ADB2C policy fails on ValidationTechnicalProfile

Question

I am facing an issue in my ValidationTechnicalProfile:

<ValidationTechnicalProfile ReferenceId="REST-acquireaccesstoken"/>

If I remove this from ValidationTechnicalProfiles, login works, but with this ValidationTechnicalProfile it fails with:

"Key": "Exception",
"Value": {
  "Kind": "Handled",
  "HResult": "80131500",
  "Message": "Invalid username or password.",
  "Data": {
    "IsPolicySpecificError": false
  }
}

This same technical profile works fine if I call it in an OrchestrationStep. The Application Insights logs are no help either; all I see is the above error. Here is the TechnicalProfile:

<TechnicalProfile Id="REST-AcquireAccessToken">
  <DisplayName></DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://login.microsoftonline.com/xxxxxxxxxx/oauth2/v2.0/token</Item>
    <Item Key="AuthenticationType">Basic</Item>
    <Item Key="SendClaimsIn">Form</Item>
    <Item Key="AllowInsecureAuthInProduction">true</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_ClientId" />
    <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_Secret" />
  </CryptographicKeys>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" />
    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="api://xxxxxxxx/.default" AlwaysUseDefaultValue="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

Please help

Answer 1

Score: 0

The grant_type and scope claims are used in both the REST-AcquireAccessToken and login-NonInteractive technical profiles. I believe the values that you used in the REST-AcquireAccessToken technical profile are overriding the default values in login-NonInteractive.

Use claims with different names, along with the proper PartnerClaimType, in the REST-AcquireAccessToken technical profile.

Example:

<!-- ClaimsSchema -->

<ClaimType Id="IntApigrant_type">
    <DisplayName>Grant type</DisplayName>
    <DataType>string</DataType>
</ClaimType>

<ClaimType Id="IntApiscope">
    <DisplayName>scope</DisplayName>
    <DataType>string</DataType>
</ClaimType>

<!-- REST-AcquireAccessToken -->

<InputClaims>
    <InputClaim ClaimTypeReferenceId="IntApigrant_type" PartnerClaimType="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" />
    <InputClaim ClaimTypeReferenceId="IntApiscope" PartnerClaimType="scope" DefaultValue="{Settings:IntermediateApiScope}" AlwaysUseDefaultValue="true" />
</InputClaims>

Or you can put AlwaysUseDefaultValue="true" in login-NonInteractive for those two claims.
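An added example, not code from the question or the answer above: a small Python linter that parses Azure AD B2C custom-policy XML and flags claim types that more than one technical profile fills with a different DefaultValue, which is the collision the answer describes between REST-AcquireAccessToken and login-NonInteractive. It checks both remedies from the answer: renaming the REST profile's claims and mapping them with PartnerClaimType, and pinning login-NonInteractive's own defaults with AlwaysUseDefaultValue="true". The policy fragments are constructed here and trimmed to the InputClaims elements; the login-NonInteractive claims are assumed to match the starter-pack profile, and the helper names (_policy, input_claim_defaults, find_conflicting_defaults) are mine, not part of any B2C tooling.

```python
"""Lint a B2C custom policy for InputClaims that several technical profiles
fill with different DefaultValue settings (added example, constructed data)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by Azure AD B2C TrustFrameworkPolicy files.
B2C_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
NS = {"b2c": B2C_NS}


def _policy(rest_input_claims: str, pin_login_defaults: bool = False) -> str:
    """Build a constructed, trimmed policy: a REST-AcquireAccessToken profile with
    the given InputClaims next to a login-NonInteractive profile modelled on the
    starter pack (assumption). Not a complete, uploadable policy."""
    pin = ' AlwaysUseDefaultValue="true"' if pin_login_defaults else ""
    return f"""<TrustFrameworkPolicy xmlns="{B2C_NS}">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="REST-AcquireAccessToken">
      <InputClaims>
        {rest_input_claims}
      </InputClaims>
    </TechnicalProfile>
    <TechnicalProfile Id="login-NonInteractive">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
        <InputClaim ClaimTypeReferenceId="password" Required="true" />
        <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password"{pin} />
        <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid"{pin} />
      </InputClaims>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""


# As posted in the question: grant_type and scope are shared with login-NonInteractive.
SHARED = (
    '<InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" />'
    '<InputClaim ClaimTypeReferenceId="scope" DefaultValue="api://example/.default" AlwaysUseDefaultValue="true" />'
)
# The answer's first fix: distinct claim types, mapped to the wire names via PartnerClaimType.
RENAMED = (
    '<InputClaim ClaimTypeReferenceId="IntApigrant_type" PartnerClaimType="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" />'
    '<InputClaim ClaimTypeReferenceId="IntApiscope" PartnerClaimType="scope" DefaultValue="api://example/.default" AlwaysUseDefaultValue="true" />'
)

POLICY_SHARED_CLAIMS = _policy(SHARED)
POLICY_RENAMED_CLAIMS = _policy(RENAMED)
# The answer's second fix: login-NonInteractive always uses its own defaults.
POLICY_PINNED_LOGIN = _policy(SHARED, pin_login_defaults=True)


def input_claim_defaults(policy_xml: str):
    """claim type id -> {technical profile id: (DefaultValue, pinned)} for every
    InputClaim that declares a DefaultValue; pinned is AlwaysUseDefaultValue="true"."""
    root = ET.fromstring(policy_xml)
    result = defaultdict(dict)
    for tp in root.iter(f"{{{B2C_NS}}}TechnicalProfile"):
        for claim in tp.findall("b2c:InputClaims/b2c:InputClaim", NS):
            default = claim.get("DefaultValue")
            if default is None:
                continue
            pinned = claim.get("AlwaysUseDefaultValue", "false").lower() == "true"
            result[claim.get("ClaimTypeReferenceId")][tp.get("Id")] = (default, pinned)
    return result


def find_conflicting_defaults(policy_xml: str):
    """Claims that two or more profiles fill with different defaults while at least
    one of them does not pin its default: that profile reads whatever an earlier
    profile (e.g. a ValidationTechnicalProfile) left in the claims bag instead of
    the value it was written for. Returns {claim id: {profile id: default}}."""
    conflicts = {}
    for claim_id, uses in input_claim_defaults(policy_xml).items():
        distinct_values = {default for default, _ in uses.values()}
        unpinned = [tp for tp, (_, pinned) in uses.items() if not pinned]
        if len(uses) > 1 and len(distinct_values) > 1 and unpinned:
            conflicts[claim_id] = {tp: default for tp, (default, _) in uses.items()}
    return conflicts


if __name__ == "__main__":
    for label, policy in [("shared claims", POLICY_SHARED_CLAIMS),
                          ("renamed claims", POLICY_RENAMED_CLAIMS),
                          ("pinned login defaults", POLICY_PINNED_LOGIN)]:
        print(f"{label}: {find_conflicting_defaults(policy) or 'no conflicts'}")
```

To run it against a real policy, read TrustFrameworkExtensions.xml and pass the text to find_conflicting_defaults. It only inspects DefaultValue on InputClaims; values that reach the claims bag through OutputClaims or claims transformations are outside what this check sees.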

huangapple
  • Posted on 2023-06-08 05:49:37
  • Please keep this link when reposting: https://go.coder-hub.com/76427310.html