Azure AD B2C - How do we skip email verification (for 2FA) during token refresh?
My custom policy sends a custom 2FA verification to the user's email during sign-in. I use DisplayControls together with SessionManagement to send a single 2FA email during sign-in. However, during token refresh the 2FA email is not skipped, even though there is a precondition on isActiveMFASession. If I have misunderstood how my custom policy should be built, please help by reviewing the policy snippets. Thanks!
Claims
<DisplayControl Id="signInEmailVerificationControl" UserInterfaceControlType="VerificationControl">
<InputClaims>
<InputClaim ClaimTypeReferenceId="email" />
</InputClaims>
<DisplayClaims>
<DisplayClaim ClaimTypeReferenceId="email" Required="true" />
<DisplayClaim ClaimTypeReferenceId="verificationCode" ControlClaimType="VerificationCode" Required="true" />
</DisplayClaims>
<Actions>
<Action Id="SendCode">
<ValidationClaimsExchange>
<ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="GenerateOtp" />
<ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="SendOtp" />
</ValidationClaimsExchange>
</Action>
<Action Id="VerifyCode">
<ValidationClaimsExchange>
<ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="VerifyOtp" />
</ValidationClaimsExchange>
</Action>
</Actions>
</DisplayControl>
Technical Profiles
<TechnicalProfile Id="SelfAsserted-Email-2FA">
<DisplayName>Self Asserted Email 2FA</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
<Item Key="setting.showCancelButton">false</Item>
<!-- OTP validation error messages -->
<Item Key="UserMessageIfSessionDoesNotExist">You have exceeded the maximum time allowed.</Item>
<Item Key="UserMessageIfMaxRetryAttempted">You have exceeded the number of retries allowed.</Item>
<Item Key="UserMessageIfInvalidCode">You have entered the wrong code.</Item>
<Item Key="UserMessageIfSessionConflict">Cannot verify the code, please try again later.</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="email" />
</InputClaims>
<DisplayClaims>
<DisplayClaim DisplayControlReferenceId="signInEmailVerificationControl" />
</DisplayClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-MFA" />
</TechnicalProfile>
<TechnicalProfile Id="SM-MFA">
<DisplayName>MFA Session Management Provider</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="isActiveMFASession" DefaultValue="true"/>
</OutputClaims>
</TechnicalProfile>
Orchestration Steps
<!-- after Signin step -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isActiveMFASession</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="Email-2FA" TechnicalProfileReferenceId="SelfAsserted-Email-2FA"/>
</ClaimsExchanges>
</OrchestrationStep>
One thing I noticed is that you are using ClaimEquals but not specifying what the value should be.
I think the precondition should be:
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isActiveMFASession</Value>
<Value>true</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
Add an output claim isActiveMFASession with DefaultValue="true" to SelfAsserted-Email-2FA.
Add a persisted claim isActiveMFASession to SM-MFA. Remove your output claim.
Remove the precondition in step 5.
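As an added example (not the asker's policy and not either answer's own text), here is the precondition as posted beside the two-Value form the first answer recommends, which is also the pattern the Microsoft B2C starter-pack MFA policies use, together with the SM-MFA profile the skip relies on. The identifiers SelfAsserted-Email-2FA, SM-MFA, Email-2FA and Order="5" are taken from the question; everything else stated in the comments is an assumption.

```xml
<!-- SM-MFA: the SSO session provider referenced by SelfAsserted-Email-2FA.
     Its OutputClaims are delivered when a session written by an earlier run of
     the journey is found (the token-refresh case), which is what makes
     isActiveMFASession=true available before step 5 is evaluated. -->
<TechnicalProfile Id="SM-MFA">
  <DisplayName>MFA Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="isActiveMFASession" DefaultValue="true" />
  </OutputClaims>
</TechnicalProfile>

<!-- Form from the question: ClaimEquals with a single Value names the claim
     type but never states the value to compare against, so the comparison
     cannot succeed and the 2FA step is never skipped. -->
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
  <Value>isActiveMFASession</Value>
  <Action>SkipThisOrchestrationStep</Action>
</Precondition>

<!-- Corrected step: for ClaimEquals the first Value is the claim type and the
     second Value is the expected value. Order="5" assumes the sign-in
     step immediately precedes it, as the question's comment indicates. -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>isActiveMFASession</Value>
      <Value>true</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="Email-2FA" TechnicalProfileReferenceId="SelfAsserted-Email-2FA" />
  </ClaimsExchanges>
</OrchestrationStep>
```

On the first sign-in no session exists, isActiveMFASession is absent, the precondition does not match and the email OTP step runs; on a refresh within the session lifetime the claim is true and the step is skipped.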