Azure AD JWT missing "groups" node when logging into AAD using a Native app type


Question

The JWT that is acquired when logging into a Native App does not emit the "groups" node that the JWT acquired when logging into a Web App does.

Both app registrations are configured to emit the groups: "groupMembershipClaims": "SecurityGroup"

This is an implicit grant scenario.

Answer

Update

This is for anyone looking to understand the solution later.

After getting more information from @LastTribunal, it turned out that there were 3 separate applications in use (a web app SPA, a .NET based native app and a web API). The manifest for the third app, i.e. the web API, was missing "groupMembershipClaims": "SecurityGroup".

Bottom line: Even when a token is acquired from a native application to access a web API, as long as the web API's manifest is configured correctly, the access token does include the groups claim.

This is a link to the sample that @LastTribunal was following and having issues with for the native application: Integrating Azure AD into a Windows desktop application using interactive authentication

Initial answer

The user you're checking for might be part of 6 or more groups. In the case of implicit grant flows, if the full groups claim would extend the URI fragment beyond the URL length limits, Azure AD sends you an overage claim instead of the "groups" claim.

So you might be getting an overage indicator through a claim like "hasgroups" or "groups:src1", depending on whether the length of the token will be an issue or not.

For example, in the case of Single Page Applications (SPA) you will get back a "hasgroups" claim, while in the case of a .NET based native application using the ADAL.NET library, where token length is not an issue, I have seen "groups:src" being used for overage indication.

Basically you are given a hint that the user is part of a lot of groups (currently "a lot" means 6 or more) and you have to make a second call to get the information about all the groups that this user is part of.

Microsoft Docs: Link
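Added example, not from the question or answer above: a small claim inspector a web API can run on a decoded token to tell the three cases apart that this thread discusses, namely a full "groups" claim, an overage indicator ("hasgroups", or a "groups" entry in `_claim_names` pointing at a `_claim_sources` endpoint, which is what "groups:src1" refers to), and no groups information at all (the misconfigured-manifest case). The token strings and claim values are constructed samples; `_claim_names`/`_claim_sources` are assumed to be the overage format Azure AD uses.

```python
import base64
import json

# Constructed sample payloads (not real tokens). Each mirrors one case from
# the thread: groups present, SPA overage, native-app overage, no groups.
SAMPLE_PAYLOADS = {
    "web_api_token": {"aud": "api://example-api", "groups": ["g1", "g2"]},
    "spa_implicit_token": {"aud": "spa-client-id", "hasgroups": True},
    "native_overage_token": {
        "aud": "api://example-api",
        "_claim_names": {"groups": "src1"},
        "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/<placeholder>"}},
    },
    # Web API manifest lacks groupMembershipClaims: neither groups nor overage.
    "misconfigured_api_token": {"aud": "api://example-api"},
}


def make_sample_jwt(payload: dict) -> str:
    """Build an UNSIGNED, constructed token string for local decoding only.
    A real API must only inspect claims after its middleware has validated
    the signature, issuer, audience and expiry."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."


def decode_payload(jwt: str) -> dict:
    """Decode the payload segment (base64url without padding) into a dict."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def classify_groups(payload: dict) -> dict:
    """Report whether groups are inline, need a second (Graph) call, or are absent."""
    if "groups" in payload:
        return {"status": "groups", "groups": list(payload["groups"]), "second_call": False}
    if payload.get("hasgroups") is True:
        # Implicit-flow overage: no source endpoint is given in the token.
        return {"status": "overage", "groups": [], "second_call": True, "source": None}
    ref = payload.get("_claim_names", {}).get("groups")
    if ref:
        endpoint = payload.get("_claim_sources", {}).get(ref, {}).get("endpoint")
        return {"status": "overage", "groups": [], "second_call": True, "source": endpoint}
    # No claim and no overage hint: check the resource app's manifest.
    return {"status": "none", "groups": [], "second_call": False}
```

A "none" result on a token for your own API is the signal from this thread: the resource (web API) registration, not just the client, needs "groupMembershipClaims" set.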
