我想知道 Azure AB B2C 是否可以拒绝包含用户名字、姓氏、名字、用户名和可能的字典单词的密码。我已遵循并实施了策略中设置自定义密码验证器的说明 https://learn.microsoft.com/en-us/azure/active-directory-b2c/password-complexity?pivots=b2c-custom-政策.
B2C 租户配置或策略配置本身不支持,但可以使用
ValidationTechnicalProfile
和自定义 REST API。
<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
<DisplayName>Email signup</DisplayName>
...
<OutputClaims>
<!-- claims to be collected from the user -->
...
</OutputClaims>
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="REST-ValidatePassword" />
<ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
</ValidationTechnicalProfiles>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
<TechnicalProfile Id="REST-ValidatePassword">
<DisplayName>Validate user input data and return loyaltyNumber claim</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">https://your-app.azurewebsites.net/api/ValidatePassword</Item>
<Item Key="AuthenticationType">None</Item>
<Item Key="AllowInsecureAuthInProduction">true</Item>
<Item Key="SendClaimsIn">Body</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" />
<InputClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
<InputClaim ClaimTypeReferenceId="givenName" />
<InputClaim ClaimTypeReferenceId="surName" />
</InputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
然后,您的 API 会执行自定义密码检查,例如
if (request.Password.Contains(request.givenName, StringComparison.OrdinalIgnoreCase))
return {{ b2c 409 response }};