Azure ADB2C RESTful API Sign In error: "Error granting access to your user, please try again later. Validation error: Email is mandatory."

To check whether the user's email exists in a given database before they sign in, I am using a RESTful API technical profile.

When I run the sign-in flow with an external IdP (e.g. Google, Facebook, etc.) it works like a charm; however, with the local-account sign-in flow (i.e. username and password) I get the exception above.

Here is some information I got from Application Insights:

{
        "Kind": "Headers",
        "Content": {
            "UserJourneyRecorderEndpoint": "urn:journeyrecorder:applicationinsights",
            "CorrelationId": "97c526e1-96cd-45b6-8dd9-dfe26f26dfa5",
            "EventInstance": "Event:API",
            "TenantId": "foo",
            "PolicyId": "B2C_1A_V2_AccountLink_SUSI"

"Kind": "HandlerResult",
        "Content": {
            "Result": true,
            "RecorderRecord": {
                "Values": [
                    {
                        "Key": "SendErrorTechnicalProfile",
                        "Value": "OpenIdConnectProtocolProvider"
                    },
                    {
                        "Key": "Exception",
                        "Value": {
                            "Kind": "Handled",
                            "HResult": "80131500",
                            "Message": "Error granting access to your user, please try again later. Validation error: Email is mandatory.",
                            "Data": {
                                "IsPolicySpecificError": false
                            },
                            "Exception": {
                                "Kind": "Handled",
                                "HResult": "80131500",
                                "Message": "Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details.",
                                "Data": {}
                            }
                        }
                    }
                ]
            },

Statebag + extra HTTP request information:

 "Statebag": {
                "Complex-CLMS": {
                    "signInName": "foo@gmail.com",
                    "objectId": "aaaaaaa-bbbbbb-4b0c-be57-852ca738e337",
                    "authenticationSource": "localAccountAuthentication",
                    "termsOfUseConsentRequired": "False",
                    "extension_termsOfUseConsentDateTime": "12/2/2021 2:30:09 PM",
                    "currentTime": "12/2/2021 2:39:14 PM",
                    "currentUserIdentities": "System.Collections.ObjectModel.Collection`1[Microsoft.Cpim.Data.UserIdentity]",
                    "signInNames.emailAddress": "foo@gmail.com",
                    "displayName": "Raphael Silva",
                    "givenName": "Raphael ramos",
                    "surname": "silva",
                    "issuers": "System.Collections.ObjectModel.Collection`1[System.String]"
                },
                "PROT": {
                    "c": "2021-12-02T14:39:16.1594338Z",
                    "k": "PROT",
                    "v": "AAD Request to https://graph.windows.net/<foo>/users/<bar>?api-version=1.6 using method GET as request body is malformed.\r\nResponse: \n{\"odata.metadata\":\"https://graph.windows.net/<foo>/$metadata#directoryObjects/@Element\",\"odata.type\":\"Microsoft.DirectoryServices.User\",\"objectType\":\"User\",\"objectId\":\"<bar>\",\"deletionTimestamp\":null,\"accountEnabled\":true,\"ageGroup\":null,\"assignedLicenses\":[],\"assignedPlans\":[],\"city\":null,\"companyName\":null,\"consentProvidedForMinor\":null,\"country\":null,\"createdDateTime\":\"2021-12-02T14:30:28Z\",\"creationType\":\"LocalAccount\",\"department\":null,\"dirSyncEnabled\":null,\"displayName\":\"Raphael Silva\",\"employeeId\":null,\"facsimileTelephoneNumber\":null,\"givenName\":\"Raphael ramos\",\"immutableId\":null,\"isCompromised\":null,\"jobTitle\":null,\"lastDirSyncTime\":null,\"legalAgeGroupClassification\":null,\"mail\":null,\"mailNickname\":\"<foo>\",\"mobile\":null,\"onPremisesDistinguishedName\":null,\"onPremisesSecurityIdentifier\":null,\"otherMails\":[],\"passwordPolicies\":\"DisablePasswordExpiration\",\"passwordProfile\":null,\"physicalDeliveryOfficeName\":null,\"postalCode\":null,\"preferredLanguage\":null,\"provisionedPlans\":[],\"provisioningErrors\":[],\"proxyAddresses\":[],\"refreshTokensValidFromDateTime\":\"2021-12-02T14:30:28Z\",\"showInAddressList\":null,\"signInNames\":[{\"type\":\"emailAddress\",\"value\":\"r.r.raphael.silva@gmail.com\"}],\"sipProxyAddress\":null,\"state\":null,\"streetAddress\":null,\"surname\":\"silva\",\"telephoneNumber\":null,\"thumbnailPhoto@odata.mediaEditLink\":\"directoryObjects/6207c4d7-8e54-4b0c-be57-852ca738e337/Microsoft.DirectoryServices.User/thumbnailPhoto\",\"usageLocation\":null,\"userIdentities\":[],\"userPrincipalName\":\"<foobar>\",\"userState\":null,\"userStateChangedOn\":null,\"userType\":\"Member\",\"extension_9614eff520454054b6d79fbe0c7a5491_residentialPostcode\":\"<foo>\",\"extension_9614eff520454054b6d79fbe0c7a5491_termsOfUseConsentVersion\":\"V1\",\"extension_9614eff520454054b6d79fbe0c7a5491_termsOfUseConsentChoice\":\"AgreeToTermsOfUseConsentYes\",\"extension_9614eff520454054b6d79fbe0c7a5491_termsOfUseConsentDateTime@odata.type\":\"Edm.DateTime\",\"extension_9614eff520454054b6d79fbe0c7a5491_termsOfUseConsentDateTime\":\"2021-12-02T14:30:08.7498164Z\",\"extension_9614eff520454054b6d79fbe0c7a5491_haspassword\":true}\r\n",
                    "p": false
                }
            }
        }

Finally, the REST API technical profile:

 <!-- B2C_1A_TrustFrameworkExtensions -->
 <TechnicalProfile Id="REST-AuthB2CSignIn">
   <DisplayName>Get User roles from the database</DisplayName>
   <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
   <Metadata>
     <!-- Set the ServiceUrl with your own REST API endpoint -->
     <Item Key="ServiceUrl">{config:SignInFunction}</Item>
     <Item Key="SendClaimsIn">Body</Item>
     <!-- Set AuthenticationType to Basic or ClientCertificate in production environments -->
     <Item Key="AuthenticationType">None</Item>
     <!-- REMOVE the following line in production environments -->
     <Item Key="AllowInsecureAuthInProduction">true</Item>
   </Metadata>
   <InputClaims>
     <!-- Claims sent to your REST API -->
     <InputClaim ClaimTypeReferenceId="objectId" />
     <InputClaim ClaimTypeReferenceId="email" />
     <InputClaim ClaimTypeReferenceId="displayName" />
     <InputClaim ClaimTypeReferenceId="givenName" />
     <InputClaim ClaimTypeReferenceId="surname" />
   </InputClaims>
   <OutputClaims>
     <!-- Claims parsed from your REST API -->
     <OutputClaim ClaimTypeReferenceId="extension_Roles" />
   </OutputClaims>
   <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
 </TechnicalProfile>
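Added example (editor's code, not the asker's SignInFunction and not part of either post): a stand-alone Python handler for the kind of endpoint the REST-AuthB2CSignIn profile above posts to. With SendClaimsIn=Body, B2C posts only the InputClaims listed in the profile; the Statebag above carries signInName and signInNames.emailAddress but no `email` claim, so in the local-account run the `email` key is absent or empty in that POST, while a federated IdP fills it. The handler shows how an API that treats `email` as mandatory produces the 409 `{version, status, userMessage}` response that B2C's RestfulProvider surfaces as a user-visible message (consistent with the wrapped HTTP exception in the log above), and how to validate the Basic credential B2C sends when AuthenticationType is Basic, since the profile above runs with AuthenticationType None and AllowInsecureAuthInProduction, which its own comments flag as not for production. The credential, the roles table and both request bodies are constructed for illustration.

```python
"""Stand-alone handler for the endpoint a B2C REST technical profile calls.

Added example, not the asker's SignInFunction. Constructed names:
EXPECTED_USER / EXPECTED_PASSWORD stand in for the Basic credential the
policy would hold as a policy key, ROLES_DB for the database the profile
says it queries, and the two *_BODY dicts for what B2C posts.
"""
import base64
import hmac
import json
import re

EXPECTED_USER = "b2c-rest"                          # constructed
EXPECTED_PASSWORD = "correct horse battery staple"  # constructed
ROLES_DB = {"foo@gmail.com": ["reader", "author"]}  # constructed stand-in for the database
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def b2c_error(user_message, status=409):
    """Error body in the shape B2C's RestfulProvider expects; on 409 it shows
    userMessage to the user instead of a generic failure."""
    return status, {"version": "1.0.0", "status": status, "userMessage": user_message}


def check_basic_auth(headers):
    """Constant-time check of the 'Authorization: Basic ...' header B2C sends
    when the profile uses AuthenticationType=Basic."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Compare both parts so the check does not short-circuit on the user name alone.
    user_ok = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode())
    return user_ok and pass_ok


def handle_signin(headers, body):
    """Process one POST from the REST-AuthB2CSignIn profile.

    Returns (http_status, json_body). On 200 the body's keys become the
    profile's OutputClaims (here extension_Roles); on 409 userMessage is
    shown to the user. Claims are validated before any lookup so an
    unexpected body never reaches the database.
    """
    if not check_basic_auth(headers):
        return 401, {"version": "1.0.0", "status": 401, "userMessage": "Unauthorized"}
    object_id = (body.get("objectId") or "").strip()
    email = (body.get("email") or "").strip()
    if not object_id:
        return b2c_error("Error granting access to your user, please try again later. Validation error: objectId is mandatory.")
    if not email:
        # The branch a local-account sign-in hits when `email` is not populated:
        # the profile lists `email`, but the Statebag only has signInNames.emailAddress,
        # so the key is missing from (or empty in) the POST body.
        return b2c_error("Error granting access to your user, please try again later. Validation error: Email is mandatory.")
    if not EMAIL_RE.match(email):
        return b2c_error("Validation error: Email is not well formed.")
    roles = ROLES_DB.get(email.lower())
    if roles is None:
        return b2c_error("Your account is not registered. Please contact support.")
    return 200, {"extension_Roles": ",".join(roles)}


def auth_header():
    """Header B2C would send for AuthenticationType=Basic with the credential above."""
    token = base64.b64encode(f"{EXPECTED_USER}:{EXPECTED_PASSWORD}".encode()).decode()
    return {"Authorization": "Basic " + token, "Content-Type": "application/json"}


# Constructed bodies: SendClaimsIn=Body posts only the InputClaims listed in the
# profile. Federated sign-in has `email` filled by the IdP; the local-account run
# has no `email` value, so the key is missing.
COMMON = {"objectId": "aaaaaaa-bbbbbb-4b0c-be57-852ca738e337",
          "displayName": "Raphael Silva", "givenName": "Raphael ramos", "surname": "silva"}
FEDERATED_BODY = {**COMMON, "email": "foo@gmail.com"}
LOCAL_BODY = dict(COMMON)


if __name__ == "__main__":
    for name, body in (("federated", FEDERATED_BODY), ("local", LOCAL_BODY)):
        status, resp = handle_signin(auth_header(), body)
        print(name, status, json.dumps(resp))
```

Running it prints a 200 with `extension_Roles` for the federated body and a 409 whose userMessage is the "Validation error: Email is mandatory." text for the local body, which is the split the question describes. Returning 409 with this JSON shape is what lets B2C show a specific message; any other non-2xx status is reported to the user as a generic error.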

Please check whether the following points work together with the ones in the comments.

  1. To enable local-account sign-in authentication against the Azure AD B2C directory, you must add the Identity Experience Framework (IEF) applications to the Azure AD B2C directory, and then configure these IEF applications in the login-NonInteractive technical profile.
  2. According to Azure Active Directory B2C | Microsoft Docs:

Azure AD B2C requires you to register two applications that it uses to sign up and sign in users with local accounts: IdentityExperienceFramework, a web API, and ProxyIdentityExperienceFramework, a native app with delegated permission to the IdentityExperienceFramework app. Your users can sign up with an email address or username and a password to access your tenant-registered applications, which creates a "local account." Local accounts exist only in your Azure AD B2C tenant.

  3. Also, don't forget to update the application (client) IDs of the two applications you registered when you completed the add step, IdentityExperienceFramework and ProxyIdentityExperienceFramework.

  4. Also see adding the email address to the identities collection:

        { 
          "signInType": "emailAddress",
          "issuer": "contoso.onmicrosoft.com",
          "issuerAssignedId": "xyz@yahoo.com"
        },

Please check this.

References:

  1. Azure AD B2C missing email claim with local account and user id sign in - Stack Overflow
  2. Invalid username or password when signing in with local account using Azure AD B2C custom policy - Stack Overflow