
ADFS 2016 support for OIDC's `profile` scope?

I am trying to implement a web application using OIDC and the Authorization Code flow. I am using the OIDC Core 1.0 specification as a reference for how things should be working. I am trying to get this working against a Microsoft ADFS 2016 server, which generally claims support for OIDC.

I have managed to get the workflow working for the most part, with one exception. When I call the token endpoint to exchange my authorization code for an `access_token` and an `id_token`, I am hoping to get the user's displayable name via the `name` claim. But that claim is not present in the tokens I receive from ADFS.

When I redirect to the ADFS server's authorization endpoint, I pass it `scope` values of `openid profile`. According to section 5.4 of the OIDC specification, the `profile` scope should cause the `name` claim to be requested. But I don't receive that claim. I do get a few other claims I could consider using (i.e. `upn` or `unique_name`), but I am trying to be as closely aligned with the standards as I can be.

Does this mean that ADFS 2016 is out of compliance with the OIDC specification in this particular area? Or am I mis-reading the sections of the specification that I referenced here?

The standard claims related to name are typically `given_name` and `family_name`, as covered in Section 18, and I always try to code apps in terms of these values, so your concerns are correct.

As a consumer you should also be able to choose where these claims are issued. It is common for providers to not meet standards exactly though, so you may have to adapt your code slightly.

Here is an MS Article on customizing ADFS claims, though it may not give you a clear sense of how claims should work.

FURTHER INFO

At a high level, here is how OAuth systems are meant to issue claims:

  • User authenticates (and may also grant consent)
  • Authorization Server records this 'delegation' in its database, along with the associated claims and scopes
  • Apps can control how and where the claims are exposed, e.g. which tokens or endpoints include them

For further info see this article on Personally Identifiable Information (PII) - and see how Claims Mappers work in the Curity system.

It may be that your ADFS provider doesn't give you full control, but it is worth being aware of the design patterns, and to reduce user info in tokens where you can.

While everything I see points to ADFS 4 on Server 2016 supporting standard OIDC scopes / claims such as `email` and `profile`, in practice I was not able to get this to work.

I did find a work-around:

  1. Make sure you are using the token endpoint (not the userinfo endpoint) in your application. (If you're setting up a federation from another platform, make sure the userinfo endpoint is not set.)
  2. Open the Web API Properties for your app in ADFS by opening the ADFS Management tool > Select "Application Groups" from the navigation pane > Double-click the name of your app > double-click the name of the associated Web API.
  3. Select the "Client Permissions" tab, then check the "allatclaims" checkbox in the "Permitted scopes:" section.
  4. Select the "Issuance Transform Rules" tab, then the "Add Rule..." button (if you have existing rules you can modify them or delete them).
  5. Select "Send LDAP Attributes as Claims" from the drop-down list, then click the "Next >" button.
  6. Give the rule any name.
  7. Select your Active Directory from the "Attribute store:" drop-down list.
  8. Add the attributes you'd like sent with the claims in the "Mapping of LDAP attributes to outgoing claim types:" section... enter the name of the AD attribute you want to send in the left box (you can type to quick-find), then the name you want the outgoing claim to be sent as in the right box.

For instance: type "mail" in the left box to select the "Email Address" AD attribute, then type "email" in the right box to send the attribute out as an "email".

  9. When you are finished adding any attributes you would like added, click the "Finish" button.
  10. Next, click the "OK" button on the Web API Properties window for your app to save the changes.
  11. Finally, click the "OK" button on your application group properties.

I'm still not sure WHY this doesn't work as intended for me; all of my settings seem correct. I have seen many people asking this question though, so I hope this helps someone else down the line.

If anyone has any idea why ADFS 4.0 on Server 2016 isn't working as intended for this, PLEASE let me know in the comments!
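Added example, not part of the question or either answer and not ADFS or Microsoft code: a relying-party fragment in Python that parses the ID token returned by the token endpoint, applies the client-side checks from OIDC Core 3.1.3.7 (issuer, audience, expiry, nonce), and resolves a displayable name with the standard claims first (`name`, then `given_name`/`family_name`) and the ADFS-specific `upn`/`unique_name` only as fallbacks. The two claim sets are constructed to mirror the situation on this page: one as ADFS issues tokens by default, one after the LDAP-attribute mapping from the workaround above. The issuer URL, client id and nonce are assumed values. Signature verification against the keys at the `jwks_uri` in the discovery document is assumed to have been done before these functions are called and is not shown.

```python
import base64
import json
import time

# Fixed "now" so the expiry check is deterministic (constructed, not a real timestamp).
NOW = 1_700_000_000

# Constructed claim set: what the question describes ADFS 2016 returning for
# "openid profile" - no "name" claim, but upn/unique_name are present.
ADFS_DEFAULT_CLAIMS = {
    "iss": "https://adfs.example.com/adfs",   # assumed issuer value
    "aud": "my-client-id",                    # assumed client id
    "sub": "sub-0001",
    "upn": "jane.doe@example.com",
    "unique_name": "EXAMPLE\\jane.doe",
    "nonce": "n-0S6_WzA2Mj",                  # assumed nonce sent in the authorize request
    "iat": NOW,
    "exp": NOW + 300,
}

# Constructed claim set after the workaround maps givenName/sn/mail to outgoing claims.
ADFS_MAPPED_CLAIMS = dict(ADFS_DEFAULT_CLAIMS, given_name="Jane", family_name="Doe",
                          email="jane.doe@example.com")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_demo_id_token(claims: dict) -> str:
    """Assemble a compact JWS with a placeholder signature so the parser can run
    offline. A real ADFS token is RS256-signed; this one must never be trusted."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def parse_id_token_claims(token: str) -> dict:
    """Split the compact JWS and decode the claims set. Signature verification
    against the issuer's JWKS is a separate, mandatory step not shown here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a compact JWS (expected 3 segments)")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg", "none") == "none":
        raise ValueError("unsigned ID tokens are rejected")
    return json.loads(_b64url_decode(parts[1]))


def validate_id_token_claims(claims: dict, expected_issuer: str, client_id: str,
                             expected_nonce: str, now=None, leeway: int = 60) -> list:
    """Client-side checks from OIDC Core 3.1.3.7. Returns a list of problems;
    an empty list means the claims pass."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud does not contain client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        problems.append("token expired or exp missing")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    return problems


def resolve_display_name(claims: dict) -> tuple:
    """Pick a displayable name: standard profile claims (Section 5.1) first,
    then the ADFS-specific fallbacks named in the question. Returns (value, source)."""
    if claims.get("name"):
        return claims["name"], "name"
    parts = [claims.get("given_name"), claims.get("family_name")]
    if any(parts):
        return " ".join(p for p in parts if p), "given_name+family_name"
    for key in ("preferred_username", "upn", "unique_name", "sub"):
        if claims.get(key):
            return claims[key], key
    raise ValueError("no usable name claim in ID token")


if __name__ == "__main__":
    for label, claims in (("default", ADFS_DEFAULT_CLAIMS), ("mapped", ADFS_MAPPED_CLAIMS)):
        parsed = parse_id_token_claims(build_demo_id_token(claims))
        problems = validate_id_token_claims(parsed, "https://adfs.example.com/adfs",
                                            "my-client-id", "n-0S6_WzA2Mj", now=NOW)
        print(label, problems or "ok", resolve_display_name(parsed))
```

Keeping the fallback order explicit makes it obvious which tokens are standards-aligned and which are leaning on provider-specific claims; logging the `source` value in the relying party is a cheap way to see, per login, whether the ADFS issuance rules are actually delivering `name` or `given_name`/`family_name`.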
