
Azure AD B2C :: Roles claim is missing in access token

I have two registered applications in Azure AD B2C: an Azure Functions application and a frontend SPA application. I call the Azure Functions from the frontend app and use the implicit authorization flow. I use the MSAL npm package to request an access token.

I followed this article to set up roles for users: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

But the access_token I receive in the frontend app is missing the "roles" claim, and so is the id_token. Here is the access token I receive:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}.{
  "iss": "https://<tenant_name>.b2clogin.com/<id>/v2.0/",
  "exp": 1595333452,
  "nbf": 1595329852,
  "aud": "3d6123b2-b436-46c0-bcde-e0b61b0ad827",
  "oid": "e98c46c4-f13d-428e-9b7d-28ba3abeb060",
  "sub": "e98c46c4-f13d-428e-9b7d-28ba3abeb060",
  "name": "Basic User",
  "emails": [
    "basicuser@gmail.com"
  ],
  "tfp": "B2C_1_signin_v2",
  "nonce": "a70eece3-31d2-4cc3-8abb-0a56a95d4ba1",
  "scp": "demo.read",
  "azp": "d7787de1-6642-409f-b0b9-2f5608476367",
  "ver": "1.0",
  "iat": 1595329852
}.[Signature]

Why are there no roles in it?

Application roles are not currently supported in Azure AD B2C.

You can raise a user voice for your request on the Azure feedback portal or vote for an existing one.

For now, you can call MS Graph from an AAD B2C custom policy; there is an ability to call APIs in a custom policy using OAuth client credentials.

You can query the user's group membership, return the data back to the B2C policy directly, and issue it into the token:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api#oauth2-bearer-authentication

Then use this to get the data from MS Graph:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-exchange

or

You need to use either groups to manage this, or create an AAD app inside the B2C tenant and do the app role assignments there. Then, during the B2C policy execution, call a REST API to query the roles for the user and insert them into the B2C token. You need to use a custom policy for this one. Please refer to a GitHub sample similar to this.

As far as I can remember, B2C doesn't support Role claims. I've had to make use of a custom claim in the past and Sven Glöckner has written an article that describes something similar to what I've done.

In my case, I've added the role claim value to default to 'appMember', which was like the main role for a user on the site, and if he had a UPN extension of our company, he would get a role like 'internalUser'. This is how we distinguished the permissions that would apply to the security trimming and downstream calls.
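The two answers above describe the same approach: a REST API that the B2C custom policy calls during sign-in, which returns the user's roles so the policy can issue them as a claim, and a backend that then checks that claim. The following is an added example, not code from the question, the answers or Microsoft: a claims-exchange handler that applies the 'appMember'/'internalUser' rule and a role check for the Azure Functions side. The input claim names (objectId, email), INTERNAL_DOMAIN, ROLE_DIRECTORY and the assumption that the returned roles array maps to a stringCollection output claim are this example's own.

```javascript
// Assumption: the hosting layer has already validated the bearer token B2C
// presents (client-credentials flow) before this handler runs.
const INTERNAL_DOMAIN = "contoso.example";            // constructed sample domain
const ROLE_DIRECTORY = {                              // constructed stand-in for a real role store
  "e98c46c4-f13d-428e-9b7d-28ba3abeb060": ["reports.reader"],
};

function emailDomain(email) {
  if (typeof email !== "string") return "";
  const at = email.lastIndexOf("@");
  return at < 0 ? "" : email.slice(at + 1).toLowerCase();
}

// Claims-exchange handler: B2C POSTs the input claims named in the RESTful
// technical profile; output claims are returned as top-level JSON properties.
// On bad input we return the 409 "conflict" shape B2C understands so the policy
// fails closed instead of issuing a token with no roles.
function resolveRoles({ objectId, email } = {}) {
  if (typeof objectId !== "string" || objectId === "") {
    return {
      status: 409,
      body: { version: "1.0.0", status: 409, userMessage: "objectId claim is required" },
    };
  }
  const roles = new Set(["appMember"]);                 // every signed-in user
  if (emailDomain(email) === INTERNAL_DOMAIN) roles.add("internalUser");
  for (const r of ROLE_DIRECTORY[objectId] || []) roles.add(r);
  return { status: 200, body: { roles: [...roles] } }; // assumed stringCollection mapping
}

// Backend authorization check on an already signature-validated token payload.
// A token without a roles claim (like the one in the question) grants nothing.
function requireRole(payload, role) {
  const roles = payload && Array.isArray(payload.roles) ? payload.roles : [];
  return roles.includes(role);
}

module.exports = { emailDomain, resolveRoles, requireRole };
```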
