Azure API管理-范围声明为NULL [英] Azure API Management - Scope Claim NULL
问题描述
在使用Azure注册我开发的API之后,我对SCP声明有疑问.我遵循了各种教程和示例应用程序.一切都可以正确验证,并且我主要可以使用本教程从受信任的子系统调用API方法:
I have a question regarding the SCP claim after using Azure to register an API that I've developed. I've followed various tutorials and sample applications. Everything validates correctly and I'm able to call a API Method from a trusted subsystem using primarily this tutorial: https://github.com/AzureADSamples/WebApp-WebAPI-OAuth2-AppIdentity-DotNet
我遇到的问题是当我尝试验证SCP声明时:
The problem that I'm having is when I try to validate the SCP claim:
Claim scopeClaim = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/scope");
scopeClaim值始终为null.我确实在ClaimsPrincipal.Current对象中看到了索赔,但没有看到Scope.我的理解是,如果我下载清单并在包含应用程序许可的情况下上传清单,它将在API中可用,以验证调用应用程序是否具有正确的作用域.以下是我的应用程序清单(仅限appPermissions):
The scopeClaim value is always null. I do see over claims within the ClaimsPrincipal.Current object but not the Scope. My understanding is that if I download the manifest and upload it with the application permission included it will be available within the API to verify if the calling application has the correct Scope. Below is my application manifest (appPermissions only):
"appPermissions": [
{
"claimValue": "access.fullaccess",
"description": "Allow the application full access to the service on behalf of the signed-in user",
"directAccessGrantTypes": [],
"displayName": "Have full access to the service",
"impersonationAccessGrantTypes": [
{
"impersonated": "User",
"impersonator": "Application"
}
],
"isDisabled": false,
"origin": "Application",
"permissionId": "52966341-1bb5-4e9f-b4f6-46aad4d03b33",
"resourceScopeType": "Personal",
"userConsentDescription": "Allow the application full access to the service on your behalf",
"userConsentDisplayName": "Have full access to the service"
}
]
更新
因此,在进一步尝试并为API创建多个appPermissions并允许客户端Web应用程序选择多个范围"时,返回的JWT不包含任何范围声明.有什么我想念的东西或做不正确吗?
Update
So upon further playing around and creating multiple appPermissions for the API and allowing the client Web Application to choose multiple "Scopes" the JWT returned does not contain any of the Scope Claims. Is there something that I'm missing or not doing correctly?
推荐答案
您在JWT令牌中获得的声明取决于您使用的OAuth流以及您定义的权限.
The claims you get back in the JWT Token depends on the OAuth flow you are using, and on the permissions you have defined.
使用Azure AD实施OAuth时,您将始终(至少)需要在Azure AD中注册两个应用程序:一个API提供程序和一个或多个API使用者.根据您要实现的流程,您还需要用户配合使用.
When using Azure AD to implement OAuth, you will always need (at least) two applications registered with Azure AD: One API Provider, and one or more API Consumers. Depending on which Flow you are implementing, you will also need Users to go with that.
让我们首先选择最简单的情况:客户端凭据流.在CC Flow中,您没有任何用户参与,并且唯一重要的权限是应用程序权限".现在,这有点棘手,它们并没有像scp所声明的那样反映在JWT令牌中,而是反映为包含appRoles的roles(请参见
Let's pick the simplest case first: The Client Credentials Flow. In the CC Flow, you don't have any users involved, and the only permissions which are important are the Application Permissions. Now, and this is a little tricky, those aren't reflected in the JWT Token as scp claims, but rather as a roles containing the appRoles (see documentation) of the Consumer Application. These "App Roles" need to be defined, just like the appPermissions, in the manifest of the API providing application.
仅当您使用还包含用户的流(例如授权代码授予或资源所有者密码授予)时,如果您已使用AD界面定义了相应的权限,则您将在令牌中看到scp声明.
Only if you use a Flow which also contains a User, like the Authorization Code Grant or the Resource Owner Password Grant, you will see the scp claims in your token, if you have defined the corresponding permissions using the AD interface.
这篇关于Azure API管理-范围声明为NULL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
