Manage SSO and token customization using custom policies in Azure Active Directory B2C

This article describes how to manage your token, session, and single sign-on (SSO) configuration using custom policies in Azure Active Directory B2C (Azure AD B2C).

JWT token lifetimes and claims configuration

To change the settings for your token lifetimes, add a ClaimsProviders element to the relying party file of the policy you want to affect. The ClaimsProviders element is a child of the TrustFrameworkPolicy element.

Insert the ClaimsProviders element between the BasePolicy element and the RelyingParty element of the relying party file.

Inside it, put the metadata items that control your token lifetimes. The XML looks like this example:

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Token Issuer</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="JwtIssuer">
        <Metadata>
          <Item Key="token_lifetime_secs">3600</Item>
          <Item Key="id_token_lifetime_secs">3600</Item>
          <Item Key="refresh_token_lifetime_secs">1209600</Item>
          <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
          <Item Key="IssuanceClaimPattern">AuthorityAndTenantGuid</Item>
          <Item Key="AuthenticationContextReferenceClaimPattern">None</Item>
        </Metadata>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

The previous example sets the following values:

  • Access token lifetime - The access token lifetime is set with the token_lifetime_secs metadata item. The default value is 3600 seconds (60 minutes).

  • ID token lifetime - The ID token lifetime is set with the id_token_lifetime_secs metadata item. The default value is 3600 seconds (60 minutes).

  • Refresh token lifetime - The refresh token lifetime is set with the refresh_token_lifetime_secs metadata item. The default value is 1209600 seconds (14 days).

  • Refresh token sliding window lifetime - To enforce a sliding window lifetime on refresh tokens, set the value of the rolling_refresh_token_lifetime_secs metadata item. The default value is 7776000 seconds (90 days). If you don't want to enforce a sliding window lifetime, replace the item with <Item Key="allow_infinite_rolling_refresh_token">True</Item>.

  • Issuer (iss) claim - The issuer (iss) claim is set with the IssuanceClaimPattern metadata item. The applicable values are AuthorityAndTenantGuid and AuthorityWithTfp.

  • Claim representing the policy ID - The options for this claim are TFP (trust framework policy) and ACR (authentication context reference). TFP is the recommended value. For TFP, set AuthenticationContextReferenceClaimPattern to the value None.

    Then, in the ClaimsSchema element, add this element:

    <ClaimType Id="trustFrameworkPolicy">
      <DisplayName>Trust framework policy name</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
    

    In your OutputClaims element, add this element:

    <OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />
    

    For ACR, remove the AuthenticationContextReferenceClaimPattern item instead.

  • Subject (sub) claim - This option defaults to ObjectID. If you want to switch this setting to Not Supported, replace this line:

    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    

    with this line:

    <OutputClaim ClaimTypeReferenceId="sub" />
    
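The lifetimes above are easy to loosen by accident in a relying party file and nothing in the portal flags them, so it is worth checking policy files before upload. The following Python script is an added example (not part of the Azure AD B2C docs or product): it reads the JwtIssuer technical profile's metadata, falls back to the documented defaults for items that are absent, and reports any lifetime above the limits you pass in or an unbounded rolling refresh token. The WEAK_POLICY fragment is constructed for illustration; the TrustFrameworkPolicy xmlns is the one B2C policy files declare, and the matching also works on a fragment without a namespace.

```python
import xml.etree.ElementTree as ET

# Documented defaults (seconds) for the JwtIssuer technical profile metadata.
DEFAULTS = {
    "token_lifetime_secs": 3600,
    "id_token_lifetime_secs": 3600,
    "refresh_token_lifetime_secs": 1209600,
    "rolling_refresh_token_lifetime_secs": 7776000,
}

# Constructed relying-party fragment (not a real tenant's policy) with two weak
# choices: a 24-hour access token and no sliding-window expiry on refresh tokens.
WEAK_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders><ClaimsProvider><DisplayName>Token Issuer</DisplayName>
    <TechnicalProfiles><TechnicalProfile Id="JwtIssuer"><Metadata>
      <Item Key="token_lifetime_secs">86400</Item>
      <Item Key="allow_infinite_rolling_refresh_token">True</Item>
    </Metadata></TechnicalProfile></TechnicalProfiles>
  </ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

def _local(tag):
    """Strip the {namespace} prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def jwt_issuer_metadata(policy_xml):
    """Collect {Key: text} for every Item under TechnicalProfile Id="JwtIssuer"."""
    items = {}
    for tp in ET.fromstring(policy_xml).iter():
        if _local(tp.tag) == "TechnicalProfile" and tp.get("Id") == "JwtIssuer":
            for el in tp.iter():
                if _local(el.tag) == "Item" and el.get("Key"):
                    items[el.get("Key")] = (el.text or "").strip()
    return items

def audit_jwt_issuer(policy_xml, limits=DEFAULTS):
    """Return findings for unbounded refresh or lifetimes above the given limits (seconds)."""
    meta = jwt_issuer_metadata(policy_xml)
    findings = []
    if meta.get("allow_infinite_rolling_refresh_token", "").lower() == "true":
        findings.append("allow_infinite_rolling_refresh_token=True: no sliding-window expiry")
    for key, default in DEFAULTS.items():
        value = int(meta.get(key, default))  # an absent item means the documented default
        if value > limits[key]:
            findings.append(f"{key}={value} exceeds limit {limits[key]}")
    return findings

if __name__ == "__main__":
    for finding in audit_jwt_issuer(WEAK_POLICY):
        print("finding:", finding)
```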

Next steps