【问题标题】:how to reset MFA and get a new QR when using azure b2c, MFA with REST API使用 azure b2c、MFA 和 REST API 时如何重置 MFA 并获取新的 QR
【发布时间】:2020-11-18 06:30:43
【问题描述】:

我已经关注 https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp 在 azure B2C 中构建 MFA,它运行良好。只是一个问题,用户扫描二维码注册手机后,如果想使用另一部手机或重置MFA,如何重新获取二维码?

【问题讨论】:

    标签: azure azure-ad-b2c


    【解决方案1】:

    任何类型的帐户管理都应存在于“个人资料编辑”政策中。此示例不包括它。您需要从 TrustFrameworkExtensions.xml 中提取组件,例如 AppFactor-RegisterAppFactor-Challenge 等技术配置文件,并添加到您的新用户旅程中ProfileEdit - 可能创造了一种全新的体验。当然,需要将写入技术配置文件添加回目录中以“更新”存储的任何信息。

    实现您的场景的大部分组件都已包含在此示例中 - 只需创建一个名为“ProfileEditwithQR”或其他内容的新用户旅程,然后将启动包 profileEdit 用户旅程复制到您的扩展文件(如果您尚未完成this) - 然后将此示例中的步骤添加到其中。

    这需要您至少具备 300 级的自定义政策知识才能将其组合在一起。

    【讨论】:

      【解决方案2】:

      我创建了一个允许重新创建二维码的策略。

      先决条件:您已经能够在您的租户中运行this sample

      将此添加到TrustFrameworkExtension.xml

      <UserJourney Id="EditQR" DefaultCpimIssuerTechnicalProfileReferenceId="JwtIssuer">
        <OrchestrationSteps>
      
          <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
            <ClaimsProviderSelections>
              <ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninEmailExchange" />
            </ClaimsProviderSelections>
          </OrchestrationStep>
          <OrchestrationStep Order="2" Type="ClaimsExchange">
            <ClaimsExchanges>
              <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
            </ClaimsExchanges>
          </OrchestrationStep>
      
          <OrchestrationStep Order="3" Type="ClaimsExchange">
            <ClaimsExchanges>
              <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
            </ClaimsExchanges>
          </OrchestrationStep>
      
          <!-- Demo: The following orchestration step is alwasy executed. 
          It generates a verification app secret key for the user (none interactive step). -->
          <OrchestrationStep Order="4" Type="ClaimsExchange">
            <ClaimsExchanges>
              <ClaimsExchange Id="AppFactorGenerateTotpWebHook" TechnicalProfileReferenceId="AppFactor-GenerateTotpWebHook" />
            </ClaimsExchanges>
          </OrchestrationStep>
      
          <!-- Demo: The following orchestration step is alwasy executed. 
          It registers a verification app through QR code that mobile authentication app should scan. -->
          <OrchestrationStep Order="5" Type="ClaimsExchange">
            <ClaimsExchanges>
              <ClaimsExchange Id="AppFactorRegisterExchange" TechnicalProfileReferenceId="AppFactor-Register" />
            </ClaimsExchanges>
          </OrchestrationStep>
      
          <!-- Demo: The following orchestration step is always executed.
          It updates the verification app time step matched for a given user in the Azure Active Directory.
          An error is raised if the user does not exist. -->
          <OrchestrationStep Order="6" Type="ClaimsExchange">
            <ClaimsExchanges>
              <ClaimsExchange Id="AADWriteUserAppCodeByObjectId" TechnicalProfileReferenceId="AAD-WriteUserAppCodeByObjectId" />
            </ClaimsExchanges>
          </OrchestrationStep>
          
          <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      
        </OrchestrationSteps>
        <ClientDefinition ReferenceId="DefaultWeb" />
      </UserJourney>
      

      这是新的用户流,我称之为EditQR.xml

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <TrustFrameworkPolicy
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
        PolicySchemaVersion="0.3.0.0"
        TenantId="yourtenant.onmicrosoft.com"
        PolicyId="B2C_1A_editQr"
        PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_editQr">
      
        <BasePolicy>
          <TenantId>yourtenant.onmicrosoft.com</TenantId>
          <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
        </BasePolicy>
      
        <RelyingParty>
          <DefaultUserJourney ReferenceId="EditQR" />
      
          <UserJourneyBehaviors>
            <ScriptExecution>Allow</ScriptExecution>
          </UserJourneyBehaviors>
          
          <TechnicalProfile Id="PolicyProfile">
            <DisplayName>PolicyProfile</DisplayName>
            <Protocol Name="OpenIdConnect" />
            <OutputClaims>
              <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
              <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
            </OutputClaims>
            <SubjectNamingInfo ClaimType="sub" />
          </TechnicalProfile>
        </RelyingParty>
      </TrustFrameworkPolicy>
      

      使用http://jwt.ms进行测试,系统会提示您登录,然后重定向到二维码页面。

      干杯!

      【讨论】:

        猜你喜欢
        • 2019-06-23
        • 2020-05-25
        • 1970-01-01
        • 1970-01-01
        • 2021-05-17
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        • 2021-08-31
        相关资源
        最近更新 更多