Azure AD B2C change email and update session

Question

I've written an AAD B2C custom policy which allows the user to update their sign-in email.
There are examples of how to do this on GitHub (e.g. https://github.com/azure-ad-b2c/samples/tree/master/policies/change-sign-in-name).
The policy works fine, but there is a problem. After the sign-in email has been changed and the user is returned to the application with updated "email" and "signInName" claims in the JWT, the AAD B2C session, for some reason, still holds the old sign-in email as the value of the "signInName" claim. I've tested this by using jwt.ms as a test application to see the contents of the JWT.

First I changed the sign-in email by running the change email custom policy.

JWT returned by the change email policy:

{
  "alg": "RS256",
  "kid": "...",
  "typ": "JWT"
}.{
  "ver": "1.0",
  "iss": ".../v2.0/",
  "sub": "...",
  "aud": "...",
  "exp": 1684332014,
  "acr": "b2c_1a_change-email",
  "nonce": "defaultNonce",
  "iat": 1684328414,
  "auth_time": 1684328414,
  "email": "newSignInName@email.com",
  "signInName": "newSignInName@email.com",
  "tid": "...",
  "nbf": 1684328414
}.[Signature]

Then I ran the sign-up/sign-in policy having a signed-in active session (the token is displayed immediately).

JWT returned by the sign-up/sign-in policy after SSO:

{
  "alg": "RS256",
  "kid": "...",
  "typ": "JWT"
}.{
  "ver": "1.0",
  "iss": ".../v2.0/",
  "sub": "...",
  "aud": "...",
  "exp": 1684332014,
  "acr": "b2c_1a_signup-signin-sspr",
  "nonce": "defaultNonce",
  "iat": 1684328414,
  "auth_time": 1684328414,
  "signInName": "oldSignInName@email.com",
  "tid": "...",
  "nbf": 1684328414
}.[Signature]

As you can see, I have also returned the "signInName" claim at the end of the change email policy to make sure that it had been updated, however this doesn't get reflected in the session.
This leads to strange behaviour if the user calls another custom policy from the same session after having changed the sign-in email. For example, any CIAM journey that would require an email verification would fail, because the old email would be used instead of the new.

I would like to know whether it's possible to update the session after having modified the sign-in email. This problem goes away if the user signs out and signs back in again with the new email address.
I hope this makes sense.

Answer 1

Score: 1

Based on documentation:

"Claims that are part of the session cookie can’t be updated."

So, you just cannot update signInName because it is part of the session.
I suppose you should sign out a user after he changes an email.
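
An application-side way to act on the sign-out suggestion above, as an added example that is not part of the original question or answer: it flags a token issued by the change-email policy, detects a later token whose "signInName" is older than the one the app last recorded, and builds the B2C sign-out URL. The tenant name `contoso`, the `sub` value, the redirect URI and all function names are assumptions; the sample tokens are constructed from the claims shown in the question.

```javascript
// Added example, not from the original post. Assumes each ID token was already
// signature-validated by the app's OIDC library; this code only reads claims.
const CHANGE_EMAIL_POLICY = 'b2c_1a_change-email'; // "acr" value shown in the question

// Decode the payload segment of a compact JWT (no verification here).
function readClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// lastKnown: { sub, signInName } the app stored from its newest token, or null.
function evaluateToken(claims, lastKnown) {
  if (lastKnown && claims.sub !== lastKnown.sub) return 'different-user';
  // Email was just changed: the SSO session still holds the old signInName.
  if (String(claims.acr).toLowerCase() === CHANGE_EMAIL_POLICY) return 'sign-out';
  const seen = (claims.signInName || '').toLowerCase();
  if (lastKnown && seen && seen !== lastKnown.signInName.toLowerCase()) {
    return 'stale-session';
  }
  return 'ok';
}

// B2C sign-out endpoint; tenant and redirect URI are placeholders.
function buildSignOutUrl({ tenant, policy, postLogoutRedirectUri }) {
  const url = new URL(
    `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/${policy}/oauth2/v2.0/logout`);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  return url.toString();
}

// Constructed sample: unsigned tokens carrying the claims from the question.
function sampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.c2ln`;
}

function demo() {
  const changed = readClaims(sampleJwt({ sub: 'user-1',
    acr: 'b2c_1a_change-email', signInName: 'newSignInName@email.com' }));
  const viaSso = readClaims(sampleJwt({ sub: 'user-1',
    acr: 'b2c_1a_signup-signin-sspr', signInName: 'oldSignInName@email.com' }));
  const lastKnown = { sub: changed.sub, signInName: changed.signInName };
  return {
    onChange: evaluateToken(changed, null),
    onSso: evaluateToken(viaSso, lastKnown),
    url: buildSignOutUrl({ tenant: 'contoso', policy: 'b2c_1a_signup-signin-sspr',
      postLogoutRedirectUri: 'https://app.example/signed-out' }),
  };
}
```

Redirecting the browser to the returned URL on either `sign-out` or `stale-session` ends the B2C session, so the next sign-in creates a session with the new sign-in name.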

huangapple
  • Published on May 17, 2023 at 21:37:19
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76272735.html