Configure Azure Custom Policy For KeyCloak
I am trying to configure an Azure B2C custom policy for SignUp-SignIn that uses KeyCloak SSO
<ClaimsProvider>
  <Domain>mydomain.com</Domain>
  <DisplayName>SSO</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SSO-KK-OpenID">
      <DisplayName>My SSO</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="ProviderName">https://mydomainurl.com</Item>
        <Item Key="METADATA">https://mydomainurl.com/auth/realms/myrealm/.well-known/openid-configuration</Item>
        <Item Key="response_types">code</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="scope">openid</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="client_id">myclientIdOnKeyCloak</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="domain_hint" DefaultValue="pippo" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="https://mydomainurl.com" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
      </OutputClaims>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_MYKKSecret" />
      </CryptographicKeys>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
I have stored my secret in the policy keys, and the key is used as a signature. But when I upload the file I get this error:
Validation failed: 1 validation error(s) found in policy "B2C_1A_TRUSTFRAMEWORKBASE" of tenant "mytenant.onmicrosoft.com".Schema validation error found at line 440 col 12 in policy "B2C_1A_TRUSTFRAMEWORKBASE" of tenant "mytenant.onmicrosoft.com": The element 'TechnicalProfile' in namespace 'http://schemas.microsoft.com/online/cpim/schemas/2013/06' has invalid child element 'CryptographicKeys' in namespace 'http://schemas.microsoft.com/online/cpim/schemas/2013/06'. List of possible elements expected: 'OutputClaimsTransformations, ValidationTechnicalProfiles, SubjectNamingInfo, Extensions, IncludeClaimsFromTechnicalProfile, IncludeTechnicalProfile, UseTechnicalProfileForSessionManagement, ErrorHandlers, EnabledForUserJourneys' in namespace 'http://schemas.microsoft.com/online/cpim/schemas/2013/06'.Schema validation error found at line 440 col 12 in policy "B2C_1A_TRUSTFRAMEWORKBASE" of tenant "mytenant.onmicrosoft.com": The element 'TechnicalProfile' in namespace 'http://schemas.microsoft.com/online/cpim/schemas/2013/06' has invalid child element 'CryptographicKeys' in namespace 'http://schemas.microsoft.com/online/cpim/schemas/2013/06'. List of possible elements expected: 'OutputClaimsTransformations, ValidationTechnicalProfiles, SubjectNamingInfo, Extensions, IncludeClaimsFromTechnicalProfile, IncludeTechnicalProfile, UseTechnicalProfileForSessionManagement, ErrorHandlers, EnabledForUserJourneys' in namespace 'http://schemas.microsoft.com/online/cpim/schemas/2013/06'.
I copied the Facebook ClaimsProvider from the MS Documentation as a reference, following the instructions there.
The error indicates that the order of the nodes is not what is expected.
Move the CryptographicKeys between the Metadata and InputClaims nodes.
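As an added check (my own code, not from the question or the answer): a script that flags any child of a TechnicalProfile that is out of schema order, names the sibling it must precede, and rewrites the profile in the correct order. The tail of the expected order comes from the page's error message; the earlier element names are what I recall of the TrustFrameworkPolicy XSD and are an assumption, as are the function names and the trimmed sample policy.

```python
import xml.etree.ElementTree as ET
B2C_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
# <TechnicalProfile> child order. From OutputClaimsTransformations on, this is the list in the
# page's error; the earlier names follow the TrustFrameworkPolicy XSD as I recall it (assumption).
EXPECTED_ORDER = [
    "Domain", "DisplayName", "Description", "Protocol", "Metadata", "CryptographicKeys",
    "InputTokenFormat", "InputClaimsTransformations", "InputClaims", "PersistedClaims", "DisplayClaims",
    "OutputTokenFormat", "OutputClaims", "OutputClaimsTransformations", "ValidationTechnicalProfiles",
    "SubjectNamingInfo", "Extensions", "IncludeClaimsFromTechnicalProfile", "IncludeTechnicalProfile",
    "UseTechnicalProfileForSessionManagement", "ErrorHandlers", "EnabledForUserJourneys",
]
RANK = {name: i for i, name in enumerate(EXPECTED_ORDER)}
local = lambda tag: tag.rsplit("}", 1)[-1]  # '{ns}Metadata' -> 'Metadata': works with or without xmlns
def profiles(root):
    return [el for el in root.iter() if local(el.tag) == "TechnicalProfile"]

def find_misordered(xml_text):
    """Return [(profile Id, misplaced child, sibling it must precede)], one entry per offence."""
    problems = []
    for tp in profiles(ET.fromstring(xml_text)):
        seen = []
        for child in tp:
            name = local(child.tag)
            if name not in RANK:
                problems.append((tp.get("Id"), name, None))  # not a schema child at all
                continue
            later = [s for s in seen if RANK[s] > RANK[name]]  # earlier siblings that must follow it
            if later:
                problems.append((tp.get("Id"), name, later[0]))
            seen.append(name)
    return problems

def reorder(xml_text):
    """Return the policy with every TechnicalProfile's children sorted into schema order."""
    root = ET.fromstring(xml_text)
    for tp in profiles(root):
        kids = sorted(list(tp), key=lambda c: RANK.get(local(c.tag), len(RANK)))  # stable: unknowns last
        for c in list(tp):
            tp.remove(c)
        tp.extend(kids)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: the question's profile, trimmed, with CryptographicKeys in the wrong place.
SAMPLE = f"""<ClaimsProvider xmlns="{B2C_NS}"><TechnicalProfiles><TechnicalProfile Id="SSO-KK-OpenID">
<DisplayName>My SSO</DisplayName><Protocol Name="OpenIdConnect" /><Metadata><Item Key="scope">openid</Item></Metadata>
<InputClaims><InputClaim ClaimTypeReferenceId="domain_hint" DefaultValue="pippo" /></InputClaims>
<OutputClaims><OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" /></OutputClaims>
<CryptographicKeys><Key Id="client_secret" StorageReferenceId="B2C_1A_MYKKSecret" /></CryptographicKeys>
</TechnicalProfile></TechnicalProfiles></ClaimsProvider>"""
```

Running find_misordered on a whole TrustFrameworkBase or extensions file before uploading catches this class of schema error offline, without the round trip to the portal.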