Missing role claims in JWT Token issued by AAD


Problem description

I am using Microsoft Graph APIs to programmatically register a client app and a resource server, and to assign a role from the resource server to the client app. Here are the steps followed:


1. Get Access Token --> https://login.windows.net//oauth2/token/?api-version=1.6
2. Client App Registration --> https://graph.windows.net//applications/?api-version=1.6
3. Client Service Principal creation
4. Resource Server Registration with the app role below in the manifest:

"appRoles": [
    {
        "allowedMemberTypes": [
            "Application"
        ],
        "description": "Description of Role - Resource_API_11092017",
        "displayName": "Role_Resource_API_11092017",
        "id": "5ff0033d-fa87-4a77-9b3d-b4b201dfc32e",
        "isEnabled": true,
        "value": "Read_Only_Resource_API_11092017"
    }
],


5. Resource Server Service Principal creation
6. Assigning the Role to the client App.

When I am trying to get the access token using the credentials of the client app, I am not getting any roles in the JWT, nor any information about the resource server.

I even granted permission from the portal in the client app to the role of the resource server. But still no luck.

Any help will be appreciated. Let me know if you need more details.

Thanks.

@Update on 11/14/2017:

Please find the payload of the JWT:

{
  "aud": "https://xxxxx.onmicrosoft.com/Resource_API_11092017",
  "iss": "https://sts.windows.net/caa4bd37-xxxx-xxxx-xxxx-bba4bd0e22a6/",
  "iat": 1510679930,
  "nbf": 1510679930,
  "exp": 1510683830,
  "aio": "Y2NgYLipff1Ghn65atEd97grbjxxxx==",
  "appid": "3ec8690d-xxxx-xxxx-xxxx-739709a758cc",
  "appidacr": "1",
  "idp": "https://sts.windows.net/caa4bd37-xxxx-xxxx-xxxx-bba4bd0e22a6/",
  "tid": "caa4bd37-xxxx-xxxx-xxxx-bba4bd0e22a6",
  "ver": "1.0"
}

The service principal does not contain any Role in it. But I have assigned the Role_Assigned_API_11092017 as Application Permissions using the portal. This Role_Assigned_API_11092017 is defined as a Role in the resource app Resource_API_11092017.

Permissions are granted from the Resource_API_11092017 through the portal.

Recommended answer

I was able to get role claims in the token. Here are the steps you need to follow if you want your client app to have roles defined in the resource app.

1. Create the client app.
2. Create the service principal of the client app.
3. Create the resource app with roles defined as "appRoles": [{ "allowedMemberTypes": [ "Application" ],
4. Create the service principal for the resource app.
5. Patch the client app and the resource app with the roles defined in the resource app - allow the roles in the Required Permissions section of the client app.
6. Grant permission on the client app, logging in through your admin account from the Azure portal.

Apart from step 6, everything can be done using the Microsoft Graph API, using the access token of an app which has adequate permissions to register apps in your directory.

If anyone has a corresponding API for the Grant Permission action from the client app, please let me know. For now we are taking this as a manual step.

Thanks.

    {
      "aud": "https://xxxxxxx.onmicrosoft.com/resource_app_11202017",
      "iss": "https://sts.windows.net/caa4bd37-xxxx-xxxx-xxxx-bba4bdxxxxa6/",
      "iat": 1511209576,
      "nbf": 1511209576,
      "exp": 1511213476,
      "aio": "Y2xxxxBlVE3nxxxxHtx3xSxxxxLAQ==",
      "appid": "dffe69ef-xxxx-xxxx-xxxx-3550bxxxxbd7",
      "appidacr": "1",
      "idp": "https://sts.windows.net/caa4bd37-xxxx-xxxx-xxxx-bba4bdxxxxa6/",
      "oid": "f2af0608-xxxx-xxxx-xxxx-a5acacxxxx8d",
      "roles": [
        "readonly_role_resource_app_11202017",
        "writeonly_role_resource_app_11202017"
      ],
      "sub": "f2af0608-xxxx-xxxx-xxxx-a5acacxxxx8d",
      "tid": "caa4bd37-xxxx-xxxx-xxxx-bba4bdxxxxa6",
      "uti": "VW6inKHUI0SgkuNMi6AcAA",
      "ver": "1.0"
    }
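The procedure in the answer above (the appRoles entry from the question's manifest, the requiredResourceAccess patch on the client app, the admin grant) and the check a resource API should run on the resulting token, as an added Python example that is not part of the original question or answer. Every GUID, the tenant id and the audience URI are constructed placeholders; the request bodies are built but not sent; the test token is unsigned ("alg": "none") only so the example runs offline. The appRoleAssignment body is the Microsoft Graph form of step 6 (POST /servicePrincipals/{clientSpObjectId}/appRoleAssignments), which the page itself does not use; the AAD Graph 1.6 endpoints in the post are not called here.

```python
import base64
import json
import uuid

# Constructed placeholders for this example; none of these are the ids from the post.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_APP_ID = "00000000-0000-0000-0000-000000000002"        # appId of the client app
CLIENT_SP_OBJECT_ID = "00000000-0000-0000-0000-000000000003"  # objectId of the client's service principal
RESOURCE_APP_ID = "00000000-0000-0000-0000-000000000004"      # appId of the resource app
RESOURCE_SP_OBJECT_ID = "00000000-0000-0000-0000-000000000005"
ROLE_ID = "5ff0033d-fa87-4a77-9b3d-b4b201dfc32e"              # appRole id from the manifest in the question
ROLE_VALUE = "Read_Only_Resource_API_11092017"                # appears verbatim in the "roles" claim
EXPECTED_AUD = "https://example.onmicrosoft.com/Resource_API_11092017"  # constructed App ID URI


def app_role(value, display_name, description, role_id=None, enabled=True):
    """Step 3: one entry of the resource app's "appRoles" manifest array."""
    return {
        "allowedMemberTypes": ["Application"],  # client-credentials callers, not users
        "description": description,
        "displayName": display_name,
        "id": role_id or str(uuid.uuid4()),
        "isEnabled": enabled,
        "value": value,
    }


def required_resource_access(resource_app_id, role_ids):
    """Step 5: PATCH body for the client app. "type": "Role" marks an application
    permission; "Scope" would be a delegated one and never yields a "roles" claim
    in a client-credentials token."""
    return {
        "requiredResourceAccess": [{
            "resourceAppId": resource_app_id,
            "resourceAccess": [{"id": rid, "type": "Role"} for rid in role_ids],
        }]
    }


def app_role_assignment(client_sp_object_id, resource_sp_object_id, role_id):
    """Step 6 as data: requiredResourceAccess only *requests* the permission. The grant
    that the portal's "Grant permissions" button creates is an appRoleAssignment on the
    client's service principal (Microsoft Graph: POST /servicePrincipals/{id}/appRoleAssignments)."""
    return {
        "principalId": client_sp_object_id,
        "resourceId": resource_sp_object_id,
        "appRoleId": role_id,
    }


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload):
    """Constructed, unsigned JWT so the example runs offline. A real token is signed
    by https://sts.windows.net/{tid}/; never accept "alg": "none" in production."""
    return f"{_b64url_encode({'typ': 'JWT', 'alg': 'none'})}.{_b64url_encode(payload)}."


def jwt_payload(token):
    """Decode the payload segment. This does NOT validate the signature; the resource
    server must do that against the tenant's signing keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def granted_roles(payload, expected_aud, expected_tid):
    """Authorization check after signature validation: right audience, right tenant,
    then the roles. An empty set is exactly the questioner's symptom: the token is
    valid for the resource but carries no "roles" claim."""
    if payload.get("aud") != expected_aud:
        raise PermissionError("token was not issued for this resource")
    if payload.get("tid") != expected_tid:
        raise PermissionError("token comes from an unexpected tenant")
    return set(payload.get("roles", []))


def has_role(token, required_role):
    return required_role in granted_roles(jwt_payload(token), EXPECTED_AUD, TENANT_ID)


# Constructed payloads mirroring the two tokens in the post: before and after the grant.
PAYLOAD_BEFORE = {"aud": EXPECTED_AUD, "iss": f"https://sts.windows.net/{TENANT_ID}/",
                  "appid": CLIENT_APP_ID, "appidacr": "1", "tid": TENANT_ID, "ver": "1.0"}
PAYLOAD_AFTER = {**PAYLOAD_BEFORE, "oid": CLIENT_SP_OBJECT_ID, "sub": CLIENT_SP_OBJECT_ID,
                 "roles": [ROLE_VALUE]}

if __name__ == "__main__":
    print(json.dumps(required_resource_access(RESOURCE_APP_ID, [ROLE_ID]), indent=2))
    print(json.dumps(app_role_assignment(CLIENT_SP_OBJECT_ID, RESOURCE_SP_OBJECT_ID, ROLE_ID), indent=2))
    print(has_role(make_unsigned_token(PAYLOAD_BEFORE), ROLE_VALUE))  # False
    print(has_role(make_unsigned_token(PAYLOAD_AFTER), ROLE_VALUE))   # True
```

The point of splitting requiredResourceAccess from app_role_assignment is the one the answer hits in step 6: patching the client app only declares what it wants, and the token stays without a "roles" claim until the grant object exists. On the resource side, the check refuses a token for another audience or tenant before it even looks at roles, so a token obtained for some other API cannot be replayed against this one.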
    
