问题描述
我正在为我的Angular 6前端应用程序开发Azure AD B2C,并使用Microsoft Graph API来更改传入的用户密码.我正在使用授权码流程获取access_token.
I am working on Azure AD B2C for my Angular 6 front-end App and consuming Microsoft Graph API in order to change the singed-in user's password. I am getting the access_token using the Authorization Code flow.
当用户具有类似[email protected]的用户名时,它工作正常,我得到一个access_token,然后调用https://graph.microsoft.com/v1.0/users/{id}/changePassword.
It works fine when the user has a username like [email protected], I get an access_token and then call https://graph.microsoft.com/v1.0/users/{id}/changePassword.
但是,当我尝试对用户名如[email protected]或[email protected]的用户执行相同操作时,在获取access_token from授权码流(grant_type=password)时出现错误. 注意:这些用户是我的AAD B2C租户中的本地"帐户
But when I try to do the same for users with a username like [email protected] or [email protected], I get an error when acquiring the access_token from Authorization Code flow (grant_type=password). Note: These users are "local" accounts in my AAD B2C tenant
以下是我收到的错误消息:
Following is the error message I get:
{
"error": "invalid_grant",
"error_description": "AADSTS50034: To sign into this application the account must be
added to the myb2cname.onmicrosoft.com directory.
Trace ID: 8fcae061-5088-4393-9e5b-d0a83d1d0a00
Correlation ID: 0dc6c906-c54b-4cd8-ae8b-46f3f6118e40
Timestamp: 2018-08-01 06:16:55Z",
"error_codes": [
50034
],
"timestamp": "2018-08-01 06:16:55Z",
"trace_id": "8fcae061-5088-4393-9e5b-d0a83d1d0a00",
"correlation_id": "0dc6c906-c54b-4cd8-ae8b-46f3f6118e40"
}
对于使用电子邮件身份提供商(登录-注册策略)登录的用户,其用户名看上去像[email protected]的[email protected]或[email protected] instead一样,我该如何呼叫changePassword?
How can I call changePassword for users who are signed in using the email identity provider (SignIn-SignUp Policy) when their username looks like [email protected] or [email protected] instead of [email protected]?
推荐答案
当外部用户登录您的AAD时,它不会使用传统密码创建传统用户,而是创建了来宾"用户.实际用户仍保留在原始AAD租户中,您的AAD租户仅存储该用户的占位符.
When an external user signs into your AAD, it does not create a traditional user with a traditional password, it creates a "guest" user. The actual user remains in the originating AAD tenant, your AAD tenant only stores a placeholder for that user.
您不能更改访客用户的密码,因为您的AAD实际上没有为该用户分配密码.您的AAD拥有授权(用户有权访问的权限),但依赖于用户的AAD进行身份验证(用户就是他们声称的身份).
You cannot change a guest user's password since your AAD doesn't actually have a password assigned to that user. Your AAD holds the authorization (what the user has access to) but relies on the user's AAD for authentication (the user is who they claim to be).
这篇关于尝试使用来自外部域的用户名更改本地Azure AD B2C用户的密码时出现错误AADSTS50034的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!