Azure AD access token does not contain groups claim
I'm using a curl command to get an access token; I'm able to get the access token using the curl command with client credentials.
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials&client_id={client_id}&client_secret={secret}' https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
But the access token does not contain group claims.
How to get groups in the access token? Any help is appreciated.
You may refer to this document.
If you are exposing a Web API using the Expose an API option, then you can also choose the Group ID option under the Access section.
So, when you add groups claims in the Token configuration blade, you need to pick "group id" in "Access".
And you also need to check the manifest file of the Azure AD app in the Azure portal; if the groupMembershipClaims claim has a null value, you may set it to All; see this section.
If you need to add groups for your Azure AD app, go to Azure AD -> Enterprise Applications -> find your app -> Users and groups.
Then you need to "expose an API" (follow this document), and then you need to add the API permission in your Azure AD application which is used to generate the access token.
The screenshot below is an access token generated by the ROPC flow. But actually, when I test with the client credential flow, I can't get the groups claim. In my opinion, this is because the client credential flow is not related to a user, or even user groups.
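To see which claims a token really carries, its payload can be decoded locally and checked for `groups`. The following is an added example, not code from the question or the answer; the sample tokens and IDs are constructed, and treating a token without `scp` as app-only is a heuristic assumption.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    # Inspection only: the signature is NOT verified here, so never use
    # this result for an authorization decision.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def describe_token(token: str) -> dict:
    claims = decode_payload(token)
    groups = claims.get("groups")
    # Heuristic (assumption): delegated/user tokens carry "scp";
    # tokens from the client credentials grant do not.
    has_user = "scp" in claims
    return {
        "token_type": "delegated (user)" if has_user else "app-only",
        "has_groups": groups is not None,
        "groups": groups or [],
        "roles": claims.get("roles", []),
    }


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token for offline testing.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample claims (all IDs and names are placeholders).
USER_TOKEN = make_sample_token({
    "aud": "api://example-api", "scp": "access_as_user",
    "groups": ["00000000-0000-0000-0000-000000000001"],
})
APP_TOKEN = make_sample_token({
    "aud": "api://example-api", "roles": ["Example.Read.All"],
})

if __name__ == "__main__":
    for name, tok in (("user token", USER_TOKEN), ("app token", APP_TOKEN)):
        print(name, "->", describe_token(tok))
```

An API that authorizes on `groups` should validate the token signature first and should expect the claim to be absent on app-only tokens.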