ADB2C policies fails on ValidationTechnicalProfile
Question
I am facing an issue in my ValidationTechnicalProfile:
  <ValidationTechnicalProfile ReferenceId="REST-acquireaccesstoken"/>
If I remove this from ValidationTechnicalProfiles, login works, but with this ValidationTechnicalProfile it fails with:
  "Key": "Exception",
  "Value": {
    "Kind": "Handled",
    "HResult": "80131500",
    "Message": "Invalid username or password.",
    "Data": {
      "IsPolicySpecificError": false
    }
  }
This same technical profile works fine if I call it in an OrchestrationStep. The AppInsights logs are no help either; all I see is the above error. Here is the TechnicalProfile:
<TechnicalProfile Id="REST-AcquireAccessToken">
  <DisplayName></DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://login.microsoftonline.com/xxxxxxxxxx/oauth2/v2.0/token</Item>
    <Item Key="AuthenticationType">Basic</Item>
    <Item Key="SendClaimsIn">Form</Item>
    <Item Key="AllowInsecureAuthInProduction">true</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_ClientId" />
    <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_Secret" />
  </CryptographicKeys>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" />
    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="api://xxxxxxxx/.default" AlwaysUseDefaultValue="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
Please help
Answer 1
Score: 0
The grant_type and scope claims are used in both the REST-AcquireAccessToken and login-NonInteractive technical profiles. I believe the values that you used in the REST-AcquireAccessToken technical profile are overriding the default values in login-NonInteractive.
Use claims with different names, along with the proper PartnerClaimType, in the REST-AcquireAccessToken technical profile.
Example:
<!-- ClaimsSchema -->
<ClaimType Id="IntApigrant_type">
  <DisplayName>Grant type</DisplayName>
  <DataType>string</DataType>
</ClaimType>
<ClaimType Id="IntApiscope">
  <DisplayName>scope</DisplayName>
  <DataType>string</DataType>
</ClaimType>
<!-- REST-AcquireAccessToken -->
<InputClaims>
  <InputClaim ClaimTypeReferenceId="IntApigrant_type" PartnerClaimType="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" />
  <InputClaim ClaimTypeReferenceId="IntApiscope" PartnerClaimType="scope" DefaultValue="{Settings:IntermediateApiScope}" AlwaysUseDefaultValue="true" />
</InputClaims>
Or you can put AlwaysUseDefaultValue="true" in login-NonInteractive for those two claims.