Azure AD B2C:: 访问令牌中缺少角色声明
[英]Azure AD B2C :: Roles claim is missing in access token
问题描述
I have two registered applications in Azure AD B2C: azure functions application and frontend spa application.
我在 Azure AD B2C 中有两个注册的应用程序:azure 函数应用程序和前端 spa 应用程序。 I call azure functions from frontend app and use implicit authorization flow.我从前端应用程序调用 azure 函数并使用隐式授权流程。 I use MSAL npm package to request access token.我使用 MSAL npm package 请求访问令牌。
I followed this article to setup roles for users: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps我按照这篇文章为用户设置角色: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
But access_token I receive in Frontend app is missing "roles" claim, as well as id_token.但是我在前端应用程序中收到的 access_token 缺少“角色”声明以及 id_token。 Here is access token I receive:这是我收到的访问令牌:
{
"typ": "JWT",
"alg": "RS256",
"kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}.{
"iss": "https://<tenant_name>.b2clogin.com/<id>/v2.0/",
"exp": 1595333452,
"nbf": 1595329852,
"aud": "3d6123b2-b436-46c0-bcde-e0b61b0ad827",
"oid": "e98c46c4-f13d-428e-9b7d-28ba3abeb060",
"sub": "e98c46c4-f13d-428e-9b7d-28ba3abeb060",
"name": "Basic User",
"emails": [
"basicuser@gmail.com"
],
"tfp": "B2C_1_signin_v2",
"nonce": "a70eece3-31d2-4cc3-8abb-0a56a95d4ba1",
"scp": "demo.read",
"azp": "d7787de1-6642-409f-b0b9-2f5608476367",
"ver": "1.0",
"iat": 1595329852
}.[Signature]
Why there are no roles in it?为什么里面没有角色?
2 个解决方案
解决方案1
2 已采纳 2020-07-21 13:26:05
Application roles are not currently supported in Azure AD B2C. Azure AD B2C 目前不支持应用程序角色。
You can raise user voice for your requestAzure feedback portal or vote for an existing one .您可以为您的请求提出用户意见 Azure 反馈门户或投票给现有的门户。
For now, you can call MS Graph from AAD B2C custom policy, there is an ability to call APIs in Custom Policy using OAuth client credentials.目前,您可以从 AAD B2C 自定义策略调用 MS Graph,可以使用 OAuth 客户端凭据调用自定义策略中的 API。
You can query the users group membership and then return the data back to B2C policy directly, and issue it into the token您可以查询用户组成员,然后将数据直接返回给 B2C 策略,并将其发放到令牌中
https://docs.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api#oauth2-bearer-authentication https://docs.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api#oauth2-bearer-authentication
Then use this to get the data from MS Graph然后使用它从 MS Graph 中获取数据
https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-exchange https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-exchange
or或者
You need to use either groups to manage this, or create an AAD App inside the B2C tenant and do the App Role assignments there.您需要使用任一组来管理它,或者在 B2C 租户内创建一个 AAD 应用程序并在那里执行应用程序角色分配。 Then during the B2C policy execution, call a REST API to query the roles for the user and insert them into the B2C token.然后在 B2C 策略执行期间,调用 REST API 以查询用户的角色并将其插入 B2C 令牌中。 You need to use custom policy for this one.您需要为此使用自定义策略。 Please refer github sample similar to this请参考与此类似的github 样品
解决方案2
1 2020-07-21 13:15:12
As far as I can remember, B2C doesn't support Role claims.据我所知,B2C 不支持角色声明。 I've had to make use of a custom claim in the past and Sven Glöckner has written an article that describes something similar to what I've done.我过去不得不使用自定义声明, Sven Glöckner 写了一篇文章,描述了与我所做的类似的事情。
In my case, I've added the role claim value to default to 'appMember', which was like the main role for a user on the site and if he had a UPN extension of our company, he would get a role like 'internalUser'.就我而言,我已将角色声明值添加为默认为“appMember”,这就像网站上用户的主要角色,如果他有我们公司的 UPN 扩展,他将获得类似“internalUser”的角色'。 This is how we distinguished the permissions that would apply to the security trimming and downstream calls.这就是我们区分适用于安全修整和下游调用的权限的方式。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.