PHP Azure OAuth JWT App角色
[英]PHP Azure OAuth JWT App Roles
问题描述
I've created an application in an Azure AD from a manifest with several appRoles inside of it, and I can assign users to these roles. 
我已经在一个包含几个appRoles的清单中在Azure AD中创建了一个应用程序,我可以为这些角色分配用户。 After a user completes the single sign on, returns to my application and I then request a JSON Web Token from their login. 用户完成单点登录后,返回到我的应用程序,然后从登录中请求JSON Web令牌。 The problem is, there are no assigned roles listed in the token I get back from Azure, as it would suggest there's supposed to be here . 问题是,我从Azure回来的令牌中没有列出任何已分配的角色,因为它表明应该在这里 。
Is there a configuration option I'm missing or is there an alternate way to find out their assigned role through the Azure Graph API? 是否存在我缺少的配置选项,或者是否有其他方法可以通过Azure Graph API查找其分配的角色?
Update: 更新:
After specifying the resource as the App ID URI when requesting the authorisation URL I've managed to get a little further. 在请求授权URL时将resource指定为App ID URI后,我设法进一步了解。
I'm now getting back the following error (in the return URL): 我现在回到以下错误(在返回URL中):
"The signed in user '<user email>' is not assigned to a role for the application '<app client id>'."
The user has definitely been assigned a role in the Azure AD control panel for the app, and the app client id in the error message matches the app's client id exactly. 用户肯定已在应用程序的Azure AD控制面板中分配了一个角色,错误消息中的应用程序客户端ID与应用程序的客户端ID完全匹配。
Application config: 应用配置:
User assigned a role: 用户分配了一个角色:
Error message after logging in and returning to app: 登录并返回应用程序后出现错误消息:
3 个解决方案
解决方案1
1 2016-03-28 07:04:07
@Phlip,Could you please try to set your application permission using PowerShell? @ Phlip,您能否尝试使用PowerShell设置应用程序权限?
#1.down load Azure AD powershell and login in using your user in AD
$msolcred=get-credential
connect-msolservice -credential $msolcred
#2. get principal Id
$ClientIdWebApp = '5b597c35-**-**-ad05-***'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $ClientIdWebApp
# 3. use Add-MsolRoleMember to add it to “Company Administrator” role).
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
For more information, please refer to this page: https://msdn.microsoft.com/en-us/library/azure/dn919663.aspx and Use this methods to add member into role: 有关详细信息,请参阅此页面: https : //msdn.microsoft.com/en-us/library/azure/dn919663.aspx并使用此方法将成员添加到角色中:
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "user@contoso.com"
Any updates or results, please let me know. 任何更新或结果,请告诉我。
解决方案2
0 2016-04-05 09:20:26
The below C# code can query the assigned users your application have using AppRoleAssignedTo attribute. 下面的C#代码可以使用AppRoleAssignedTo属性查询应用程序所分配的用户。 I am not family with php, but I believe it has the similar method. 我不是php的家人,但我相信它有类似的方法。 The ActiveDirectoryClient class comes from the Active Directory Graph Client Library . ActiveDirectoryClient类来自Active Directory图形客户端库 。
var Serprincipal = activeDirectoryClient.ServicePrincipals.Where(IServicePrincipal => IServicePrincipal.AppId.Equals("app client id")).ExecuteAsync().Result.CurrentPage.ToList();
var sp = Serprincipal.FirstOrDefault();
var userAssignments = (sp as IServicePrincipalFetcher).AppRoleAssignedTo.ExecuteAsync().Result.CurrentPage.ToList();
foreach (IAppRoleAssignment assignedUser in userAssignments)
{
Console.WriteLine("UserId: {0} Name: {1} ObjectType: {2} ", assignedUser.PrincipalId, assignedUser.PrincipalDisplayName, assignedUser.ObjectType);
}
解决方案3
0 已采纳 2016-04-11 12:43:57
Probably not the answer people want to hear if they're coming across this thread looking for a solution to the issue, but we switched from using OAuth to SAML and we now successfully get app roles in the SAML response. 可能不是人们想要听到的答案,如果他们遇到这个线程寻找问题的解决方案,但我们从使用OAuth切换到SAML,我们现在成功地在SAML响应中获得应用程序角色。
I can only assume the OAuth implementation of app roles on Azure AD is completely broken because we changed nothing except switching to SAML. 我只能假设Azure AD上的应用程序角色的OAuth实现完全被破坏,因为除了切换到SAML之外我们什么都没做。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.