Manage SSO and token customization using custom policies in Azure Active Directory B2C

This article describes how to manage token, session, and single sign-on (SSO) configuration with custom policies in Azure Active Directory B2C (Azure AD B2C).

JWT token lifetimes and claims configuration

To change the token lifetime settings, add a ClaimsProviders element to the relying party file of the policy you want to affect. The ClaimsProviders element is a child of the TrustFrameworkPolicy element.

Insert the ClaimsProviders element between the BasePolicy element and the RelyingParty element of the relying party file.

Inside it, place the metadata items that control the token lifetimes. The XML looks like this example:

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Token Issuer</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="JwtIssuer">
        <Metadata>
          <Item Key="token_lifetime_secs">3600</Item>
          <Item Key="id_token_lifetime_secs">3600</Item>
          <Item Key="refresh_token_lifetime_secs">1209600</Item>
          <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
          <Item Key="IssuanceClaimPattern">AuthorityAndTenantGuid</Item>
          <Item Key="AuthenticationContextReferenceClaimPattern">None</Item>
        </Metadata>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

The previous example sets the following values:

  • Access token lifetime - The access token lifetime is set with the token_lifetime_secs metadata item. The default value is 3600 seconds (60 minutes).

  • ID token lifetime - The ID token lifetime is set with the id_token_lifetime_secs metadata item. The default value is 3600 seconds (60 minutes).

  • Refresh token lifetime - The refresh token lifetime is set with the refresh_token_lifetime_secs metadata item. The default value is 1209600 seconds (14 days).

  • Refresh token sliding window lifetime - To enforce a sliding window lifetime on the refresh token, set the value of the rolling_refresh_token_lifetime_secs metadata item. The default value is 7776000 seconds (90 days). If you don't want to enforce a sliding window lifetime, replace the item with <Item Key="allow_infinite_rolling_refresh_token">True</Item>.

  • Issuer (iss) claim - The issuer (iss) claim is set with the IssuanceClaimPattern metadata item. The applicable values are AuthorityAndTenantGuid and AuthorityWithTfp.

  • Setting the claim that represents the policy ID - The options for this value are TFP (trust framework policy) and ACR (authentication context reference). TFP is the recommended value. Set AuthenticationContextReferenceClaimPattern to the value None.

    In the ClaimsSchema element, add this element:

    <ClaimType Id="trustFrameworkPolicy">
      <DisplayName>Trust framework policy name</DisplayName>
      <DataType>string</DataType>
    </ClaimType>

    In your OutputClaims element, add this element:

    <OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />

    For ACR, remove the AuthenticationContextReferenceClaimPattern item.

  • Subject (sub) claim - This option defaults to ObjectID. If you want to switch this setting to Not Supported, replace this line:

    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />

    with this line:

    <OutputClaim ClaimTypeReferenceId="sub" />

Note

Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours. Learn more about the security implications of refresh tokens in the browser.

Provide optional claims to your app

The output claims of the relying party policy technical profile are the values returned to an application. Adding an output claim issues that claim into the token after a successful user journey, and the token is then sent to the application. Modify the technical profile element within the relying party section to add the desired claims as output claims.

  1. Open your custom policy file. For example, SignUpOrSignin.xml.
  2. Find the OutputClaims element. Add the OutputClaim you want to include in the token.
  3. Set the output claim attributes.

The following example adds the accountBalance claim. The accountBalance claim is sent to the application under the name balance.

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
      <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
      <!--Add the optional claims here-->
      <OutputClaim ClaimTypeReferenceId="accountBalance" DefaultValue="" PartnerClaimType="balance" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>

The OutputClaim element contains the following attributes:

  • ClaimTypeReferenceId - The identifier of a claim type already defined in the ClaimsSchema section of the policy file or a parent policy file.
  • PartnerClaimType - Lets you change the name of the claim in the token.
  • DefaultValue - A default value. You can also set the default value to a claim resolver, such as the tenant ID.
  • AlwaysUseDefaultValue - Forces the use of the default value.
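As an added example (not Microsoft's code or any Azure AD B2C tooling), the following Python script audits a relying party policy file for both things described on this page: the JwtIssuer lifetime metadata and the RelyingParty output claims. It checks that ClaimsProviders sits between BasePolicy and RelyingParty, reports lifetimes that exceed the documented defaults or an unbounded rolling refresh token, and lists each output claim under the name it will carry in the token. The embedded policy is constructed for illustration; the tenant name, policy IDs and the accountBalance claim are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample relying party file: ClaimsProviders between BasePolicy and RelyingParty,
# a refresh token lifetime raised above the default, and no sliding window enforced.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com" PolicyId="B2C_1A_signup_signin">
  <BasePolicy><TenantId>contoso.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId></BasePolicy>
  <ClaimsProviders><ClaimsProvider><DisplayName>Token Issuer</DisplayName><TechnicalProfiles>
    <TechnicalProfile Id="JwtIssuer"><Metadata>
      <Item Key="token_lifetime_secs">3600</Item>
      <Item Key="id_token_lifetime_secs">3600</Item>
      <Item Key="refresh_token_lifetime_secs">2592000</Item>
      <Item Key="allow_infinite_rolling_refresh_token">True</Item>
      <Item Key="IssuanceClaimPattern">AuthorityWithTfp</Item>
    </Metadata></TechnicalProfile></TechnicalProfiles></ClaimsProvider></ClaimsProviders>
  <RelyingParty><DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <TechnicalProfile Id="PolicyProfile"><Protocol Name="OpenIdConnect" /><OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="accountBalance" DefaultValue="" PartnerClaimType="balance" />
    </OutputClaims><SubjectNamingInfo ClaimType="sub" /></TechnicalProfile></RelyingParty>
</TrustFrameworkPolicy>"""

# Defaults documented for the JwtIssuer technical profile (seconds).
DEFAULTS = {"token_lifetime_secs": 3600, "id_token_lifetime_secs": 3600,
            "refresh_token_lifetime_secs": 1209600, "rolling_refresh_token_lifetime_secs": 7776000}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the TrustFrameworkPolicy namespace from a tag

def audit_policy(xml_text):
    root = ET.fromstring(xml_text)
    findings, order = [], [_local(c.tag) for c in root]
    if not ("BasePolicy" in order and "ClaimsProviders" in order and "RelyingParty" in order
            and order.index("BasePolicy") < order.index("ClaimsProviders") < order.index("RelyingParty")):
        findings.append("ClaimsProviders is not between BasePolicy and RelyingParty")
    # Collect every Metadata Item under the JwtIssuer technical profile.
    meta = {item.get("Key"): item.text for tp in root.iter() if _local(tp.tag) == "TechnicalProfile"
            and tp.get("Id") == "JwtIssuer" for item in tp.iter() if _local(item.tag) == "Item"}
    lifetimes = {k: int(meta.get(k, v)) for k, v in DEFAULTS.items()}
    findings += [f"{k}={v} exceeds default {DEFAULTS[k]}" for k, v in lifetimes.items() if v > DEFAULTS[k]]
    if (meta.get("allow_infinite_rolling_refresh_token") or "").lower() == "true":
        findings.append("rolling refresh token lifetime is unbounded")
    if meta.get("IssuanceClaimPattern") not in (None, "AuthorityAndTenantGuid", "AuthorityWithTfp"):
        findings.append("IssuanceClaimPattern has an unknown value")
    # Map token claim name (PartnerClaimType, else ClaimTypeReferenceId) to its source claim type.
    rp = next(c for c in root if _local(c.tag) == "RelyingParty")
    claims = {oc.get("PartnerClaimType") or oc.get("ClaimTypeReferenceId"): oc.get("ClaimTypeReferenceId")
              for oc in rp.iter() if _local(oc.tag) == "OutputClaim"}
    return {"lifetimes": lifetimes, "claims": claims, "findings": findings}
```

Run audit_policy on your own relying party XML to review which claims a token exposes and whether any lifetime has drifted above the defaults before uploading the policy.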

Next steps