User flows in Azure Active Directory B2C

The extensible policy framework of Azure Active Directory B2C (Azure AD B2C) is the core strength of the service. Policies fully describe identity experiences such as sign-up, sign-in, or profile editing. To help you set up the most common identity tasks, the Azure AD B2C portal includes predefined, configurable policies called user flows.

What are user flows?

A user flow enables you to control behaviors in your applications by configuring the following settings:

  • Account types used for sign-in, such as social accounts
  • Attributes to be collected from the consumer, such as first name, postal code, and shoe size
  • Azure Multi-Factor Authentication
  • Customization of the user interface
  • Information that the application receives as claims in a token

You can create many user flows of different types in your tenant and use them in your applications as needed. User flows can be reused across applications. This flexibility enables you to define and modify identity experiences with minimal or no changes to your code. Your application triggers a user flow by using a standard HTTP authentication request that includes a user flow parameter. A customized token is received as a response.

The following examples show the "p" query string parameter that specifies the user flow to be used:

https://contosob2c.b2clogin.cn/contosob2c.partner.onmschina.cn/oauth2/v2.0/authorize?
client_id=2d4d11a2-f814-46a7-890a-274a72a7309e      // Your registered Application ID
&redirect_uri=https%3A%2F%2Flocalhost%3A44321%2F    // Your registered Reply URL, url encoded
&response_mode=form_post                            // 'query', 'form_post' or 'fragment'
&response_type=id_token
&scope=openid
&nonce=dummy
&state=12345                                        // Any value provided by your application
&p=b2c_1_siup                                       // Your sign-up user flow

https://contosob2c.b2clogin.cn/contosob2c.partner.onmschina.cn/oauth2/v2.0/authorize?
client_id=2d4d11a2-f814-46a7-890a-274a72a7309e      // Your registered Application ID
&redirect_uri=https%3A%2F%2Flocalhost%3A44321%2F    // Your registered Reply URL, url encoded
&response_mode=form_post                            // 'query', 'form_post' or 'fragment'
&response_type=id_token
&scope=openid
&nonce=dummy
&state=12345                                        // Any value provided by your application
&p=b2c_1_siin                                       // Your sign-in user flow

User flow versions

In the Azure portal, new versions of user flows are being added all the time. When you get started with Azure AD B2C, tested user flows are recommended for you to use. When you create a new user flow, you choose the user flow that you need from the Recommended tab.

The following user flows are currently recommended:

  • Sign up and sign in - Handles both the sign-up and sign-in experiences with a single configuration. Users are led down the right path depending on the context. It's recommended that you use this user flow over a separate sign-up user flow or sign-in user flow.
  • Profile editing - Enables users to edit their profile information.
  • Password reset - Enables you to configure whether and how users can reset their password.

Linking user flows

A sign-up or sign-in user flow with local accounts includes a "Forgot password?" link on the first page of the experience. Clicking this link doesn't automatically trigger a password reset user flow.

Instead, the error code AADB2C90118 is returned to your application. Your application needs to handle this error code by running a specific user flow that resets the password. To see an example, take a look at a simple ASP.NET sample that demonstrates the linking of user flows.
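The following added Python example (not from the original page or the ASP.NET sample it mentions) ties together the two passages above: it builds the authorize request with the "p" parameter, and it handles the response posted back to the reply URL, redirecting the user into a password reset flow when AADB2C90118 comes back. The flow name b2c_1_pwdreset and the assumption that the code arrives in the error_description field are illustrative; the tenant, client ID and reply URL are the page's own sample values.

```python
import secrets
from urllib.parse import urlencode

# Sample values from the page; replace with your own tenant and app registration.
TENANT = "contosob2c"
AUTHORITY = (f"https://{TENANT}.b2clogin.cn/{TENANT}.partner.onmschina.cn"
             "/oauth2/v2.0/authorize")
CLIENT_ID = "2d4d11a2-f814-46a7-890a-274a72a7309e"
REDIRECT_URI = "https://localhost:44321/"
PASSWORD_RESET_FLOW = "b2c_1_pwdreset"  # assumed name of your password reset user flow


def new_state():
    """Unpredictable per-request value; verify it on the way back to stop CSRF/replay."""
    return secrets.token_urlsafe(16)


def build_authorize_url(user_flow, state, nonce):
    """Standard authorize request; the 'p' parameter selects the user flow."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,      # urlencode percent-encodes it
        "response_mode": "form_post",
        "response_type": "id_token",
        "scope": "openid",
        "nonce": nonce,                    # bind to the session and check it in the id_token
        "state": state,
        "p": user_flow,
    }
    return f"{AUTHORITY}?{urlencode(params)}"


def handle_authorize_response(form, expected_state):
    """form: the fields B2C posts back to the reply URI (a dict here).

    Returns ("redirect", url) to start the password reset flow,
    ("token", id_token) on success, or ("error", code) otherwise."""
    if form.get("state") != expected_state:
        raise ValueError("state mismatch: reject the response")
    # Assumption: the AADB2C90118 code is carried in error_description.
    if "AADB2C90118" in form.get("error_description", ""):
        # "Forgot password?" was clicked: send the user into the reset user flow.
        url = build_authorize_url(PASSWORD_RESET_FLOW, expected_state, new_state())
        return ("redirect", url)
    if "error" in form:
        return ("error", form["error"])
    return ("token", form["id_token"])
```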

Email address storage

An email address can be required as part of a user flow. If the user authenticates with a social identity provider, the email address is stored in the otherMails property. If a local account is based on a user name, then the email address is stored in a strong authentication detail property. If a local account is based on an email address, then the email address is stored in the signInNames property.

The email address isn't guaranteed to be verified in any of these cases. A tenant administrator can disable email verification in the basic policies for local accounts. Even if email address verification is enabled, addresses aren't verified if they come from a social identity provider and they haven't been changed.

Only the otherMails and signInNames properties are exposed through the Microsoft Graph API. The email address in the strong authentication detail property is not available.

Next steps

To create the recommended user flows, follow the instructions in Tutorial: Create a user flow.