使用REST端点的Azure B2C多租户AAD验证组

问题描述

我想根据 IEF 中如下的自定义策略，对通过多租户 AAD 登录的用户进行验证

 <ClaimsProvider>
    <!-- Multi-tenant Azure AD sign-in over OpenID Connect. The claims emitted here feed the
         REST-RBAC validation technical profile defined in the second ClaimsProvider
         (objectId goes in, groups comes back). -->
    <Domain>commonaad</Domain>
    <!-- NOTE(review): XML is case-sensitive and the B2C policy schema element is DisplayName;
         confirm whether the lowercase "displayName" used throughout this snippet is a paste
         artifact or what was actually uploaded. -->
    <displayName>Common AAD</displayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="Common-AAD">
        <displayName>Multi-Tenant AAD</displayName>
        <Description>Login with your account</Description>
        <Protocol Name="OpenIdConnect"/>
        <Metadata>
          <!-- NOTE(review): both the item key ("MetaDATA") and the discovery URL path (".well-kNown")
               carry unusual mixed casing; compare them against the documented metadata key and the
               /.well-known/openid-configuration path before trusting this profile. -->
          <Item Key="MetaDATA">https://login.microsoftonline.com/common/v2.0/.well-kNown/openid-configuration</Item>
        <!-- Update the Client ID below to the Application ID -->
          <Item Key="client_id">97704006-2069-48a9-86c3-28ba9de9d83c</Item>
          <Item Key="response_types">code</Item>
          <Item Key="scope">openid profile</Item>
          <Item Key="response_mode">form_post</Item>
          <Item Key="HttpBinding">POST</Item>
          <Item Key="UsePolicyInRedirectUri">false</Item>
          <Item Key="discoverMetadataByTokenIssuer">true</Item>
        <!-- The key below allows you to specify each of the Azure AD tenants that can be used to sign in. Update the GUIDs below for each tenant. -->
        <!-- <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item> -->
        <!-- The key below (currently active) specifies that users from any tenant can sign in. Replace it with the tenant-specific list above to restrict sign-in to known tenants. -->
          <!-- NOTE(review): with the bare prefix active, the only tenant/group restriction left is the
               REST-RBAC check below, so that check must fail closed (deny when the call errors or
               returns no groups) rather than letting the sign-in continue. -->
          <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
        </Metadata>
        <CryptographicKeys>
          <!-- Client secret is resolved from the policy key container, not stored inline. -->
          <Key Id="client_secret" StorageReferenceId="B2C_1A_TenantApplicationKey"/>
        </CryptographicKeys>
        <OutputClaims>
        <!-- objectId and issuerUserId both map from the AAD "oid" claim; objectId is the input to REST-RBAC. -->
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
          <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
          <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
          <OutputClaim ClaimTypeReferenceId="givenname" PartnerClaimType="given_name" />
          <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
          <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
          <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
          <!-- groups has no PartnerClaimType: it is expected to be filled by the REST-RBAC profile's output claim. -->
          <OutputClaim ClaimTypeReferenceId="groups" />
        </OutputClaims>             
        <ValidationTechnicalProfiles>
            <!-- Demo: Make sure you first call the login-NonInteractive technical profile, to get the user ID.
                 Then call the role-based access control REST API to get and validate the user's groups -->
            <!-- NOTE(review): the comment above mentions login-NonInteractive, but only REST-RBAC is referenced here.
                 B2C documents validation technical profiles as being invoked from self-asserted technical profiles;
                 if that holds for this OpenIdConnect profile, REST-RBAC would never be called from here, which would
                 match the reported "REST is never hit". Running REST-RBAC as its own orchestration step in the
                 user journey is the usual alternative; confirm against the current docs. -->
          <ValidationTechnicalProfile ReferenceId="REST-RBAC" />
        </ValidationTechnicalProfiles>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
      </TechnicalProfile>
    </TechnicalProfiles>
    </ClaimsProvider>

如果您仔细看过，我有一个关联的步骤：通过自定义声明发起 REST 调用，来验证与用户关联的组

<ClaimsProvider>
      <!-- REST validation step: sends the signed-in user's objectId to an external API that
           returns the user's groups, filtered by onlyMembersOf. -->
      <displayName>REST APIs</displayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="REST-RBAC">
          <displayName>Read and validate user's groups</displayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider,Web.TPEngine,Version=1.0.0.0,Culture=neutral,PublicKeyToken=null" />
          <Metadata>
            <!--Demo: Change the service URL with your REST API location-->
            <!-- The endpoint is HTTPS; keep it that way, since Basic credentials are sent on every call. -->
            <Item Key="ServiceUrl">https://testb2cauth.azurewebsites.net/api/Identity/IsMemberOf</Item>
            
            <!--Demo: Change the AuthenticationType to basic or ClientCertificate.
            For more information, see: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-rest-api-netfw-secure-cert-->
            <Item Key="AuthenticationType">Basic</Item>
            <Item Key="SendClaimsIn">Body</Item>
            <!-- NOTE(review): AllowInsecureAuthInProduction is described in the B2C docs as the switch that permits
                 AuthenticationType "None" when the policy runs in production (confirm). With Basic auth in use it
                 should have no effect here, but leaving it true means a later change to None would silently remove
                 authentication to this endpoint; set it to false or drop the item. -->
            <Item Key="AllowInsecureAuthInProduction">true</Item>
          </Metadata>
          <CryptographicKeys>
            <!-- Basic-auth credentials are resolved from policy keys, never written inline. -->
            <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_RestApiUsername" />
            <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_RestApiPassword" />
          </CryptographicKeys>
          <InputClaims>
            <!-- objectId is produced by the Common-AAD profile (mapped from the AAD "oid" claim). -->
            <InputClaim ClaimTypeReferenceId="objectId" />
            <!--Demo: set the DefaultValue to empty string or comma delimiter list 
            of security groups to validate-->
            <!-- presumably an empty DefaultValue means "no group restriction" at the API; verify how the
                 API treats it before relying on this claim as an authorization gate -->
            <InputClaim ClaimTypeReferenceId="onlyMembersOf" DefaultValue="B2C-user-test" />
          </InputClaims>
          <OutputClaims>
            <!-- Group list returned by the API; expected to flow back into the caller's "groups" claim. -->
            <OutputClaim ClaimTypeReferenceId="groups" />
          </OutputClaims>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

但是它甚至没有调用到 REST 端点。如果有人用自定义策略实现过相同的场景，那将非常有帮助

谢谢

解决方法

暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
