Programming Q&A   Published: 2022-06-02  Source site: 大佬教程  code.js-code.com

How do I fix the Azure AD B2C error during password reset on first login (using custom policies)?


I am trying to force a password reset after the first login (in Azure AD B2C) using the custom policy described in the "reset password" repo.

I am using custom policies, and I get a validation error when I try to upload the "SignUpOrSignin.xml" custom policy. The message is:

Required metadata item with key "ApplicationObjectId" not found in TechnicalProfile with Id "AAD-UserRemoveMustResetPasswordUsingObjectId" in policy "B2C_1A_signup_signin" of tenant "resetpasswordtest.onmicrosoft.com".

These are the steps I followed:

  1. I downloaded the custom policy XML files from this GitHub sample (as described at the end of the readme.md file)
  2. I "replaced" "yourtenant.onmicrosoft.com" and the "facebook client"
  3. I "merged" "SignUpOrSignin.xml" and "TrustFrameworkExtensions.xml" with the content taken from the "reset password" repo.
  4. I created the "mustResetPassword" extension attribute (using the Azure portal)
  5. I created a user with the Graph utility (so I am 100% sure the user was created, in a safe way, with the correct "mustResetPassword" extension attribute)
  6. Finally, I uploaded the following XML files to the portal (in this order):

TrustFrameworkBase.xml
TrustFrameworkExtensions.xml
PasswordReset.xml
ProfileEdit.xml
SignUpOrSignin.xml

The problem occurs when I try to upload the last one (SignUpOrSignin.xml). What is wrong here? Here you can find the complete implementation of the first 5 XML files.

Please see below the parts of the "TrustFrameworkExtensions.xml" and "SignUpOrSignin.xml" custom policies that I have pasted.

Thanks for reading

<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="resetpasswordtest.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="http://resetpasswordtest.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">

  <BasePolicy>
    <TenantId>resetpasswordtest.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
    <ClaimsSchema>
      <!--Demo: Specifies whether the user must reset the password-->
      <ClaimType Id="extension_mustResetPassword">
        <DisplayName>Must reset password</DisplayName>
        <DataType>Boolean</DataType>
        <UserHelpText>Specifies whether the user must reset the password</UserHelpText>
      </ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>

  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Azure Active Directory</DisplayName>
      <TechnicalProfiles>

        <TechnicalProfile Id="AAD-UserReadUsingObjectId">
          <OutputClaims>
            <!--Demo: Read the 'must reset password' extension attribute -->
            <OutputClaim ClaimTypeReferenceId="extension_mustResetPassword" />
          </OutputClaims>
        </TechnicalProfile>

        <TechnicalProfile Id="AAD-UserRemoveMustResetPasswordUsingObjectId">
          <Metadata>
            <Item Key="Operation">DeleteClaims</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
          </InputClaims>
          <PersistedClaims>
            <PersistedClaim ClaimTypeReferenceId="objectId" />
            <PersistedClaim ClaimTypeReferenceId="extension_mustResetPassword" />
          </PersistedClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        </TechnicalProfile>

        <!--Demo: to create the extension attribute extension_mustResetPassword, you should upload the policy
            and create one account. Then ***comment out this technical profile***.
            -->
        <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
          <PersistedClaims>
            <PersistedClaim ClaimTypeReferenceId="extension_mustResetPassword" DefaultValue="true" />
          </PersistedClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

    <!-- Facebook claims provider -->
    <ClaimsProvider>
      <DisplayName>Facebook</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="Facebook-OAUTH">
          <Metadata>
            <!--Demo action required: Change to your Facebook App ID-->
            <Item Key="client_id">313412440187068</Item>
            <Item Key="scope">email public_profile</Item>
            <Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">44444444-2222-2222-2222-555555555555</Item>
            <Item Key="IdTokenAudience">44444444-2222-2222-2222-555555555555</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="44444444-2222-2222-2222-555555555555" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="44444444-2222-2222-2222-555555555555" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

  </ClaimsProviders>

  <UserJourneys>
    <UserJourney Id="SignUpOrSignInWithForcePasswordReset">
      <OrchestrationSteps>

        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange" />
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Check if the user has selected to sign in using one of the social providers -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" />
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- For social IDP authentication, attempt to find the user account in the directory. -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>localAccountAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Show the self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId).
          This can only happen when authentication happened using a social IDP. If a local account was created or authentication was done
          using ESTS in step 2, then a user account must exist in the directory by this time. -->
        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent
          in the token. -->
        <OrchestrationStep Order="5" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!--Demo: check if a password change is required. If yes, ask the user to reset the password-->
        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>extension_mustResetPassword</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
              <Value>extension_mustResetPassword</Value>
              <Value>True</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!--Demo: check if a password change is required. If yes, remove the value of the extension attribute,
            so that the user does not need to update the password next time-->
        <OrchestrationStep Order="7" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>extension_mustResetPassword</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
              <Value>extension_mustResetPassword</Value>
              <Value>True</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserRemoveMustResetPasswordUsingObjectId" TechnicalProfileReferenceId="AAD-UserRemoveMustResetPasswordUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect
             from the user. So, in that case, create the user in the directory if one does not already exist
             (verified using objectId, which would be set from the last step if the account was created in the directory). -->
        <OrchestrationStep Order="8" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>
  </UserJourneys>

</TrustFrameworkPolicy>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="resetpasswordtest.onmicrosoft.com"
  PolicyId="B2C_1A_signup_signin"
  PublicPolicyUri="http://resetpasswordtest.onmicrosoft.com/B2C_1A_signup_signin">

  <BasePolicy>
    <TenantId>resetpasswordtest.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignInWithForcePasswordReset" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" />
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

Solution

You missed the policy that configures extension attribute support: https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes?pivots=b2c-custom-policy#azure-ad-b2c-extensions-app

Before you start using the samples, you could use my tool to automate the whole process: https://aka.ms/iefsetup.
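A pre-upload check for exactly the failure in the question, as an added example that is not part of the answer or of the B2C samples: it parses a constructed minimal TrustFrameworkExtensions.xml and reports when AAD-Common is missing or lacks the ApplicationObjectId/ClientId metadata, and when a profile that persists extension_* claims does not include AAD-Common. The GUIDs are placeholders, not values from any real tenant.

```python
# Pre-upload lint for a B2C TrustFrameworkExtensions.xml (example code, not
# from the original Q&A): AAD-Common must exist with the b2c-extensions-app
# metadata, and every profile persisting extension_* claims must include it.
import xml.etree.ElementTree as ET

NS = {"b": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
TP = "{%s}TechnicalProfile" % NS["b"]
REQUIRED = ("ApplicationObjectId", "ClientId")
# Constructed minimal policy reproducing the question: the profile that
# deletes the extension attribute includes AAD-Common, but nothing defines it.
MISSING_COMMON = """<TrustFrameworkPolicy xmlns="{ns}">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="AAD-UserRemoveMustResetPasswordUsingObjectId">
      <Metadata><Item Key="Operation">DeleteClaims</Item></Metadata>
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="extension_mustResetPassword" />
      </PersistedClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>""".format(ns=NS["b"])

# Same policy plus the AAD-Common profile the linked docs add; the GUIDs are
# placeholders for the tenant's own b2c-extensions-app registration.
AAD_COMMON = """<TechnicalProfile Id="AAD-Common"><Metadata>
      <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000000</Item>
      <Item Key="ClientId">11111111-1111-1111-1111-111111111111</Item>
    </Metadata></TechnicalProfile>
  </TechnicalProfiles>"""
FIXED = MISSING_COMMON.replace("</TechnicalProfiles>", AAD_COMMON, 1)

def lint_extensions(policy_xml):
    """Return a list of findings; empty means the wiring the validator wanted is present."""
    profiles = {tp.get("Id"): tp for tp in ET.fromstring(policy_xml).iter(TP)}
    findings = []
    common = profiles.get("AAD-Common")
    if common is None:
        findings.append("AAD-Common technical profile is not defined")
    else:
        meta = {i.get("Key"): (i.text or "").strip()
                for i in common.findall("b:Metadata/b:Item", NS)}
        findings += [f"AAD-Common lacks metadata item '{k}'" for k in REQUIRED if not meta.get(k)]
    for pid, tp in profiles.items():
        # any Input/Output/PersistedClaim that refers to an extension_* claim type
        uses_ext = any(c.get("ClaimTypeReferenceId", "").startswith("extension_")
                       for c in tp.iter() if c.tag.endswith("Claim"))
        includes = {i.get("ReferenceId") for i in tp.findall("b:IncludeTechnicalProfile", NS)}
        if uses_ext and "AAD-Common" not in includes:
            findings.append(f"{pid} persists extension_* claims but does not include AAD-Common")
    return findings
```

Running `lint_extensions` over the real TrustFrameworkExtensions.xml before uploading surfaces the missing AAD-Common definition locally instead of at the portal's validation step.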
