英文:
ADB2C policies fails on ValidationTechnicalProfile
问题
在我的ValidationTechnicalProfile中,我遇到了一个问题:
<ValidationTechnicalProfile ReferenceId="REST-acquireaccesstoken"/>
如果我从ValidationTechnicalProfiles中删除这个部分,登录就可以正常工作,但是如果保留这个ValidationTechnicalProfile,登录会失败,出现以下错误:
"Key": "Exception","Value": {"Kind": "Handled","HResult": "80131500","Message": "Invalid username or password.","Data": {"IsPolicySpecificError": false}}
同样的技术配置在OrchestrationStep中调用时可以正常工作。AppInsight日志也没有提供帮助,我只能看到上述错误。以下是TechnicalProfile的配置:
<TechnicalProfile Id="REST-AcquireAccessToken"><DisplayName></DisplayName><Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /><Metadata><Item Key="ServiceUrl">https://login.microsoftonline.com/xxxxxxxxxx/oauth2/v2.0/token</Item><Item Key="AuthenticationType">Basic</Item><Item Key="SendClaimsIn">Form</Item><Item Key="AllowInsecureAuthInProduction">true</Item></Metadata><CryptographicKeys><Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_ClientId" /><Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_Secret" /></CryptographicKeys><InputClaims><InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" /><InputClaim ClaimTypeReferenceId="scope" DefaultValue="api://xxxxxxxx/.default" AlwaysUseDefaultValue="true" /></InputClaims><OutputClaims><OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" /></OutputClaims><UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" /></TechnicalProfile>
请帮助解决这个问题。
英文:
I am facing an issue, in my ValidationTechnicalProfile,
<ValidationTechnicalProfile ReferenceId="REST-acquireaccesstoken"/>
if I remove this from ValidationTechnicalProfiles, login works, but with this ValidationTechnicalProfile it fails with:
"Key": "Exception",
"Value": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "Invalid username or password.",
"Data": {
"IsPolicySpecificError": false
}
}
This same Technical profile works fine if I call it in OrchestrationStep. The appinsight logs are not help as well, all I see is above error. Here is the TechnicalProfile
<TechnicalProfile Id="REST-AcquireAccessToken"><DisplayName></DisplayName><Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /><Metadata><Item Key="ServiceUrl">https://login.microsoftonline.com/xxxxxxxxxx/oauth2/v2.0/token</Item><Item Key="AuthenticationType">Basic</Item><Item Key="SendClaimsIn">Form</Item><Item Key="AllowInsecureAuthInProduction">true</Item></Metadata><CryptographicKeys><Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_ClientId" /><Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_Secret" /></CryptographicKeys><InputClaims><InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" /><InputClaim ClaimTypeReferenceId="scope" DefaultValue="api://xxxxxxxx/.default" AlwaysUseDefaultValue="true" /></InputClaims><OutputClaims><OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" /></OutputClaims><UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" /></TechnicalProfile>
Please help
答案1
得分: 0
以下是您要翻译的内容:
"grant_type" 和 "scope" 声明在 REST-AcquireAccessToken 和 login-NonInteractive 技术配置文件中都有使用。我认为您在 REST-AcquireAccessToken 技术配置文件中使用的值正在覆盖 login-NonInteractive 中的默认值。
在 REST-AcquireAccessToken 技术配置文件中,使用不同名称的声明以及正确的 PartnerClaimType。
示例:
<!-- ClaimsSchema --><ClaimType Id="IntApigrant_type"><DisplayName>授权类型</DisplayName><DataType>string</DataType></ClaimType><ClaimType Id="IntApiscope"><DisplayName>范围</DisplayName><DataType>string</DataType></ClaimType><!-- REST-AcquireAccessToken --><InputClaims><InputClaim ClaimTypeReferenceId="IntApigrant_type" PartnerClaimType="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" /><InputClaim ClaimTypeReferenceId="IntApiscope" PartnerClaimType="scope" DefaultValue="{Settings:IntermediateApiScope}" AlwaysUseDefaultValue="true" /></InputClaims>
或者您可以在 login-NonInteractive 配置文件中为这两个声明添加 AlwaysUseDefaultValue="true"。
英文:
The grant_type and scope claims are used in both REST-AcquireAccessToken and login-NonInteractive technical profiles. I believe the values that you used in REST-AcquireAccessToken technical profile is overriding the default values in login-NonInteractive.
Use claims with different names along with proper PartnerClaimType in REST-AcquireAccessToken technical profile.
example:
<!-- ClaimsSchema --><ClaimType Id="IntApigrant_type"><DisplayName>Grant type</DisplayName><DataType>string</DataType></ClaimType><ClaimType Id="IntApiscope"><DisplayName>scope</DisplayName><DataType>string</DataType></ClaimType><!-- REST-AcquireAccessToken --><InputClaims><InputClaim ClaimTypeReferenceId="IntApigrant_type" PartnerClaimType="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" /><InputClaim ClaimTypeReferenceId="IntApiscope" PartnerClaimType="scope" DefaultValue="{Settings:IntermediateApiScope}" AlwaysUseDefaultValue="true" /></InputClaims>
Or you can put AlwaysUseDefaultValue="true" in login-NonInteractive for those two claims.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论