Azure AD-令牌中缺少角色声明 [英] Azure AD - missing roles claim in the token
问题描述
我已经通过Azure Active Directory(AAD)设置了身份验证,并且一切正常(我收到了访问和刷新令牌)。
我已经读过应用角色,我想使用它们(为简单起见,假设我想拥有管理员和用户角色)。我遵循了官方文档(缺少最后一部分。)
2)我分配了角色
3)这是登录网址:
4)这是node.js代码,用于处理auth代码并接收令牌
'p> 5)的令牌用于测试乔(当你在你jwt.io看到角色权利要求不存在检查返回的访问实施例)eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImFQY3R3X29kdlJPb0VOZzNWb09sSWgydGlFcyIsImtpZCI6ImFQY3R3X29kdlJPb0VOZzNWb09sSWgydGlFcyJ9.eyJhdWQiOiIwMDAwMDA wMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8zOTI2ZjVmNC1jYTYwLTQ2ZGUtYjlmOC03MjYzOWQ1NTIzMmQvIiwiaWF0IjoxNTcxMjMxNjQwLCJuYmYiOjE1NzEyMzE2NDAsImV4cCI6MTU3MTIzNTU0MCwiYWNyIjoiMSIsImFpbyI6IjQyVmdZT0F5czRzdGFOclB0MFNtWUNOZllxamtuczNMcnpYLzhacTY1NjRXaTBuVXdwMEEiLCJhbXIiOlsicHdkIl0sImFwcGlkIjoiZmVhNWQxNjktNTUzNS00YThjLWJhNjEtYmNiMGIyNTEyOWRkIiwiYXBwaWRhY3IiOiIxIiwiaXBhZGRyIjoiOTQuMjMwLjE1MC40IiwibmFtZSI6IlRlc3QgSm9lIiwib2lkIjoiZDU3YjZlNjAtNzVhMC00ODM4LTllYmMtZWM1MzRkYjAyMTM0IiwicHVpZCI6IjEwMDMyMDAwNDhGOEMwNEQiLCJzY3AiOiJVc2VyLlJlYWQiLCJzdWIiOiJURllOclNGT01EcU5kRnBaY25YeGdoRm1GR2IteHFZN3Y2bDh6R1lhRGg4IiwidGVuYW50X3JlZ2lvbl9zY29wZSI6Ik5BIiwidGlkIjoiMzkyNmY1ZjQtY2E2MC00NmRlLWI5ZjgtNzI2MzlkNTUyMzJkIiwidW5pcXVlX25hbWUiOiJ0ZXN0am9lQHNlY3VyaXR5cG9jMTIzNC5vbm1pY3Jvc29mdC5jb20iLCJ1cG4iOiJ0ZXN0am9lQHNlY3VyaXR5cG9jMTIzNC5vbm1pY3Jvc29mdC5jb20iLCJ1dGkiOiJHQUJCYy1TaTBVbXZMMzVBRXk4V0FBIiwidmVyIjoiMS4wIn0.Z8gydgRzEqk9dZ_fxt67iZMwVqu708WrZWJf3_9ydgc9cV0HizECxXxeNuws6Et iQhLxnguOVYKq7s5R2V4AlquAnc75YaMn0mWhZXGEtuVT6T6tldy5GgrbDpJy9eU5Ismo5ppfkcGRkUoJ0lScHeXic1gQ_M_k44e-QXJtMMxr6JdPA9jqixuCMK-84TdbYC1RlJYM47PJfYttWoibI29XsoUU-0ucwcCB8hshZfQRU48LrTlCwmtB-p9rim6E7xLmBxaXMBo99N9AizGJj9jV-rr_bPGXpq8_CQsiF07cKJ51SWe8dbMpCwybKYVVoMc3rsazylKcJzxDp1rD4A
令牌是令牌的访问不是用于您的应用。您要查找的角色应该在id令牌中。
我之所以这么说是因为观众是00000002-0000-0000-c000-000000000000,是内置的API(尽管无法回忆起哪个)。
I've set up authentication through Azure Active Directory (AAD) and everything works fine (I receive my access and refresh tokens).
I've read about app roles and I would like to use them (for simplicity, let's assume I want to have Admin and User roles). I've followed the official documentation (which is missing the last part ..) here.
Unfortunately, the tokens don't contain the 'roles' claim.
Here is my setup in more detail:
1) I have Azure AD app called TestAuthApp and I added roles to the manifest
2) I assigned the roles
3) This is the url for login: https://login.microsoftonline.com/3926f5f4-ca60-46de-b9f8-72639d55232d/oauth2/authorize?client_id=fea5d169-5535-4a8c-ba61-bcb0b25129dd&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A1338%2Fauth
4) And this is the node.js code which handles the auth code and receives the tokens
5) Example of a returned access token for Test Joe (when you check it in jwt.io you see that roles claim is not present) eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImFQY3R3X29kdlJPb0VOZzNWb09sSWgydGlFcyIsImtpZCI6ImFQY3R3X29kdlJPb0VOZzNWb09sSWgydGlFcyJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8zOTI2ZjVmNC1jYTYwLTQ2ZGUtYjlmOC03MjYzOWQ1NTIzMmQvIiwiaWF0IjoxNTcxMjMxNjQwLCJuYmYiOjE1NzEyMzE2NDAsImV4cCI6MTU3MTIzNTU0MCwiYWNyIjoiMSIsImFpbyI6IjQyVmdZT0F5czRzdGFOclB0MFNtWUNOZllxamtuczNMcnpYLzhacTY1NjRXaTBuVXdwMEEiLCJhbXIiOlsicHdkIl0sImFwcGlkIjoiZmVhNWQxNjktNTUzNS00YThjLWJhNjEtYmNiMGIyNTEyOWRkIiwiYXBwaWRhY3IiOiIxIiwiaXBhZGRyIjoiOTQuMjMwLjE1MC40IiwibmFtZSI6IlRlc3QgSm9lIiwib2lkIjoiZDU3YjZlNjAtNzVhMC00ODM4LTllYmMtZWM1MzRkYjAyMTM0IiwicHVpZCI6IjEwMDMyMDAwNDhGOEMwNEQiLCJzY3AiOiJVc2VyLlJlYWQiLCJzdWIiOiJURllOclNGT01EcU5kRnBaY25YeGdoRm1GR2IteHFZN3Y2bDh6R1lhRGg4IiwidGVuYW50X3JlZ2lvbl9zY29wZSI6Ik5BIiwidGlkIjoiMzkyNmY1ZjQtY2E2MC00NmRlLWI5ZjgtNzI2MzlkNTUyMzJkIiwidW5pcXVlX25hbWUiOiJ0ZXN0am9lQHNlY3VyaXR5cG9jMTIzNC5vbm1pY3Jvc29mdC5jb20iLCJ1cG4iOiJ0ZXN0am9lQHNlY3VyaXR5cG9jMTIzNC5vbm1pY3Jvc29mdC5jb20iLCJ1dGkiOiJHQUJCYy1TaTBVbXZMMzVBRXk4V0FBIiwidmVyIjoiMS4wIn0.Z8gydgRzEqk9dZ_fxt67iZMwVqu708WrZWJf3_9ydgc9cV0HizECxXxeNuws6EtiQhLxnguOVYKq7s5R2V4AlquAnc75YaMn0mWhZXGEtuVT6T6tldy5GgrbDpJy9eU5Ismo5ppfkcGRkUoJ0lScHeXic1gQ_M_k44e-QXJtMMxr6JdPA9jqixuCMK-84TdbYC1RlJYM47PJfYttWoibI29XsoUU-0ucwcCB8hshZfQRU48LrTlCwmtB-p9rim6E7xLmBxaXMBo99N9AizGJj9jV-rr_bPGXpq8_CQsiF07cKJ51SWe8dbMpCwybKYVVoMc3rsazylKcJzxDp1rD4A
The token is an access token that is not for your app. The roles you are looking for should be in the id token.
The reason why I say that is because the audience is 00000002-0000-0000-c000-000000000000, which is a built-in API (can't recall which one though).
这篇关于Azure AD-令牌中缺少角色声明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
