AAD groups claim missing in JWT token for some users


Question


I'm experiencing some strange behavior on our AAD. After a user signed in successfully, we're getting an unauthorized for some users on our API calls. Turns out that a claim in the JWT is missing. Some users are getting the "groups" claim (array of all groupIds he belongs to) and some are getting the "hasgroups" claim (a boolean if the user has groups, no Ids). As our API app is checking this "groups" claim for authorization, the users who don't have this "groups" claim are getting a 403.


Nevertheless, in the manifest of the app registration I set the "groupMembershipClaims" from "null" to "All" or "SecurityGroup", which should both do the trick. Also set the "oauth2AllowImplicitFlow" to true as we're working with an Angular app which uses OAuth2. Next to that I've compared almost all user settings and apart from some extra groups the users are identical. The affected users don't have a lot of groups; some have even around 5 groups at max.


Do I overlook something or what's causing this difference in claims? How can I solve this so all users are getting the "groups" claim?

Recommended answer


Got this feedback from MSFT internals:


In the implicit flow, OAuth will return the JWT directly from the initial /authorize call through a query string param. The HTTP spec limits the length of a query string / URL, so if AAD detects that the resulting URI would be exceeding this length, they replace the groups with the hasGroups claim.

And this:


This is by design when using implicit grant flow, regardless of the "groupMembershipClaims" setting in the manifest. It's to avoid going over the URL length limit of the browser, as the token is returned as a URI fragment. So, more or less after 4 group memberships for a user, you'll get "hasgroups:true" in the token. What you can do is make a separate call to the Graph API to query for the user's group membership.


So you will need to do an extra roundtrip to the Graph API in order to get the user groups. Hope this helps others too.
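The fallback the answer describes, as an added example that is not code from the question or the answer: read the token's claims, use "groups" when present, and only when AAD substituted "hasgroups" make the extra Microsoft Graph call (POST /me/getMemberGroups). The Graph client, the fetch implementation and the sample tokens are assumptions constructed for illustration.

```javascript
// Decode the base64url payload of a compact JWT. Reads claims only: the
// signature must already have been validated before trusting them.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64 + '='.repeat((4 - b64.length % 4) % 4), 'base64').toString('utf8'));
}

// Pure decision, kept separate from I/O so it can be tested offline.
function classifyGroupClaims(claims) {
  if (Array.isArray(claims.groups)) return { source: 'token', groups: claims.groups };
  // AAD may emit hasgroups as boolean true or as the string "true"; accept both.
  if (claims.hasgroups === true || claims.hasgroups === 'true') return { source: 'graph', groups: null };
  return { source: 'token', groups: [] };
}

// Overage path: POST /me/getMemberGroups returns the ids of all groups the
// signed-in user belongs to (transitively). Needs a Graph access token that is
// allowed to read the user's group membership; fetchImpl is injectable for tests.
function makeGraphClient(graphAccessToken, fetchImpl = globalThis.fetch) {
  return {
    async getMemberGroups(securityEnabledOnly = true) {
      const res = await fetchImpl('https://graph.microsoft.com/v1.0/me/getMemberGroups', {
        method: 'POST',
        headers: { Authorization: `Bearer ${graphAccessToken}`, 'Content-Type': 'application/json' },
        body: JSON.stringify({ securityEnabledOnly }),
      });
      if (!res.ok) throw new Error(`Graph returned HTTP ${res.status}`);
      return (await res.json()).value;
    },
  };
}

// Resolve the ids an API authorization check should use, paying for the extra
// Graph round trip only when the token carries "hasgroups" instead of "groups".
async function resolveGroupIds(jwt, graphClient) {
  const decision = classifyGroupClaims(decodeJwtPayload(jwt));
  if (decision.source === 'graph') decision.groups = await graphClient.getMemberGroups(true);
  return decision;
}

// Constructed, unsigned sample token for illustration only (real tokens are signed by AAD).
function buildSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}
```

In the real app the API should still reject a request whose token has neither claim, and the Graph result should be cached per session so the round trip is not repeated on every call.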
