如何对 Azure AD B2C 自定义策略中的 RESTful 端点响应进行故障排除
How to troubleshoot RESTful endpoint response in Azure AD B2C custom policy
我正在尝试获取某个用户在登录过程中所属的组。
我正在为此使用调用 RESTful 图 API。
这是我的技术资料,我的想法是为我的图表 API 应用程序获取令牌,并使用令牌进行 /getMemberGroups 调用以获取组作为 StringCollection:
<ClaimsProvider>
<DisplayName>Get user groups of a certain user</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="GetAccessTokenForGraphApi">
<DisplayName></DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">https://login.microsoftonline.com/{tenant_name}.onmicrosoft.com/oauth2/v2.0/token</Item>
<Item Key="AuthenticationType">Basic</Item>
<Item Key="SendClaimsIn">Form</Item>
</Metadata>
<CryptographicKeys>
<Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_userMgntAppId" />
<Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_userMgntAppClientSecret" />
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" />
<InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
<TechnicalProfile Id="GetUserGroups">
<DisplayName>Retrieves security groups assigned to the user</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">https://graph.microsoft.com/v1.0/users/{objectId}/getMemberGroups</Item>
<Item Key="AuthenticationType">Bearer</Item>
<Item Key="UseClaimAsBearerToken">bearerToken</Item>
<Item Key="SendClaimsIn">Body</Item>
<Item Key="AllowInsecureAuthInProduction">true</Item>
<Item Key="ClaimUsedForRequestPayload">securityEnabledOnly</Item>
<Item Key="DefaultUserMessageIfRequestFailed">Cannot process your request right now, please try again later.</Item>
</Metadata>
<InputClaims>
<InputClaim Required="true" ClaimTypeReferenceId="objectId" />
<InputClaim Required="true" ClaimTypeReferenceId="bearerToken" />
<InputClaim Required="true" ClaimTypeReferenceId="securityEnabledOnly" DefaultValue="false" AlwaysUseDefaultValue="true" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="groups" PartnerClaimType="value" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
GetAccessTokenForGraphApi TP 工作正常,如果我仅在我的 userJourney 中调用它,我可以获得 bearerToken 输出声明。
但是,当我将 GetUserGroups TP 作为下一个编排步骤时,我的应用程序洞察日志中出现了此类异常:
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"RecorderRecord": {
"Values": [
{
"Key": "SendErrorTechnicalProfile",
"Value": "OpenIdConnectProtocolProvider"
},
{
"Key": "Exception",
"Value": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "Cannot process your request right now, please try again later.",
"Data": {
"IsPolicySpecificError": false
},
"Exception": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details.",
"Data": {}
}
}
}
]
},
我认为在调用 RESTful 端点时出现了一些错误。我的问题是,如何“可视化”restful 调用以查看我实际发送的内容?例如,如您所见,我将 objectId 放入我的 URL,查看实际的 URL 将有助于排除 restful 调用的故障。
如果我需要补充更多信息,请告诉我。非常感谢!
你不能这样做:
<Item Key="ServiceUrl">https://graph.microsoft.com/v1.0/users/{objectId}/getMemberGroups</Item>
结合起来:
<Item Key="SendClaimsIn">Body</Item>
您可以在 URL 中发送声明,您的声明解析器将在其中解析 objectId,或者在正文中发送声明。
https://docs.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile#metadata
这就是你调用失败的原因。
您需要调用您自己的 API,然后让您自己的 API 调用 Graph API。
我正在尝试获取某个用户在登录过程中所属的组。
我正在为此使用调用 RESTful 图 API。
这是我的技术资料,我的想法是为我的图表 API 应用程序获取令牌,并使用令牌进行 /getMemberGroups 调用以获取组作为 StringCollection:
<ClaimsProvider>
<DisplayName>Get user groups of a certain user</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="GetAccessTokenForGraphApi">
<DisplayName></DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">https://login.microsoftonline.com/{tenant_name}.onmicrosoft.com/oauth2/v2.0/token</Item>
<Item Key="AuthenticationType">Basic</Item>
<Item Key="SendClaimsIn">Form</Item>
</Metadata>
<CryptographicKeys>
<Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_userMgntAppId" />
<Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_userMgntAppClientSecret" />
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" />
<InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
<TechnicalProfile Id="GetUserGroups">
<DisplayName>Retrieves security groups assigned to the user</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">https://graph.microsoft.com/v1.0/users/{objectId}/getMemberGroups</Item>
<Item Key="AuthenticationType">Bearer</Item>
<Item Key="UseClaimAsBearerToken">bearerToken</Item>
<Item Key="SendClaimsIn">Body</Item>
<Item Key="AllowInsecureAuthInProduction">true</Item>
<Item Key="ClaimUsedForRequestPayload">securityEnabledOnly</Item>
<Item Key="DefaultUserMessageIfRequestFailed">Cannot process your request right now, please try again later.</Item>
</Metadata>
<InputClaims>
<InputClaim Required="true" ClaimTypeReferenceId="objectId" />
<InputClaim Required="true" ClaimTypeReferenceId="bearerToken" />
<InputClaim Required="true" ClaimTypeReferenceId="securityEnabledOnly" DefaultValue="false" AlwaysUseDefaultValue="true" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="groups" PartnerClaimType="value" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
GetAccessTokenForGraphApi TP 工作正常,如果我仅在我的 userJourney 中调用它,我可以获得 bearerToken 输出声明。
但是,当我将 GetUserGroups TP 作为下一个编排步骤时,我的应用程序洞察日志中出现了此类异常:
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"RecorderRecord": {
"Values": [
{
"Key": "SendErrorTechnicalProfile",
"Value": "OpenIdConnectProtocolProvider"
},
{
"Key": "Exception",
"Value": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "Cannot process your request right now, please try again later.",
"Data": {
"IsPolicySpecificError": false
},
"Exception": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details.",
"Data": {}
}
}
}
]
},
我认为在调用 RESTful 端点时出现了一些错误。我的问题是,如何“可视化”restful 调用以查看我实际发送的内容?例如,如您所见,我将 objectId 放入我的 URL,查看实际的 URL 将有助于排除 restful 调用的故障。
如果我需要补充更多信息,请告诉我。非常感谢!
你不能这样做:
<Item Key="ServiceUrl">https://graph.microsoft.com/v1.0/users/{objectId}/getMemberGroups</Item>
结合起来:
<Item Key="SendClaimsIn">Body</Item>
您可以在 URL 中发送声明,您的声明解析器将在其中解析 objectId,或者在正文中发送声明。 https://docs.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile#metadata
这就是你调用失败的原因。
您需要调用您自己的 API,然后让您自己的 API 调用 Graph API。