Pass an access token through a custom policy to your application in Azure Active Directory B2C

A custom policy in Azure Active Directory B2C (Azure AD B2C) provides users of your application an opportunity to sign up or sign in with an identity provider. When this happens, Azure AD B2C receives an access token from the identity provider. Azure AD B2C uses that token to retrieve information about the user. You add a claim type and an output claim to your custom policy to pass the token through to the applications that you register in Azure AD B2C.

Azure AD B2C supports passing the access token of OAuth 2.0 and OpenID Connect identity providers. For all other identity providers, the claim is returned blank.

Prerequisites

  • Your custom policy is configured with an OAuth 2.0 or OpenID Connect identity provider.

Add the claim elements

  1. Open your TrustframeworkExtensions.xml file and add the following ClaimType element, with an identifier of identityProviderAccessToken, to the ClaimsSchema element:

    <BuildingBlocks>
      <ClaimsSchema>
        <ClaimType Id="identityProviderAccessToken">
          <DisplayName>Identity Provider Access Token</DisplayName>
          <DataType>string</DataType>
          <AdminHelpText>Stores the access token of the identity provider.</AdminHelpText>
        </ClaimType>
        ...
      </ClaimsSchema>
    </BuildingBlocks>
    
  2. Add the OutputClaim element to the TechnicalProfile element of each OAuth 2.0 or OpenID Connect identity provider whose access token you want to pass through.

  3. Save the TrustframeworkExtensions.xml file.

  4. Open your relying party policy file, such as SignUpOrSignIn.xml, and add the OutputClaim element to the TechnicalProfile:

    <RelyingParty>
      <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
      <TechnicalProfile Id="PolicyProfile">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token"/>
        </OutputClaims>
        ...
      </TechnicalProfile>
    </RelyingParty>
    
  5. Save the policy file.
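Step 2 describes the OutputClaim for the identity provider's technical profile but does not show it. The following fragment is an added example, not part of the original page, of what that claims provider section of TrustframeworkExtensions.xml looks like once the claim is wired in. The provider name Contoso, the technical profile Id Contoso-OAuth2, the endpoint URLs, the client_id value and the secret's StorageReferenceId are all placeholders; the {oauth2:access_token} partner claim type is the reserved name that OAuth2 and OpenID Connect technical profiles use to expose the provider's access token as a claim.

```xml
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Contoso</DisplayName>
    <TechnicalProfiles>
      <!-- Hypothetical OAuth 2.0 provider: Id, endpoints and client_id are placeholders. -->
      <TechnicalProfile Id="Contoso-OAuth2">
        <DisplayName>Contoso</DisplayName>
        <Protocol Name="OAuth2" />
        <Metadata>
          <Item Key="ProviderName">contoso</Item>
          <Item Key="authorization_endpoint">https://login.contoso.example/oauth2/authorize</Item>
          <Item Key="AccessTokenEndpoint">https://login.contoso.example/oauth2/token</Item>
          <Item Key="ClaimsEndpoint">https://api.contoso.example/userinfo</Item>
          <Item Key="client_id">REPLACE_WITH_CLIENT_ID</Item>
          <Item Key="scope">openid profile</Item>
        </Metadata>
        <CryptographicKeys>
          <!-- Placeholder policy key holding the provider's client secret. -->
          <Key Id="client_secret" StorageReferenceId="B2C_1A_ContosoSecret" />
        </CryptographicKeys>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
          <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
          <!-- Pass-through claim from step 2: copies the provider's access token into the
               identityProviderAccessToken claim type defined in step 1. -->
          <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
        </OutputClaims>
        ...
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

The claim now travels with the user journey, but it only reaches a client when a relying party policy emits it (the idp_access_token OutputClaim in step 4). Because the value is a live bearer credential for the identity provider, add that OutputClaim only to relying party policies used by applications that actually need to call the provider's API, and treat the resulting Azure AD B2C token as sensitive in logs and diagnostics.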

Test your policy

When testing your applications in Azure AD B2C, it can be useful to have the Azure AD B2C token returned to https://jwt.ms so that you can review the claims in it.

Upload the files

  1. Sign in to the Azure portal.
  2. Make sure you're using the directory that contains your Azure AD B2C tenant by clicking the Directory + subscription filter in the top menu and choosing the directory that contains your tenant.
  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  4. Select Identity Experience Framework.
  5. On the Custom Policies page, click Upload Policy.
  6. Select Overwrite the policy if it exists, and then search for and select the TrustframeworkExtensions.xml file.
  7. Select Upload.
  8. Repeat steps 5 through 7 for the relying party file, such as SignUpOrSignIn.xml.

Run the policy

  1. Open the policy that you changed, for example B2C_1A_signup_signin.

  2. For Application, select the application that you registered previously. To see the token in the example below, the Reply URL should show https://jwt.ms.

  3. Select Run now.

    You should see something similar to the following example:

    [Image: decoded token in jwt.ms with the idp_access_token block highlighted]

Next steps

Learn more about tokens in the Azure Active Directory B2C token reference.