B2C 的 givenName 和 surname 声明有什么特别之处吗? 无法从 OIDC ClaimsProvider 读取它们
[英]Is there something special about B2C's givenName and surname claims? Can't read them from the OIDC ClaimsProvider
问题描述
My OIDC claims provider (Okta) provides the given_name and family_name values to my OIDC test harness app.
我的 OIDC 声明提供程序 (Okta) 向我的 OIDC 测试工具应用程序提供 given_name 和 family_name 值。
My Azure B2C claims provider uses the same scopes as my test app, but I can't get the given_name and family_name to be added to the B2C claim,我的 Azure B2C 声明提供程序使用与我的测试应用程序相同的范围,但我无法将 given_name 和 family_name 添加到 B2C 声明中,
Scopes used when calling Okta CP:调用 Okta CP 时使用的范围:
<Item Key="scope">openid profile email</Item>
OutputClaims mapping in Okta CP: Okta CP 中的 OutputClaims 映射:
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" DefaultValue="default value from input ClaimsProvider: email"/>
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" DefaultValue="default value from input ClaimsProvider: givenName"/>
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" DefaultValue="default value from input ClaimsProvider: surname"/>
This configuration doesn't seem to get the values for these two claims.此配置似乎没有得到这两个声明的值。 It does get the "name" and "email" values, so I feel confident the scopes are being honored.它确实获得了“名称”和“电子邮件”的值,所以我相信范围得到了尊重。 Using DefaultValues to debug, I see this in the Azure SAML test app.使用 DefaultValues 进行调试,我在 Azure SAML 测试应用程序中看到了这一点。
SAML Login Success
Attribute Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress JoeBlow@xyz.com
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name Joe Blow
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname default value from input ClaimsProvider: givenName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname default value from input ClaimsProvider: surname
http://schemas.microsoft.com/identity/claims/userprincipalname JoeBlow@xyz.com
1 个解决方案
解决方案1
0 2022-01-24 10:16:12
Might be to late for the OP, but we just ran into this as well. OP 可能为时已晚,但我们也遇到了这个问题。 It took us quite a while to find a solution.我们花了很长时间才找到解决方案。
- Problem was not (in our case) the Azure AD B2C policy.问题不是(在我们的例子中)Azure AD B2C 政策。
- But instead the issue was with the Azure AD app registration (used for Ms + AAD accounts).但问题在于 Azure AD 应用程序注册(用于 Ms + AAD 帐户)。
-
family_name+given_nameare optional claimsfamily_name+given_name是可选声明
For those claims to be returned two things need to happen:要退回这些索赔,需要做两件事:
- profile scope must be requested必须请求配置文件 scope
- configure the Azure AD app registration to return these 2 optional claims配置 Azure AD 应用注册以返回这 2 个可选声明
- This was the step we were missing这是我们缺少的步骤
- This was the step we were missing
Here is the link to the doc explaining how to ensure an Azure AD app registration returns optional claims (its straight forward and only took 1min todo):以下是文档的链接,解释了如何确保 Azure AD 应用程序注册返回可选声明(它直截了当,只花了 1 分钟的时间):
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims?WT.mc_id=AZ-MVP-5003445#configuring-optional-claims https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims?WT.mc_id=AZ-MVP-5003445#configuring-optional-claims
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.