How to add a custom claim and retrieve the same as part of access_token, when the scope is not Graph API in Azure AD?


Problem description


I have created an Azure AD web application. Now I am getting my access_token using the following API,

POST https://login.microsoftonline.com/{Directory (tenant) ID }/oauth2/v2.0/token

password:pass
client_id:id
resource:https://graph.microsoft.com
grant_type:password
client_secret:secret
username:userName
scope:https://rbsessence.onmicrosoft.com/0a7c94a0-0c4e-4f95-ba06-XXXX/.default

The response looks like,

{
    "token_type": "Bearer",
    "scope": "https://rbsessence.onmicrosoft.com/0a7c94a0-0c4e-4f95-ba06-XXXXX/myTestRole https://rbsessence.onmicrosoft.com/0a7c94a0-0c4e-4f95-ba06-XXXXXX/user_impersonation https://rbsessence.onmicrosoft.com/0a7c94a0-0c4e-4f95-ba06-XXXXX/.default",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "accessToken"
}

Now I am passing the access_token to a third party application which is configured with the same Azure AD client. Now that third party is expecting a custom claim by the name "policy":"readwrite", to be passed as part of access_token. How can I achieve the same?

Solution

Please refer to the following steps (you can do the Microsoft Graph operations in Microsoft Graph Explorer to save time):

Create an extensionProperty (you could use a newly created Azure AD application here):

Post https://graph.microsoft.com/v1.0/applications/{object id of the Azure AD application}/extensionProperties

{"name":"policy","dataType":"string","targetObjects":["User"]}

It will generate an extension property named extension_{client id of the Azure AD application}_policy.

Secondly, you can update the extension property for your account:

Patch https://graph.microsoft.com/v1.0/me

{"extension_6d8190fbf1fe4bc38a5a145520221989_policy":"readwrite"}

Then create a claimsMappingPolicy:

Post https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies

{"definition":["{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ExtensionID\":\"extension_6d8190fbf1fe4bc38a5a145520221989_policy\",\"JwtClaimType\":\"policy\"}]}}"],"displayName":"ExtraClaimsAllen1Example","isOrganizationDefault":true}

Assign the claimsMappingPolicy to a servicePrincipal. Please note that the servicePrincipal here is the enterprise application which represents your third party application. In your case it is 0a7c94a0-0c4e-4f95-ba06-XXXX.

Post https://graph.microsoft.com/v1.0/servicePrincipals/{object id of the servicePrincipal which represents your third party application}/claimsMappingPolicies/$ref

{"@odata.id":"https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/{policy id from the previous step}"}

You could find the servicePrincipal from Azure Portal -> Azure Active Directory -> App registrations -> find your third party Azure AD app -> Overview -> click on the name of its associated service principal.

Now go back to the manifest file of the third party Azure AD app. Set acceptMappedClaims to true and accessTokenAcceptedVersion to 2.

Then when we request an access token for the third party application with ROPC grant flow, we can get the custom claim.
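As an added illustration (not part of the original answer, and not Microsoft's own tooling), the Python below assembles the four Graph calls from the steps above in order, serializes the claimsMappingPolicy definition correctly (the definition is a JSON string inside a JSON array, which is why its inner quotes must be escaped), and decodes a token to confirm that the policy claim, the v2 token format and the audience are what the third party expects. The dashed client id 6d8190fb-f1fe-4bc3-8a5a-145520221989 is the answer's id written back with dashes, the object-id arguments and policy id are placeholders, the token is constructed locally with a dummy signature, and check_custom_claim does not verify the signature, so it is for inspecting setup results only, never for authorization.

```python
"""Added example (not from the original answer): builds the Graph request
sequence from the accepted answer and checks the resulting token offline."""
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"


def extension_property_name(app_client_id: str, name: str) -> str:
    """Azure AD names a directory extension extension_{client id without dashes}_{name}."""
    return f"extension_{app_client_id.replace('-', '')}_{name}"


def claims_mapping_policy(extension_name: str, jwt_claim: str, display_name: str) -> dict:
    """Body for POST /policies/claimsMappingPolicies.

    'definition' is an array holding the policy as a JSON *string*, so the inner
    document is serialized separately; pasting it in raw breaks the outer JSON.
    """
    inner = {
        "ClaimsMappingPolicy": {
            "Version": 1,
            "IncludeBasicClaimSet": "true",
            "ClaimsSchema": [
                {"Source": "user", "ExtensionID": extension_name, "JwtClaimType": jwt_claim}
            ],
        }
    }
    return {
        "definition": [json.dumps(inner, separators=(",", ":"))],
        "displayName": display_name,
        "isOrganizationDefault": True,
    }


def provisioning_plan(ext_app_object_id, ext_app_client_id, sp_object_id, value,
                      policy_id="{policy id from the claimsMappingPolicies response}"):
    """Return the (method, url, body) calls in the order the answer gives them.
    policy_id is only known after the third call succeeds, hence the placeholder."""
    ext = extension_property_name(ext_app_client_id, "policy")
    return [
        ("POST", f"{GRAPH}/applications/{ext_app_object_id}/extensionProperties",
         {"name": "policy", "dataType": "string", "targetObjects": ["User"]}),
        ("PATCH", f"{GRAPH}/me", {ext: value}),
        ("POST", f"{GRAPH}/policies/claimsMappingPolicies",
         claims_mapping_policy(ext, "policy", "ExtraClaimsExample")),
        ("POST", f"{GRAPH}/servicePrincipals/{sp_object_id}/claimsMappingPolicies/$ref",
         {"@odata.id": f"{GRAPH}/policies/claimsMappingPolicies/{policy_id}"}),
    ]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def constructed_token(payload: dict) -> str:
    """Constructed JWT with a dummy signature, only for exercising the check offline."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.dummysignature"


def check_custom_claim(token: str, expected_aud: str, claim="policy", value="readwrite"):
    """Decode the payload WITHOUT signature verification (inspection only, never
    authorization) and list what is still wrong with the token after setup."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append("aud is not the third-party app")
    if claims.get("ver") != "2.0":        # manifest accessTokenAcceptedVersion must be 2
        problems.append("not a v2 token (accessTokenAcceptedVersion)")
    if claims.get(claim) != value:        # acceptMappedClaims / policy assignment missing
        problems.append(f"claim {claim!r} missing or wrong")
    return problems


if __name__ == "__main__":
    app_id = "0a7c94a0-0c4e-4f95-ba06-XXXX"   # placeholder id from the question
    good = constructed_token({"aud": app_id, "ver": "2.0", "policy": "readwrite"})
    print(check_custom_claim(good, app_id))
    plan = provisioning_plan("{object id}", "6d8190fb-f1fe-4bc3-8a5a-145520221989",
                             "{sp object id}", "readwrite")
    for method, url, body in plan:
        print(method, url, json.dumps(body))
```

Running the checker against a real token obtained with the ROPC request from the question tells you which of the three steps (audience, manifest version, claim mapping) is still missing, which is quicker than re-reading the configuration; an empty list means the token carries the claim.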
