's talk about file structure. All the files share a similar structure, so I will describe it using TrustFrameworkExtensions.xml. The file is divided into several main blocks:
<TrustFrameworkPolicy>
  <BasePolicy>
    <TenantId>customtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
  </BuildingBlocks>
  <ClaimsProviders>
  </ClaimsProviders>
  <UserJourneys>
  </UserJourneys>
</TrustFrameworkPolicy>
Now each block in turn.
BuildingBlocks
In this block we add the "tools" that are used later in the policy.
ClaimsSchema
The ClaimsSchema element defines the claim types that can be referenced as part of the policy.
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="picture">
      <DisplayName>Picture</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
    <ClaimType Id="country">
      <DisplayName>Country</DisplayName>
      <DataType>string</DataType>
      <UserInputType>DropdownSingleSelect</UserInputType>
      <Restriction>
        <Enumeration Text="Russia" Value="russia" SelectByDefault="false" />
        <Enumeration Text="Other" Value="other" SelectByDefault="false" />
      </Restriction>
    </ClaimType>
    ...
  </ClaimsSchema>
Predicates
The Predicates and PredicateValidations elements let you validate input so that only well-formed data is entered into Azure Active Directory B2C (Azure AD B2C).
  <Predicates>
    <Predicate Id="LengthRange" Method="IsLengthRange">
      <UserHelpText>The password must be between 6 and 64 characters.</UserHelpText>
      <Parameters>
        <Parameter Id="Minimum">6</Parameter>
        <Parameter Id="Maximum">64</Parameter>
      </Parameters>
    </Predicate>
    <Predicate Id="Lowercase" Method="IncludesCharacters">
      <UserHelpText>a lowercase letter</UserHelpText>
      <Parameters>
        <Parameter Id="CharacterSet">a-z</Parameter>
      </Parameters>
    </Predicate>
    ...
  </Predicates>
PredicateValidations
A Predicate defines the method used to check a claim type; PredicateValidations groups a set of predicates into a user-input check that is matched to a claim type.
  <PredicateValidations>
    <PredicateValidation Id="CustomPassword">
      <PredicateGroups>
        <PredicateGroup Id="LengthGroup">
          <PredicateReferences MatchAtLeast="1">
            <PredicateReference Id="LengthRange" />
          </PredicateReferences>
        </PredicateGroup>
        <PredicateGroup Id="CharacterClasses">
          <UserHelpText>The password must have at least 1 of the following:</UserHelpText>
          <PredicateReferences MatchAtLeast="2">
            <PredicateReference Id="Lowercase" />
            <PredicateReference Id="Uppercase" />
            ...
          </PredicateReferences>
        </PredicateGroup>
      </PredicateGroups>
    </PredicateValidation>
  </PredicateValidations>
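As an added example (my code, not the article's), the following evaluates a candidate password against such a PredicateValidation, mirroring the IsLengthRange and IncludesCharacters methods and the MatchAtLeast grouping, and returns the help texts a user would be shown. The Uppercase and Number predicates are assumed completions of the elided "..." entries, the group help text is made to agree with MatchAtLeast="2", and treating a missing MatchAtLeast as "all must match" is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the article's block; Uppercase and Number stand in
# for its "..." elisions, and the group help text is aligned with MatchAtLeast="2".
POLICY_XML = """<BuildingBlocks><Predicates>
  <Predicate Id="LengthRange" Method="IsLengthRange"><UserHelpText>The password must be between 6 and 64 characters.</UserHelpText>
    <Parameters><Parameter Id="Minimum">6</Parameter><Parameter Id="Maximum">64</Parameter></Parameters></Predicate>
  <Predicate Id="Lowercase" Method="IncludesCharacters"><UserHelpText>a lowercase letter</UserHelpText>
    <Parameters><Parameter Id="CharacterSet">a-z</Parameter></Parameters></Predicate>
  <Predicate Id="Uppercase" Method="IncludesCharacters"><UserHelpText>an uppercase letter</UserHelpText>
    <Parameters><Parameter Id="CharacterSet">A-Z</Parameter></Parameters></Predicate>
  <Predicate Id="Number" Method="IncludesCharacters"><UserHelpText>a digit</UserHelpText>
    <Parameters><Parameter Id="CharacterSet">0-9</Parameter></Parameters></Predicate>
</Predicates><PredicateValidations><PredicateValidation Id="CustomPassword"><PredicateGroups>
  <PredicateGroup Id="LengthGroup"><PredicateReferences MatchAtLeast="1">
    <PredicateReference Id="LengthRange"/></PredicateReferences></PredicateGroup>
  <PredicateGroup Id="CharacterClasses">
    <UserHelpText>The password must have at least 2 of the following:</UserHelpText>
    <PredicateReferences MatchAtLeast="2"><PredicateReference Id="Lowercase"/>
      <PredicateReference Id="Uppercase"/><PredicateReference Id="Number"/></PredicateReferences>
  </PredicateGroup>
</PredicateGroups></PredicateValidation></PredicateValidations></BuildingBlocks>"""
ROOT = ET.fromstring(POLICY_XML)

def predicate_holds(pred, value):
    """Evaluate one Predicate element with the two built-in methods the article uses."""
    params = {p.get("Id"): p.text for p in pred.iter("Parameter")}
    method = pred.get("Method")
    if method == "IsLengthRange":
        return int(params["Minimum"]) <= len(value) <= int(params["Maximum"])
    if method == "IncludesCharacters":  # CharacterSet uses regex character-class syntax, e.g. a-z
        return re.search(f"[{params['CharacterSet']}]", value) is not None
    raise ValueError(f"unsupported predicate method {method}")

def validate(validation_id, value, root=ROOT):
    """Return the help text of every group the value fails; an empty list means it passes."""
    preds = {p.get("Id"): p for p in root.iter("Predicate")}
    validation = next(v for v in root.iter("PredicateValidation") if v.get("Id") == validation_id)
    failures = []
    for group in validation.iter("PredicateGroup"):
        refs = group.find("PredicateReferences")
        need = int(refs.get("MatchAtLeast", len(refs)))  # assumption: absent means all must match
        results = {r.get("Id"): predicate_holds(preds[r.get("Id")], value) for r in refs}
        if sum(results.values()) < need:
            missing = "; ".join(preds[i].findtext("UserHelpText") for i, ok in results.items() if not ok)
            failures.append(f"{group.findtext('UserHelpText', '')} {missing}".strip())
    return failures
```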
ClaimsTransformations
The ClaimsTransformations element contains a list of claims transformation functions that can be used in user journeys as part of a custom policy.
  <ClaimsTransformations>
    <ClaimsTransformation Id="GenerateSendGridRequestBody" TransformationMethod="GenerateJson">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="personalizations.0.to.0.email" />
        <InputClaim ClaimTypeReferenceId="otp" TransformationClaimType="personalizations.0.dynamic_template_data.otp" />
        <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="personalizations.0.dynamic_template_data.email" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="template_id" DataType="string" Value="d-b0000000000000000000000000000000" />
        <InputParameter Id="from.email" DataType="string" Value="custom@email.com" />
        <InputParameter Id="personalizations.0.dynamic_template_data.subject" DataType="string" Value="Welcome to Habr!"/>
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="sendGridReqBody" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
    ...
  </ClaimsTransformations>
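To show what GenerateJson actually produces from those dotted TransformationClaimType paths, here is an added example (not the article's code) that builds the SendGrid request body: a name segment becomes an object key and a numeric segment becomes an array index, so personalizations.0.to.0.email yields personalizations[0].to[0].email. The claim values are constructed; the policy would place the serialized result in the sendGridReqBody output claim.

```python
import xml.etree.ElementTree as ET

# The article's transformation, reproduced as a constructed sample (the template id
# and sender address are the article's own placeholders).
TRANSFORM = ET.fromstring("""<ClaimsTransformation Id="GenerateSendGridRequestBody" TransformationMethod="GenerateJson">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="personalizations.0.to.0.email"/>
    <InputClaim ClaimTypeReferenceId="otp" TransformationClaimType="personalizations.0.dynamic_template_data.otp"/>
    <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="personalizations.0.dynamic_template_data.email"/>
  </InputClaims>
  <InputParameters>
    <InputParameter Id="template_id" DataType="string" Value="d-b0000000000000000000000000000000"/>
    <InputParameter Id="from.email" DataType="string" Value="custom@email.com"/>
    <InputParameter Id="personalizations.0.dynamic_template_data.subject" DataType="string" Value="Welcome to Habr!"/>
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="sendGridReqBody" TransformationClaimType="outputClaim"/>
  </OutputClaims>
</ClaimsTransformation>""")

def set_path(doc, dotted, value):
    """Write value at a dotted path; a numeric segment addresses an array index."""
    parts = dotted.split(".")
    node = doc
    for i, part in enumerate(parts):
        last = i == len(parts) - 1
        new = value if last else ([] if parts[i + 1].isdigit() else {})
        if isinstance(node, list):
            idx = int(part)
            node.extend([None] * (idx + 1 - len(node)))  # grow the array up to idx
            if node[idx] is None or last:
                node[idx] = new
            node = node[idx]
        else:
            if last or part not in node:
                node[part] = new
            node = node[part]
    return doc

def generate_json(transform, claims):
    """Build the body: claim values first, then the literal InputParameters."""
    doc = {}
    for c in transform.iter("InputClaim"):
        set_path(doc, c.get("TransformationClaimType"), claims[c.get("ClaimTypeReferenceId")])
    for p in transform.iter("InputParameter"):  # only string parameters here, as in the article
        set_path(doc, p.get("Id"), p.get("Value"))
    return doc
```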
ContentDefinitions
ContentDefinitions let you define a page template for each page.
  <ContentDefinitions>
    <ContentDefinition Id="api.signuporsignin">
      <LoadUri>https://azure.blob.core.windows.net/yourblobstorage/pagelayoutfile.html</LoadUri>
      <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
      <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:1.2.0</DataUri>
    </ContentDefinition>
    ...
  </ContentDefinitions>
DisplayControls
A display control is a user interface element with special functionality that interacts with the Azure Active Directory B2C (Azure AD B2C) back-end service.
  <DisplayControls>
    <DisplayControl Id="emailVerificationControl" UserInterfaceControlType="VerificationControl">
      <DisplayClaims>
        <DisplayClaim ClaimTypeReferenceId="email" Required="true" />
        <DisplayClaim ClaimTypeReferenceId="verificationCode" ControlClaimType="VerificationCode" Required="true" />
      </DisplayClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" />
      </OutputClaims>
      <Actions>
        <Action Id="SendCode">
          <ValidationClaimsExchange>
            <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="GenerateOtp" />
            <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="SendGrid" />
          </ValidationClaimsExchange>
        </Action>
        ...
      </Actions>
    </DisplayControl>
    ...
  </DisplayControls>
</BuildingBlocks>
ClaimsProviders
In this block we create the pages themselves, or rather their contents: here we specify what input and output data a page has.
ClaimsProvider
A ClaimsProvider links technical profiles to a claims provider.
TechnicalProfiles
The TechnicalProfiles element contains the set of technical profiles supported by the claims provider.
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Self Asserted</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="SelfAsserted-Social">
        <DisplayName>User ID signup</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
          <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
        </Metadata>
        <CryptographicKeys>
          <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        </CryptographicKeys>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="givenName" />
          <InputClaim ClaimTypeReferenceId="surname" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" />
          <OutputClaim ClaimTypeReferenceId="newUser" />
          <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
          <OutputClaim ClaimTypeReferenceId="givenName" Required="true"/>
          <OutputClaim ClaimTypeReferenceId="surname" Required="true"/>
          <OutputClaim ClaimTypeReferenceId="country" Required="true"/>
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
An example of adding the Facebook identity provider. In TrustFrameworkExtensions.xml only the tenant-specific part of the Facebook-OAUTH technical profile is given; because it carries the same Id, it overrides the profile of that name in TrustFrameworkBase.xml:
  <ClaimsProvider>
    <DisplayName>Facebook</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="Facebook-OAUTH">
        <Metadata>
          <Item Key="client_id">FACEBOOK_ID</Item>
          <Item Key="scope">email public_profile</Item>
          <Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email,picture</Item>
        </Metadata>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="picture" PartnerClaimType="picture" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
For comparison, the full definition it overrides, as found in TrustFrameworkBase.xml:
<ClaimsProvider>
  <Domain>facebook.com</Domain>
  <DisplayName>Facebook</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Facebook-OAUTH">
      <DisplayName>Facebook</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="ProviderName">facebook</Item>
        <Item Key="authorization_endpoint">https://www.facebook.com/dialog/oauth</Item>
        <Item Key="AccessTokenEndpoint">https://graph.facebook.com/oauth/access_token</Item>
        <Item Key="HttpBinding">GET</Item>
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <Item Key="AccessTokenResponseFormat">json</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_FacebookSecret" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="first_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="facebook.com" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
UserJourneys
UserJourneys define the explicit paths through which the policy lets a relying-party application obtain the claims it needs for a user. Below I have added something simple; the rest is easy to find in the tutorials I will add below.
<UserJourneys>
  <UserJourney Id="SignUp">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="ClaimsExchange" ContentDefinitionReferenceId="api.localaccountsignup">
        <ClaimsExchanges>
          <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail-2" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="2" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>
  <UserJourney Id="PasswordReset">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>
  ...
</UserJourneys>
An example of an orchestration step's ClaimsProviderSelections and ClaimsExchanges:
<ClaimsProviderSelections>
  <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange" />
  <ClaimsProviderSelection TargetClaimsExchangeId="GoogleExchange" />
  <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
</ClaimsProviderSelections>
<ClaimsExchanges>
  <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
</ClaimsExchanges>
Typical tasks
Thanks to the above, the following tutorials will be easier to follow.
SignUpOrSignin.xml, ProfileEdit.xml, PasswordReset.xml
These are the final (relying-party) files, in which you can override or add BuildingBlocks and where we specify the data to be added to the token.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="antekesd.onmicrosoft.com" PolicyId="B2C_1A_signup_signin" PublicPolicyUri="http://antekesd.onmicrosoft.com/B2C_1A_signup_signin">
  <BasePolicy>
    <TenantId>antekesd.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
    <ContentDefinitions>
      <ContentDefinition Id="api.signuporsignin">
        <LoadUri>https://some.blob.core.windows.net/some/some.html</LoadUri>
        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:1.2.0</DataUri>
      </ContentDefinition>
    </ContentDefinitions>
  </BuildingBlocks>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email"/>
        <OutputClaim ClaimTypeReferenceId="givenName" Required="true"/>
        <OutputClaim ClaimTypeReferenceId="surname" Required="true"/>
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" />
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
        <OutputClaim ClaimTypeReferenceId="picture" />
        <OutputClaim ClaimTypeReferenceId="country" Required="true"/>
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
Testing
To test the latest changes you need to:
- Go to Identity Experience Framework
- Select the policy to test
- Click "Run now"

Conclusion
As a result, you get an authorization form that fully (or almost fully) meets your or your customer's requirements. Thank you for your attention!