User flows in Azure Active Directory B2C

To help you set up the most common identity tasks for your applications, the Azure AD B2C portal includes predefined, configurable policies called user flows. A user flow determines how users interact with your application when they sign in, sign up, edit a profile, or reset a password. With user flows, you can control the following:

  • Account types used for sign-in, such as social accounts
  • Attributes to be collected from the consumer, such as first name, postal code, and shoe size
  • Azure Multi-Factor Authentication
  • Customization of the user interface
  • Information that the application receives as claims in a token

You can create many user flows of different types in your tenant and use them in your applications as needed. User flows can be reused across applications. This flexibility lets you define and modify identity experiences with minimal or no changes to your code. Your application triggers a user flow by sending a standard HTTP authentication request that includes a user flow parameter; the response is a token whose claims are determined by that user flow.

The following examples show the "p" query string parameter that specifies the user flow to be used, first for a sign-up user flow and then for a sign-in user flow:

https://contosob2c.b2clogin.cn/contosob2c.partner.onmschina.cn/oauth2/v2.0/authorize?
client_id=2d4d11a2-f814-46a7-890a-274a72a7309e      // Your registered Application ID
&redirect_uri=https%3A%2F%2Flocalhost%3A44321%2F    // Your registered Reply URL, url encoded
&response_mode=form_post                            // 'query', 'form_post' or 'fragment'
&response_type=id_token
&scope=openid
&nonce=dummy                                        // Use a random value per request in production
&state=12345                                        // Any value provided by your application
&p=b2c_1_siup                                       // Your sign-up user flow

https://contosob2c.b2clogin.cn/contosob2c.partner.onmschina.cn/oauth2/v2.0/authorize?
client_id=2d4d11a2-f814-46a7-890a-274a72a7309e      // Your registered Application ID
&redirect_uri=https%3A%2F%2Flocalhost%3A44321%2F    // Your registered Reply URL, url encoded
&response_mode=form_post                            // 'query', 'form_post' or 'fragment'
&response_type=id_token
&scope=openid
&nonce=dummy                                        // Use a random value per request in production
&state=12345                                        // Any value provided by your application
&p=b2c_1_siin                                       // Your sign-in user flow

User flow versions

Azure AD B2C includes several types of user flows:

  • Sign up and sign in - Handles both the sign-up and sign-in experiences with a single configuration. Users are led down the right path depending on the context. Separate sign-up and sign-in user flows are also available, but the combined sign up and sign in user flow is generally recommended.
  • Profile editing - Enables users to edit their profile information.
  • Password reset - Enables you to configure whether and how users can reset their password.

Most user flow types have both a Recommended version and a Standard version. For details, see user flow versions.

Important

If you've worked with user flows in Azure AD B2C before, you'll notice that the way user flow versions are referenced has changed. Previously, there were V1 (production-ready) versions, and V1.1 and V2 (preview) versions. User flows have now been consolidated into two versions:

  • Recommended user flows are the new preview versions of user flows. They're thoroughly tested and combine all the features of the legacy V2 and V1.1 versions. Going forward, the recommended user flows will be maintained and updated. Once you move to them, you'll have access to new features as they're released.
  • Standard user flows, previously known as V1, are generally available, production-ready user flows. If your user flows are mission-critical and depend on highly stable versions, you can continue to use standard user flows, with the understanding that these versions won't be maintained or updated.

All legacy preview user flows (V1.1 and V2) are on a path to deprecation by August 1, 2021. Wherever possible, switch to the new Recommended user flows as soon as possible so you can always take advantage of the latest features and updates.

Linking user flows

A sign-up or sign-in user flow with local accounts includes a "Forgot password?" link on the first page of the experience. Clicking this link doesn't automatically trigger a password reset user flow.

Instead, the error code AADB2C90118 is returned to your application. Your application needs to handle this error code by starting a separate user flow that resets the password. For an example, see the simple ASP.NET sample that demonstrates linking user flows.
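The following is an added example, not code from the Azure AD B2C documentation or the ASP.NET sample it refers to. It builds the authorize request for the sign-in user flow shown above with a per-session random state and nonce, and handles the callback: if B2C reports AADB2C90118, the application sends the browser to a password reset user flow instead. The tenant, client ID and redirect URI are taken from the page's example; the password reset user flow name b2c_1_pwdreset, the callback parameters and the wording of the error description are constructed for this example and are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Values from the page's authorize examples (China cloud endpoints).
AUTHORITY = ("https://contosob2c.b2clogin.cn/"
             "contosob2c.partner.onmschina.cn/oauth2/v2.0/authorize")
CLIENT_ID = "2d4d11a2-f814-46a7-890a-274a72a7309e"  # registered application ID
REDIRECT_URI = "https://localhost:44321/"            # registered reply URL
SIGN_IN_FLOW = "b2c_1_siin"                          # sign-in user flow from the page
PASSWORD_RESET_FLOW = "b2c_1_pwdreset"               # ASSUMED name of a password reset user flow

# Error code B2C returns when the user clicks "Forgot password?" (from the page).
FORGOT_PASSWORD_CODE = "AADB2C90118"


def build_authorize_url(user_flow, state, nonce):
    """Build the OpenID Connect authorize request that starts the given user flow.
    urlencode() takes care of percent-encoding redirect_uri and the random values."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_mode": "form_post",
        "response_type": "id_token",
        "scope": "openid",
        "nonce": nonce,
        "state": state,
        "p": user_flow,
    }
    return AUTHORITY + "?" + urlencode(params)


def new_session():
    """Fresh per-request values. state ties the callback to this browser session
    (CSRF protection); nonce must later match the id_token's "nonce" claim."""
    return {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}


def query_params(url):
    """Parse the query string of an authorize URL into a {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_callback(form, session):
    """Handle the form_post parameters B2C posted back to the reply URL.

    Returns one of:
      ("error", "state mismatch")  the callback does not belong to this session
      ("redirect", url)            send the browser to the password reset user flow
      ("error", description)       any other error reported by B2C
      ("token", id_token)          an id_token was received; the caller must still
                                   validate its signature, issuer, audience and nonce
    """
    # Check state before looking at anything else, so an attacker cannot
    # steer an unrelated session into a different user flow.
    if form.get("state") != session["state"]:
        return ("error", "state mismatch")

    if "error" in form:
        description = form.get("error_description", "")
        # B2C puts the error code at the start of error_description (assumed format).
        if description.startswith(FORGOT_PASSWORD_CODE):
            # Start the password reset user flow with new state/nonce, and remember
            # them so the second callback can be bound to this session as well.
            fresh = new_session()
            session.update(fresh)
            url = build_authorize_url(PASSWORD_RESET_FLOW, fresh["state"], fresh["nonce"])
            return ("redirect", url)
        return ("error", description)

    return ("token", form.get("id_token"))


if __name__ == "__main__":
    session = new_session()
    print(build_authorize_url(SIGN_IN_FLOW, session["state"], session["nonce"]))
    # Constructed callback representing the "Forgot password?" click.
    callback = {"state": session["state"], "error": "access_denied",
                "error_description": "AADB2C90118: The user has forgotten their password."}
    print(handle_callback(callback, session))
```

The state check runs before the error code is inspected on purpose: the redirect to the password reset user flow is itself a navigation the application initiates on the user's behalf, so it should only happen for a callback that belongs to the current session. After the password reset user flow completes, the application receives a token for that flow and should validate it the same way as one from the sign-in user flow.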

Email address storage

An email address can be required as part of a user flow. Where it is stored depends on how the user authenticated: if the user authenticates with a social identity provider, the email address is stored in the otherMails property. If a local account is based on a user name, the email address is stored in a strong authentication detail property. If a local account is based on an email address, the email address is stored in the signInNames property.

The email address isn't guaranteed to be verified in any of these cases. A tenant administrator can disable email verification in the basic policies for local accounts. Even if email address verification is enabled, addresses aren't verified if they come from a social identity provider and haven't been changed. An application should therefore not treat an email address from these properties as proof that the user controls that mailbox, and should not use it to link accounts without its own verification step.

Only the otherMails and signInNames properties are exposed through the Microsoft Graph API. The email address in the strong authentication detail property is not available.

Next steps

To create the recommended user flows, follow the instructions in Tutorial: Create a user flow.