| title | description | author | manager | ms.service | ms.topic | ms.date | ms.author | ms.subservice | zone_pivot_groups |
|---|---|---|---|---|---|---|---|---|---|
Set up sign-up and sign-in with a QQ account using Azure Active Directory B2C |
Provide sign-up and sign-in to customers with QQ accounts in your applications using Azure Active Directory B2C. |
garrodonnell |
CelesteDG |
azure-active-directory |
how-to |
09/16/2021 |
godonnell |
b2c |
b2c-policy-type |
[!INCLUDE active-directory-b2c-choose-user-flow-or-custom-policy]
::: zone pivot="b2c-user-flow"
[!INCLUDE active-directory-b2c-public-preview]
::: zone-end
[!INCLUDE active-directory-b2c-customization-prerequisites]
To enable sign-in for users with a QQ account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in QQ developer portal. If you don't already have a QQ account, you can sign up at https://ssl.zc.qq.com.
- Sign in to the QQ developer portal with your QQ account credentials.
- After signing in, go to https://open.qq.com/reg to register yourself as a developer.
- Select 个人 (individual developer).
- Enter the required information and select 下一步 (next step).
- Complete the email verification process. You will need to wait a few days to be approved after registering as a developer.
- Go to https://connect.qq.com/index.html.
- Select 应用管理 (app management).
- Select 创建应用 (create app) and enter the required information.
- For the 授权回调域 (callback URL), enter
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp. If you use a custom domain, enterhttps://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp. Replaceyour-tenant-namewith the name of your tenant, andyour-domain-namewith your custom domain. - Select 创建应用 (create app).
- On the confirmation page, select 应用管理 (app management) to return to the app management page.
- Select 查看 (view) next to the app you created.
- Select 修改 (edit).
- Copy the APP ID and APP KEY. You need both of these values to add the identity provider to your tenant.
::: zone pivot="b2c-user-flow"
- Sign in to the Azure portal.
- If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
- In the Azure portal, search for and select Azure AD B2C.
- Select Identity providers, then select QQ (Preview).
- Enter a Name. For example, QQ.
- For the Client ID, enter the APP ID of the QQ application that you created earlier.
- For the Client secret, enter the APP KEY that you recorded.
- Select Save.
- In your Azure AD B2C tenant, select User flows.
- Click the user flow that you want to add the QQ identity provider.
- Under the Social identity providers, select QQ.
- Select Save.
- To test your policy, select Run user flow.
- For Application, select the web application named testapp1 that you previously registered. The Reply URL should show
https://jwt.ms. - Select the Run user flow button.
- From the sign-up or sign-in page, select QQ to sign in with QQ account.
If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.
::: zone-end
::: zone pivot="b2c-custom-policy"
You need to store the client secret that you previously recorded in your Azure AD B2C tenant.
- Sign in to the Azure portal.
- If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
- Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
- On the Overview page, select Identity Experience Framework.
- Select Policy Keys and then select Add.
- For Options, choose
Manual. - Enter a Name for the policy key. For example,
QQSecret. The prefixB2C_1A_is added automatically to the name of your key. - In Secret, enter your client secret that you previously recorded.
- For Key usage, select
Signature. - Click Create.
To enable users to sign in using a QQ account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.
You can define a QQ account as a claims provider by adding it to the ClaimsProviders element in the extension file of your policy.
-
Open the TrustFrameworkExtensions.xml.
-
Find the ClaimsProviders element. If it does not exist, add it under the root element.
-
Add a new ClaimsProvider as follows:
<ClaimsProvider> <Domain>qq.com</Domain> <DisplayName>QQ (Preview)</DisplayName> <TechnicalProfiles> <TechnicalProfile Id="QQ-OAuth2"> <DisplayName>QQ</DisplayName> <Protocol Name="OAuth2" /> <Metadata> <Item Key="ProviderName">qq</Item> <Item Key="authorization_endpoint">https://graph.qq.com/oauth2.0/authorize</Item> <Item Key="AccessTokenEndpoint">https://graph.qq.com/oauth2.0/token</Item> <Item Key="ClaimsEndpoint">https://graph.qq.com/oauth2.0/me</Item> <Item Key="scope">get_user_info</Item> <Item Key="HttpBinding">GET</Item> <Item Key="ClaimsResponseFormat">JsonP</Item> <Item Key="ResponseErrorCodeParamName">error</Item> <Item Key="external_user_identity_claim_id">openid</Item> <Item Key="client_id">Your QQ application ID</Item> </Metadata> <CryptographicKeys> <Key Id="client_secret" StorageReferenceId="B2C_1A_QQSecret" /> </CryptographicKeys> <OutputClaims> <OutputClaim ClaimTypeReferenceId="UserId" PartnerClaimType="openid" /> <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="qq.com" AlwaysUseDefaultValue="true" /> <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" /> </OutputClaims> <OutputClaimsTransformations> <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" /> <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" /> <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" /> <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" /> </OutputClaimsTransformations> <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" /> </TechnicalProfile> </TechnicalProfiles> </ClaimsProvider>
-
Set client_id to the application ID from the application registration.
-
Save the file.
[!INCLUDE active-directory-b2c-add-identity-provider-to-user-journey]
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
...
<ClaimsProviderSelection TargetClaimsExchangeId="QQExchange" />
</ClaimsProviderSelections>
...
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
...
<ClaimsExchanges>
<ClaimsExchange Id="QQExchange" TechnicalProfileReferenceId="QQ-OAuth2" />
</ClaimsExchanges>
</OrchestrationStep>[!INCLUDE active-directory-b2c-configure-relying-party-policy]
- Select your relying party policy, for example
B2C_1A_signup_signin. - For Application, select a web application that you previously registered. The Reply URL should show
https://jwt.ms. - Select the Run now button.
- From the sign-up or sign-in page, select QQ to sign in with QQ account.
If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.
::: zone-end