identity-experience-framework

问题 I've followed the instructions here to set up the Azure AD multi-tenant custom policy in the Identity Experience Framework: https://docs.microsoft.com/en-gb/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom?tabs=applications However I'm unable to get a claim back containing the email address (corresponding to the "user name" from the external active directory). The main single-tenant active directory setup works fine, when I use this claim mapping (and the other "social"

问题 How do I enable email verification in B2C w/ custom policies? In an attempt to reverse engineer it, I tried disabling it in a built-in policy and downloaded the policy. I tried adding that metadata item to my self-asserted technical profile but that didn't work. Reverse Engineer Test | Built-In Policy <TechnicalProfile Id="SelfAsserted-Input"> <Metadata> <Item Key="EnforceEmailVerification">False</Item> </Metadata> </TechnicalProfile> My Self-Asserted Technical Profile <TechnicalProfile Id=

问题 I am trying to use the OAUTH-KV Claims Resolver to extract the value of a parameter named foo passed to an AAD B2C custom policy authorize endpoint as a claim, also named foo . The foo ClaimType is defined as <ClaimType Id="foo"> <DisplayName>Foo debug claim</DisplayName> <DataType>string</DataType> <UserInputType>TextBox</UserInputType> </ClaimType> and the TechnicalProfile as <TechnicalProfile Id="LocalAccount-Register"> <DisplayName>Register</DisplayName> <Protocol Name="Proprietary"

问题 I am trying to use the OAUTH-KV Claims Resolver to extract the value of a parameter named foo passed to an AAD B2C custom policy authorize endpoint as a claim, also named foo . The foo ClaimType is defined as <ClaimType Id="foo"> <DisplayName>Foo debug claim</DisplayName> <DataType>string</DataType> <UserInputType>TextBox</UserInputType> </ClaimType> and the TechnicalProfile as <TechnicalProfile Id="LocalAccount-Register"> <DisplayName>Register</DisplayName> <Protocol Name="Proprietary"

问题 I have an extension claim type say extension_isEmailVerified . I want to block user from login based on the value of this claim type. If it is true then user can login and if false then need to show an error message in the login page that your email is not verified. <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email"> <DisplayName>Local Account Signin</DisplayName> <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0

问题 I am trying to generate an access token from our policy but I am getting this error. AADB2C90086: The supplied grant_type [client_credentials] is not supported. This is a sample postman request POST /{tenant}/oauth2/token?p=B2C_1A_SignUpOrSignInWithAAD HTTP/1.1 Host: login.microsoftonline.com Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache grant_type=client_credentials&client_id={client_id}&resource=https%3A%2F%2F{app_url}&client_secret={client_secret} but it works

问题 I am trying to generate an access token from our policy but I am getting this error. AADB2C90086: The supplied grant_type [client_credentials] is not supported. This is a sample postman request POST /{tenant}/oauth2/token?p=B2C_1A_SignUpOrSignInWithAAD HTTP/1.1 Host: login.microsoftonline.com Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache grant_type=client_credentials&client_id={client_id}&resource=https%3A%2F%2F{app_url}&client_secret={client_secret} but it works

问题 We want to force users to provide and verify their email address even when they reject passing their email claim from Facebook. We created an orchestration step which calls the following technical profile after coming back from Facebook: <TechnicalProfile Id="SelfAsserted-ConfirmEmailSocial"> <DisplayName>Confirm email social</DisplayName> <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken

问题 We are using custom SignIn/SigUp Policy, configured Facebook, LinkedIn, Twitter, Google+ as Social IDP's. We have built a custom page where we ask the user for their email and then redirect them to the particular IDP page (we have logic built around this) using domain_hint , for example: domain_hint=facebook.com . I want to pass the email address entered by the user in the first step in login_hint along with domain_hint so that the user doesn't have to enter the email once again when

问题 Is it possible to create custom policy to reset password for already known email? I create user using Graph API and send invitation email to the specified email address. I want user to click on the link in that email and just set password for his account. I can create signed token with this email claim and send as assertion to my custom policy. So policy gets email as input claim. I see it in the trace. But I am not able to bypass email verification step in the password reset journey - when I