如何配置 Azure AD Oauth2 在登录时返回所有用户组
[英]How to configure Azure AD Oauth2 to return all user groups on login
问题描述
I have an AD registered application which has an integration with Azure AD for SSO.
我有一个 AD 注册应用程序,它与 SSO 的 Azure AD 集成。 It uses the Oauth2 strategy, by using the omniauth-azure-activedirectory-v2 gem.它通过使用omniauth-azure-activedirectory-v2 gem 使用 Oauth2 策略。
I want to map a users security groups to my applications authorization model and for this I need the names of the security groups.我想要 map 一个用户安全组到我的应用程序授权 model 为此我需要安全组的名称。
I want to reliably get a users security groups and the group names on login and I'm not able to.我想在登录时可靠地获取用户安全组和组名,但我做不到。 I get them sometimes correctly, sometimes in a uuid format and sometimes not at all.我有时正确地得到它们,有时以 uuid 格式得到它们,有时根本没有。
I have an optional group claim set up for my application in Token Configuration and configured to return sam_account_name for all attached groups.我在Token Configuration中为我的应用程序设置了一个可选的组声明,并配置为为所有附加组返回sam_account_name 。
This seems to work fine for some clients, the groups are returned as for example "Admin_APP", but for others I seem to have the following issues:这对于某些客户来说似乎工作正常,这些组返回为例如“Admin_APP”,但对于其他人我似乎有以下问题:
- A Users groups are returned but only as a ID(
c5bb3738-59f1-4718-b34c-2dfac761e023), even tough I requested the name.返回用户组,但仅作为 ID( c5bb3738-59f1-4718-b34c-2dfac761e023)返回,即使我请求了名称。 - A User has "readable groups" but not all assigned in AD, some are missing.用户有“可读组”,但并非全部分配在 AD 中,有些丢失了。
Is this a configuration on my application side or should the organization adding my application to their AD configure their groups or my application?这是我的应用程序端的配置,还是应该将我的应用程序添加到他们的 AD 的组织配置他们的组或我的应用程序? Or should I not rely on the token cliam at all and fetch the groups using the GraphQL API Azure offers?还是我根本不应该依赖令牌 cliam 并使用 GraphQL API Azure 报价获取组?
I noticed when adding the application myself I need to give permissions for my user.profile but it doesn't show allowable permissions for groups.我注意到在自己添加应用程序时我需要为我的 user.profile 授予权限,但它没有显示允许的组权限。 Also in the Enterprise application tab for the organization under permissions I can't seem to find the group claim I added.同样在permissions下的组织的企业应用程序选项卡中,我似乎找不到我添加的组声明。 Only openid , profile and email .只有openid 、 profile和email 。
1 个解决方案
解决方案1
1 2023-01-27 11:25:30
I tried to reproduce the same in my environment and got the results like below:我尝试在我的环境中重现相同的内容并得到如下结果:
I configured the Optional claims in Azure AD Application:我在 Azure AD 应用程序中配置了可选声明:
I generated the access token via Postman by using below parameters:我使用以下参数通过 Postman 生成了访问令牌:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:user.read openid
grant_type:authorization_code
redirect_uri:redirectUri
code:code
When I decoded the token, I got the Group IDs instead of Group Name like below:当我解码令牌时,我得到的是Group IDs而不是组名称,如下所示:
Note that: If you are configuring sAMAccountName as the claim value in the token, then it only returns the Group which is synced from on-premises AD.请注意:如果您将sAMAccountName配置为令牌中的声明值,则它只会返回从本地 AD 同步的组。 By default, Group ObjectID is returned in the group claim value.默认情况下,Group ObjectID在组声明值中返回。
By default , groups emitted in a token is limited to 150 for SAML assertions and 200 for JWT.
I agree with junnas , you can make use of Graph API to get the user groups like below:我同意junnas ,你可以利用 Graph API 来获取如下用户组:
https://graph.microsoft.com/v1.0/users/UserID/memberOf
To get the only list of security groups user belongs to, you can make use of below query:要获取用户所属的唯一安全组列表,您可以使用以下查询:
https://graph.microsoft.com/v1.0/users/UserID/memberOf?Filter("mailEnabled eq false and securityEnabled eq true")
References:参考:
List a user's direct memberships - Microsoft Graph v1.0 | 列出用户的直接成员资格 - Microsoft Graph v1.0 | Microsoft Learn 微软学习
How to get groups to appear as claims in the access_token by AmanpreetSingh-MSFT 如何让组在 amanpreetSingh-MSFT 的 access_token 中显示为声明
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.