Azure AD:角色声明在访问令牌中丢失 [英] Azure AD: Roles claims missing in access token
问题描述
对于我的应用程序,我希望用户能够使用其Azure帐户(单一登录)进行登录.我还需要一个访问令牌来访问受保护的后端.
因此,我可以同时获得id_token和access_token以及对此URL的请求:
For my application, I want users to be able to sign in with their Azure Account (Single Sign On). I also need an access token to access the secured backend.
So I can get both, the id_token and the access_token, with a request to this url:
https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize?response_type=id_token+token&client_id=MY_CLIENT_ID&state=SOME_STATE&redirect_uri=MY_REDIRECT_URI&scope=openid profile&resource=MY_CLIENT_ID&nonce=SOME_NONCE
这基本上可行,但是我也想在访问令牌(和id令牌)中扮演角色,但是我收到的令牌中不包含角色.
This basically works, but I also want to have the roles in the access token (and in the id token), but the roles are not included in the tokens I receive.
当我使用此网址仅获得一个id_token时,包括了角色声明:
When I use this Url to only get an id_token, the role claims are included:
https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize?response_type=id_token&client_id=MY_CLIENT_ID&state=SOME_STATE&redirect_uri=MY_REDIRECT_URI&scope=openid profile&nonce=SOME_NONCE
区别在于我只请求id_token而不是token,而忽略了resource参数.
The difference is I request only the id_token and not the token and I leave out the resource parameter.
我的问题是:为什么角色要求未包含在第一个请求的令牌中?要获得具有角色声明的id_token和access_token,我有什么选择?
My questions are: Why are the role claims not included in the tokens of the first request? What are my options to get id_token and the access_token with the roles claims?
这是在应用清单中定义应用的方式:
edit: This is how the approles are defined in the app's manifest:
{
"appId": "MY_CLIENT_ID",
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Admin",
"id": "c200e304-fff3-49f1-a4df-e406741ea690",
"isEnabled": true,
"description": "Bla bla",
"value": "admin"
},
{
"allowedMemberTypes": [
"User"
],
"displayName": "Reader",
"id": "c534f351-b343-48d0-9dd7-ecb4c5cb402d",
"isEnabled": true,
"description": "Bla bla",
"value": "reader"
}
],
"availableToOtherTenants": false,
...
}
推荐答案
我也可以重现该问题.不确定这是一个错误还是设计使然,我发现此问题仅在我们为应用程序自身获取令牌时才会发生.例如,如果我们用Azure AD Graph替换资源,则可以在id_token中成功发布角色声明.
I can also reproduce the issue. Not sure this a bug or by design and I found this issue only occur when we acquire the token for the app self. For example, if we replace the resource with Azure AD Graph, the role claims could issued in the id_token successfully.
作为解决此问题的方法,建议您在第一个请求中获取id_token.然后,由于用户已经登录,因此可以使用adal库在iframe中获取访问令牌,而无需用户交互.
As a workaround for this issue, I suggest that you acquire the id_token in the first request. And then you can acquire the access token in the iframe using adal library without user interaction since the users already sign-in.
这篇关于Azure AD:角色声明在访问令牌中丢失的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
