在 Azure AD 中自定义令牌
[英]Customize token in Azure AD
问题描述
I am trying to customize id token in Azure AD..
我正在尝试在 Azure AD 中自定义 ID 令牌。
I did the following steps:我做了以下步骤:
1-Registered Azure AD application 1-注册Azure AD申请
2-Post extension: 2-后扩展:
https://graph.microsoft.com/v1.0/applications/ Object ID /extensionProperties https://graph.microsoft.com/v1.0/applications/ Object ID /extensionProperties
Payload: {"name":"test","dataType":"string","targetObjects":["User"]}有效载荷:{“名称”:“测试”,“数据类型”:“字符串”,“targetObjects”:[“用户”]}
3-Create claim Mapping Policy 3-创建声明映射策略
https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
Payload有效载荷
{"definition":[{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema": [{"Source":"user","ExtensionID":"extension_ Application (client)ID _test","JwtClaimType":"test"}]}}],"displayName":"test","isOrganizationDefault":true} {“定义”:[{“ClaimsMappingPolicy”:{“版本”:1,“IncludeBasicClaimSet”:“真”,“ClaimsSchema”:[{“来源”:“用户”,“ExtensionID”:“extension_Application (客户端) ID _test","JwtClaimType":"test"}]}}],"displayName":"test","isOrganizationDefault":true}
4-Post service principal 4-岗位服务负责人
https: // graph.microsoft.com/v1.0/servicePrincipals/Object ID of the Managed application /claimsMappingPolicies/$ref https:// graph.microsoft.com/v1.0/servicePrincipals/托管应用程序的对象 ID /claimsMappingPolicies/$ref
Payload: {"@odata.id":"https: //graph.microsoft.com/v1.0/policies/claimsMappingPolicies/(The policy Id I got from step 4"}负载:{"@odata.id":"https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/(我从第 4 步得到的策略 ID"}
5- I patched a user 5-我修补了一个用户
https: // graph.microsoft.com/v1.0/users/usreID {"extension_ Application (client)ID _test":"test"} https: // graph.microsoft.com/v1.0/users/usreID {"extension_Application (client)ID _test":"test"}
6- I edited the Mainifest See Mainifest 6- 我编辑了 Mainifest查看 Mainifest
6- I tired to get the ID token for the user I patched in step 5 https://login.microsoftonline.com/**tenant Id**/oauth2/v2.0/token with headers(client_id,client_secret,scope: https://graph.microsoft.com/.default,usernam,password ) 6- 我厌倦了为我在步骤 5 中修补的用户获取 ID 令牌https://login.microsoftonline.com/**tenant Id**/oauth2/v2.0/token with headers(client_id,client_secret,scope: https://graph.microsoft.com/.default,用户名,密码)
7- I decoded the token, I don't see "test" as part of the token 7- 我解码了令牌,我没有看到“测试”是令牌的一部分
Not sure what I am missing here to customize the token不确定我在这里缺少什么来自定义令牌
Screenshot to show that I am missing token configuration in the blade Missing token configuration in the blade显示我在刀片中缺少令牌配置的屏幕截图Missing token configuration in the blade
Screenshot to show that I can't find permission: Directory.AccessAsUser.All显示我找不到权限的屏幕截图:Directory.AccessAsUser.All
1 个解决方案
解决方案1
0 2022-03-10 23:08:38
Once the extension claim setup is done, it can be used to store and retrieve data via graph as extension properties may not passed in id tokens, but can be retrieve by querying the user profile from the Graph.一旦扩展声明设置完成,它就可以用于通过图形存储和检索数据,因为扩展属性可能不会在 id 令牌中传递,但可以通过从图形中查询用户配置文件来检索。 or The application can make use of graph client to pass the extension claims which are not taken from available optional claims from azure ad.或者应用程序可以使用图形客户端来传递扩展声明,这些扩展声明不是从 azure 广告的可用可选声明中获取的。
Please make sure to have the Directory.AccessAsUser.All,Directory.Read.All,openId permissions granted.请确保已授予 Directory.AccessAsUser.All,Directory.Read.All,openId 权限。
Also please check with optional claims set in manifest.
另请检查清单中设置的可选声明。
Then check in token configuration, if it is valid claim.然后检查令牌配置,如果它是有效声明。
References:参考:
- Emitting claims with data from directory schema extension attributes created for an application using Graph 使用 Graph 为应用程序创建的目录架构扩展属性中的数据发出声明
- azure-ad-custom-attributes-and-optional-claims-from-an-asp-dot.net-application azure-ad-custom-attributes-and-optional-claims-from-an-asp-dot.net-application
Edit:update 13/4/2022编辑:更新 13/4/2022
Like you said in comments:就像你在评论中说的:
Like the Most obvious difference now ( Token configuration is not available and api permssion for Directory.AccessAsUser.All is not there)
I tried to check in which way i cannot be able to see those features in Overview blade of AAD portal.我试图检查我无法在 AAD 门户的概览边栏选项卡中看到这些功能的方式。
I had all those features as i was using organizational Azure AD premium 2 licensed tenant.当我使用组织Azure AD premium 2许可租户时,我拥有所有这些功能。
But when i tried to create another tenant with same account and switched tenant to work on it and created an app registration.但是,当我尝试使用相同帐户创建另一个租户并切换租户以在其上工作并创建应用程序注册时。 App registration blade doesn't have the token configuration and api permissions like Directory.AccessAsUser.All as you mentioned.应用注册刀片没有令牌配置和 api 权限,如您提到的 Directory.AccessAsUser.All。
Then i realized its license is azure ad free account.然后我意识到它的许可证是azure ad free帐户。
So from my point of view please try to utilize the pay as you go account or which the organization had been subscribed to premium license which would give a better experience.因此,从我的角度来看,请尝试使用 pay as you go 帐户或组织已订阅高级许可证的帐户,这将提供更好的体验。
Also you can check the ongoing issue here您也可以在此处查看正在进行的问题
Q&A missing-features-in-my-azure-ad-tenant. Q&A missing-features-in-my-azure-ad-tenant。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.