How can Azure AD B2C users invited via the Graph API sign up after accepting the invite?


Question

I am setting up Azure Active Directory B2C for my new application. According to the requirements, I need to send an invite for the users to sign up and only the invited users should be able to sign up. There doesn't seem to be an easy way to do this.

Currently, I send an invite to the user with Azure Graph SDK[1]. This actually creates the user in the AD and sends an email with the invitation redeem URL to the user. Once the user clicks that, the invitation is redeemed and the user is sent to a redirect URL.

But the invitation is redeemed via an OTP, and the user does not get prompted to actually sign up. It looks like I have to redirect them to the public sign-up page again to sign up, which does not make any sense.

My requirement is for the (only) invited user to get directed to the sign-up page and complete the registration, which does not happen. How can I achieve this, and what is the point of accepting the invite and redeeming the invitation if it does not sign the user up? It would be important if we could do this without a custom policy, because this is a trivial use case.

Additional question: Once the invitation is redeemed, there doesn't seem to be a way to let my app know the invitation is redeemed. I was assuming the redirect URI would have some parameters that I can use to identify the user, which I can use to update my app. But it doesn't seem to have any parameters as well.

[1] https://learn.microsoft.com/en-us/graph/api/invitation-post


Answer 1

Score: 1

Short answer: you can't use the invitation API for B2C users.

Long answer:

The invitation API creates a B2B user, not a B2C user.
Since Azure AD B2C tenants are also Azure AD tenants, it has this feature.
It is meant to be used to invite administrators into the tenant so they can manage users etc.
But if you need a user that can sign in to your apps with B2C user flows/custom policies, you can't use the invitation API.

You'll need to customize the B2C flows to validate an invitation code (in the URL) and only then accept the sign-up.
You can also use a signed JWT to input claims into a custom policy.
You also need to send the email yourself.

I've only implemented something like this with custom policies, so I'm not sure if it'd be possible with regular user flows.

Example using B2C custom policies: https://github.com/azure-ad-b2c/samples/tree/master/policies/invite-via-email
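Added example (not code from the answer or from the linked sample): a stdlib-only Python sketch of the "signed JWT carrying invitation claims" approach the answer describes, minting a short-lived token bound to one email address and verifying signature, issuer, audience and expiry before a sign-up is accepted. Assumptions: the issuer, audience, key and authorize URL are constructed placeholders, and the real B2C sample validates an RS256 `id_token_hint` against a published metadata/JWKS endpoint, for which this HS256 version only stands in.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional
from urllib.parse import urlencode

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_invite_token(email: str, signing_key: bytes, issuer: str, audience: str,
                      ttl_seconds: int = 24 * 3600, now: Optional[int] = None) -> str:
    """Issue a short-lived, single-purpose invitation JWT (HS256 here; RS256 in real B2C use)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl_seconds,
              "jti": secrets.token_urlsafe(16),   # unique id so the app can track/revoke one invite
              "email": email.strip().lower()}     # the claim the custom policy reads as the invited address
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(signing_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_invite_token(token: str, signing_key: bytes, issuer: str, audience: str,
                        now: Optional[int] = None) -> dict:
    """Check alg, signature, issuer, audience and expiry; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the token's own choice
        raise ValueError("unexpected alg")
    expected = hmac.new(signing_key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("invite expired")
    if not claims.get("email"):
        raise ValueError("missing email claim")
    return claims

def build_invite_link(authorize_url: str, token: str) -> str:
    """Attach the token as id_token_hint, the parameter a B2C custom policy reads input claims from."""
    sep = "&" if "?" in authorize_url else "?"
    return authorize_url + sep + urlencode({"id_token_hint": token})
```

The application sends `build_invite_link(...)` in its own email, and the policy (or, in a custom REST step, `verify_invite_token`) rejects any sign-up whose token fails these checks or whose entered address differs from the `email` claim.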


huangapple
  • Published on May 22, 2023 at 21:22:26
  • Please keep this link when reposting: https://go.coder-hub.com/76306656.html