Define a technical profile for a JWT token issuer in an Azure Active Directory B2C custom policy

Note

In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows.

Azure Active Directory B2C (Azure AD B2C) emits several types of security tokens as it processes each authentication flow. A technical profile for a JWT token issuer emits the JWT token that is returned to the relying party application. Usually this technical profile is the last orchestration step in the user journey.

Protocol

The Name attribute of the Protocol element needs to be set to OpenIdConnect. Set the OutputTokenFormat element to JWT.

The following example shows a technical profile for JwtIssuer:

<TechnicalProfile Id="JwtIssuer">
  <DisplayName>JWT Issuer</DisplayName>
  <Protocol Name="None" />
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="client_id">{service:te}</Item>
    <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
    <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
    <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
  </CryptographicKeys>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />
</TechnicalProfile>

Input, output, and persist claims

The InputClaims, OutputClaims, and PersistClaims elements are empty or absent. The InputClaimsTransformations and OutputClaimsTransformations elements are also absent.

Metadata

Attribute | Required | Description
issuer_refresh_token_user_identity_claim_type | Yes | The claim that should be used as the user identity claim within the OAuth2 authorization codes and refresh tokens. By default, you should set it to objectId, unless you specify a different SubjectNamingInfo claim type.
SendTokenResponseBodyWithJsonNumbers | No | Always set to true. For the legacy format where numeric values are given as strings instead of JSON numbers, set to false. This attribute is needed for clients that have taken a dependency on an earlier implementation that returned such properties as strings.
token_lifetime_secs | No | Access token lifetime. The lifetime of the OAuth 2.0 bearer token used to gain access to a protected resource. The default is 3,600 seconds (1 hour). The minimum (inclusive) is 300 seconds (5 minutes). The maximum (inclusive) is 86,400 seconds (24 hours).
id_token_lifetime_secs | No | ID token lifetime. The default is 3,600 seconds (1 hour). The minimum (inclusive) is 300 seconds (5 minutes). The maximum (inclusive) is 86,400 seconds (24 hours).
refresh_token_lifetime_secs | No | Refresh token lifetime. The maximum time period before which a refresh token can be used to acquire a new access token, if your application has been granted the offline_access scope. The default is 1,209,600 seconds (14 days). The minimum (inclusive) is 86,400 seconds (24 hours). The maximum (inclusive) is 7,776,000 seconds (90 days).
rolling_refresh_token_lifetime_secs | No | Refresh token sliding window lifetime. After this time period elapses, the user is forced to reauthenticate, irrespective of the validity period of the most recent refresh token acquired by the application. If you don't want to enforce a sliding window lifetime, set the value of allow_infinite_rolling_refresh_token to true. The default is 7,776,000 seconds (90 days). The minimum (inclusive) is 86,400 seconds (24 hours). The maximum (inclusive) is 31,536,000 seconds (365 days).
allow_infinite_rolling_refresh_token | No | If set to true, the refresh token sliding window lifetime never expires.
IssuanceClaimPattern | No | Controls the Issuer (iss) claim. One of the following values:
  • AuthorityAndTenantGuid - The iss claim includes your domain name, such as login.microsoftonline or tenant-name.b2clogin.cn, and your tenant identifier, for example https://login.partner.microsoftonline.cn/00000000-0000-0000-0000-000000000000/v2.0/
  • AuthorityWithTfp - The iss claim includes your domain name, such as login.microsoftonline or tenant-name.b2clogin.cn, your tenant identifier, and your relying party policy name, for example https://login.partner.microsoftonline.cn/tfp/00000000-0000-0000-0000-000000000000/b2c_1a_tp_sign-up-or-sign-in/v2.0/
  Default value: AuthorityAndTenantGuid
AuthenticationContextReferenceClaimPattern | No | Controls the acr claim value.
  • None - Azure AD B2C doesn't issue the acr claim
  • PolicyId - the acr claim contains the policy name
  The options for setting this value are TFP (trust framework policy) and ACR (authentication context reference). Setting it to TFP is recommended. To do so, make sure an <Item> with Key="AuthenticationContextReferenceClaimPattern" exists and its value is None. In your relying party policy, add an <OutputClaims> element containing <OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />. Also make sure your policy contains the claim type <ClaimType Id="trustFrameworkPolicy"> <DisplayName>trustFrameworkPolicy</DisplayName> <DataType>string</DataType> </ClaimType>.
RefreshTokenUserJourneyId | No | The identifier of a user journey that should be executed during a refresh-token POST request to the /token endpoint (the request that refreshes an access token).
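The three refresh-token settings in the table interact: each refresh token has its own lifetime, but the sliding window caps how long a chain of refreshes can continue without an interactive sign-in, unless allow_infinite_rolling_refresh_token disables the cap. The following is an added example (my own model, not Azure AD B2C code) that replays a sequence of refresh attempts under those rules using the table's default values. It assumes, as the page does not state explicitly, that the sliding window is measured from the interactive sign-in and that every successful refresh returns a new refresh token whose lifetime clock starts fresh.

```python
"""Model of the refresh-token rules in the JwtIssuer Metadata table.

Added example, not Azure AD B2C code. Assumptions (not stated on the page):
the sliding window is measured from the interactive sign-in, and every
successful refresh returns a new refresh token that restarts the
refresh_token_lifetime_secs clock. All times are integer seconds.
"""
from dataclasses import dataclass

DAY = 86_400


@dataclass
class RefreshPolicy:
    # Defaults are the documented defaults of the JwtIssuer metadata items.
    refresh_token_lifetime_secs: int = 1_209_600          # 14 days
    rolling_refresh_token_lifetime_secs: int = 7_776_000  # 90 days
    allow_infinite_rolling_refresh_token: bool = False


def can_refresh(policy, auth_time, token_issued_at, now):
    """Decide whether a refresh token presented at 'now' can be redeemed.

    auth_time       - when the user last authenticated interactively
    token_issued_at - when the presented refresh token was issued
    Returns (allowed, reason).
    """
    if now - token_issued_at > policy.refresh_token_lifetime_secs:
        return False, "refresh token lifetime exceeded"
    if (not policy.allow_infinite_rolling_refresh_token
            and now - auth_time > policy.rolling_refresh_token_lifetime_secs):
        return False, "sliding window elapsed; interactive reauthentication required"
    return True, "ok"


def simulate(policy, auth_time, refresh_times):
    """Replay a sequence of refresh attempts after one interactive sign-in.

    Returns a list of (time, allowed, reason). A successful refresh moves the
    refresh token's issue time forward; the sign-in time never moves.
    """
    issued_at = auth_time  # the first refresh token is issued at sign-in
    results = []
    for t in sorted(refresh_times):
        allowed, reason = can_refresh(policy, auth_time, issued_at, t)
        results.append((t, allowed, reason))
        if allowed:
            issued_at = t
    return results


if __name__ == "__main__":
    # Constructed scenario: sign-in at t=0, then a refresh every 10 days for 100 days.
    for t, ok, why in simulate(RefreshPolicy(), 0, [d * DAY for d in range(10, 101, 10)]):
        print(f"day {t // DAY:3d}: {'allowed' if ok else 'denied':7} {why}")
```

With the defaults, refreshing every 10 days keeps each token inside its 14-day lifetime, so the chain runs until day 90; the attempt on day 100 is refused by the sliding window even though the token presented is only 10 days old. A 17-day gap between refreshes fails earlier, on the token lifetime alone.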

Cryptographic keys

The CryptographicKeys element contains the following attributes:

Attribute | Required | Description
issuer_secret | Yes | The X509 certificate (RSA key set) to use to sign the JWT token.
issuer_refresh_token_key | Yes | The X509 certificate (RSA key set) to use to encrypt the refresh token.
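Because a misconfigured issuer profile fails only at runtime, it is worth checking a JwtIssuer technical profile against the Metadata and CryptographicKeys tables before uploading the policy. The following added example (my own code, not Microsoft's) parses the profile, verifies that OutputTokenFormat is JWT, that the required metadata item and both signing and encryption keys are present, and that any lifetime items lie within the documented inclusive bounds. It also builds the iss value a relying party should pin for a given IssuanceClaimPattern, using the host name from the page's examples. Namespace stripping is a convenience so the same code works on the bare snippet above and on a full policy file; the broken profile is constructed for illustration.

```python
"""Lint a JwtIssuer technical profile against the rules on this page.

Added example (my own code, not Microsoft's): checks the metadata and key
requirements from the two tables and derives the expected iss claim.
"""
import xml.etree.ElementTree as ET

# Inclusive (min, max) bounds in seconds, from the Metadata table.
LIFETIME_BOUNDS = {
    "token_lifetime_secs": (300, 86_400),
    "id_token_lifetime_secs": (300, 86_400),
    "refresh_token_lifetime_secs": (86_400, 7_776_000),
    "rolling_refresh_token_lifetime_secs": (86_400, 31_536_000),
}
REQUIRED_METADATA = {"issuer_refresh_token_user_identity_claim_type"}
REQUIRED_KEYS = {"issuer_secret", "issuer_refresh_token_key"}


def _local(tag):
    """Drop an XML namespace prefix: '{ns}Item' -> 'Item'."""
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def lint_jwt_issuer(xml_text):
    """Return a list of problems; an empty list means the profile passes."""
    root = ET.fromstring(xml_text.strip())
    problems = []
    fmt = _elements(root, "OutputTokenFormat")
    if not fmt or (fmt[0].text or "").strip() != "JWT":
        problems.append("OutputTokenFormat must be JWT")
    metadata = {e.get("Key"): (e.text or "").strip() for e in _elements(root, "Item")}
    for key in sorted(REQUIRED_METADATA - metadata.keys()):
        problems.append(f"missing required metadata item {key}")
    for key, (lo, hi) in LIFETIME_BOUNDS.items():
        if key not in metadata:
            continue  # absent means the documented default applies
        try:
            value = int(metadata[key])
        except ValueError:
            problems.append(f"{key} is not an integer: {metadata[key]!r}")
            continue
        if not lo <= value <= hi:
            problems.append(f"{key}={value} outside [{lo}, {hi}]")
    pattern = metadata.get("IssuanceClaimPattern", "AuthorityAndTenantGuid")
    if pattern not in ("AuthorityAndTenantGuid", "AuthorityWithTfp"):
        problems.append(f"unknown IssuanceClaimPattern {pattern!r}")
    key_ids = {e.get("Id") for e in _elements(root, "Key")}
    for key in sorted(REQUIRED_KEYS - key_ids):
        problems.append(f"missing cryptographic key {key}")
    return problems


def expected_issuer(pattern, tenant_id, policy_name=None,
                    host="login.partner.microsoftonline.cn"):
    """Build the iss value a relying party should pin for the given pattern."""
    if pattern == "AuthorityAndTenantGuid":
        return f"https://{host}/{tenant_id}/v2.0/"
    if pattern == "AuthorityWithTfp":
        if not policy_name:
            raise ValueError("AuthorityWithTfp needs the relying party policy name")
        return f"https://{host}/tfp/{tenant_id}/{policy_name}/v2.0/"
    raise ValueError(f"unknown IssuanceClaimPattern {pattern!r}")


# The profile from this page, verbatim.
PAGE_PROFILE = """
<TechnicalProfile Id="JwtIssuer">
  <DisplayName>JWT Issuer</DisplayName>
  <Protocol Name="None" />
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="client_id">{service:te}</Item>
    <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
    <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
    <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
  </CryptographicKeys>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />
</TechnicalProfile>
"""

# Constructed variant: access token lifetime below the 300 s minimum and no
# refresh-token encryption key.
BROKEN_PROFILE = """
<TechnicalProfile Id="JwtIssuer">
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
    <Item Key="token_lifetime_secs">120</Item>
    <Item Key="IssuanceClaimPattern">AuthorityWithTfp</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
</TechnicalProfile>
"""
```

Run lint_jwt_issuer(PAGE_PROFILE) to confirm the page's profile passes and lint_jwt_issuer(BROKEN_PROFILE) to see the two findings. On the relying party side, compare the token's iss against expected_issuer(...) for the pattern your policy sets rather than accepting any issuer under the tenant, since the AuthorityWithTfp form also binds the token to the policy that issued it.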

Session management

To configure the Azure AD B2C session between Azure AD B2C and a relying party application, set the ReferenceId attribute of the UseTechnicalProfileForSessionManagement element to a session management technical profile that uses the OAuthSSOSessionProvider SSO session provider.