[英]ADFS 2016 support for OIDC's `profile` scope?
I am trying to implement a web application using OIDC and the Authorization Code flow.我正在尝试使用 OIDC 和授权代码流来实现 web 应用程序。 I am using the OIDC Core 1.0 specification as a reference for how things should be working.
我使用OIDC Core 1.0 规范作为工作方式的参考。 I am trying to get this working against a Microsoft ADFS 2016 server, which generally claims support for OIDC.
我正在尝试针对 Microsoft ADFS 2016 服务器进行此操作,该服务器通常声称支持 OIDC。
I have managed to get the workflow working for the most part, with one exception.我已经设法让工作流程大部分工作,但有一个例外。 When I call the token endpoint to exchange my authorization code for an
access_token
and an id_token
, I am hoping to get the user's displayable name via the name
claim.当我调用令牌端点以将我的授权代码交换为
access_token
和id_token
时,我希望通过name
声明获取用户的可显示名称。 But that claim is not present in the tokens I receive from ADFS.但我从 ADFS 收到的令牌中不存在该声明。
When I redirect to the ADFS server's authorization endpoint , I pass it scope
values of openid profile
.当我重定向到 ADFS 服务器的授权端点时,我将
scope
的openid profile
值传递给它。 According to section 5.4 of the OIDC specification, the profile
scope should cause the name
claim to be requested.根据 OIDC 规范的第 5.4 节,
profile
scope 应导致请求name
声明。 But I don't receive that claim.但我没有收到这种说法。 I do get a few other claims I could consider using (ie
upn
or unique_name
) but I am trying to be as closely aligned with the standards as I can be.我确实得到了一些我可以考虑使用的其他声明(即
upn
或unique_name
),但我正在努力尽可能地与标准保持一致。
Does this mean that ADFS 2016 is out of compliance with the OIDC specification in this particular area?这是否意味着 ADFS 2016 在该特定领域不符合 OIDC 规范? Or am I mis-reading the sections of the specification that I referenced here?
还是我误读了我在这里引用的规范部分?
The standard claims related to name are typically given_name
and family_name
as covered in Section 18 and I always try to code apps in terms of these values, so your concerns are correct.与名称相关的标准声明通常是第 18 节中介绍的
given_name
和family_name
,我总是尝试根据这些值对应用程序进行编码,因此您的担忧是正确的。
As a consumer you should also be able to choose where these claims are issued.作为消费者,您还应该能够选择发出这些声明的地点。 It is common for providers to not meet standards exactly though, so you may have to adapt your code slightly.
但是,提供者通常不完全符合标准,因此您可能需要稍微调整您的代码。
Here is an MS Article on customizing ADFS claims, though it may not give you a clear sense of how claims should work.这是一篇关于自定义 ADFS 声明的MS 文章,尽管它可能无法让您清楚地了解声明应该如何工作。
FURTHER INFO更多信息
At a high level, here is how OAuth systems are meant to issue claims:概括地说,OAuth 系统是如何发出声明的:
For further info see this article on Personally Identifiable Information (PII) - and see how Claims Mappers work in the Curity system.有关更多信息,请参阅有关个人身份信息 (PII)的这篇文章 - 并了解声明映射器如何在 Curity 系统中工作。
It may be that your ADFS provider doesn't give you full control, but it is worth being aware of the design patterns, and to reduce user info in tokens where you can.可能是您的 ADFS 提供程序没有让您完全控制,但值得了解设计模式,并尽可能减少令牌中的用户信息。
While everything I see points to ADFS 4 on Server 2016 supporting standard OIDC scopes / claims such as email & profile, in practice I was not able to get this to work.虽然我看到的所有内容都指向支持标准 OIDC 范围/声明(如 email 和配置文件)的 Server 2016 上的 ADFS 4,但实际上我无法让它工作。
I did find a work-around:我确实找到了解决方法:
For instance: type "mail" in the left box to select the "Email Address" AD attribute, then type "email" in the right box to send the attribute out as an "email".
例如:在左侧框中键入“邮件”到 select 的“电子邮件地址”AD 属性,然后在右侧框中键入“电子邮件”以将该属性作为“电子邮件”发送出去。
I'm still not sure WHY this doesn't work as intended for me, all of my settings seem correct.我仍然不确定为什么这对我来说不起作用,我的所有设置似乎都是正确的。 I have seen many people asking this question though, so I hope this helps someone else down the line.
不过,我看到很多人问这个问题,所以我希望这对其他人有所帮助。
If anyone has any idea why ADFS 4.0 on Server 2016 isn't working as intended for this, PLEASE let me know in the comments!如果有人知道为什么 Server 2016 上的 ADFS 4.0 没有按预期工作,请在评论中告诉我!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.