Azure AD 联合的 ID 令牌不包含“角色";宣称 [英] ID token from Azure AD federation does not contains "roles" claim
问题描述
我创建了一个 Azure B2C 租户,并为 Azure Active Directory (AD) 创建了自定义 IDP.我从 B2C 创建了用户流以联合到 Azure AD 并获取访问令牌.
我遵循的步骤.
- 创建 azure AD 应用程序
- 生成了一个秘密
- 创建自定义角色
- 从 AD 企业应用程序为用户分配自定义角色
- 在 B2C 中创建 IDP
- 创建 B2C 应用
- 创建了登录策略
- 为联合添加了 IDP
- 运行用户流程
- 联盟登录
Azure AD 成功检索到令牌 (idp_access_token) 作为联合的结果.但问题是从 azure AD 检索的令牌不包含角色声明.我创建了两个应用角色并将它们分配给用户.但我在令牌中看不到任何角色.
我遵循了以下文档.
这是创建 B2C IDP 所需的详细信息.
如何将这些细节与范围解决方案进行映射?
需要在Azure AD中创建两个应用,一个代表客户端应用,另一个代表api应用,然后使用客户端应用调用api应用.
首先,需要暴露受Azure保护的后端应用的API,并添加客户端应用:
接下来需要设置api应用AppRole,这是你自定义的角色,会显示在manifest中.
然后您可以将角色分配给用户.转到企业应用程序>您的 api 应用程序>用户和组.
接下来,转到客户端应用程序,让您的客户端应用程序访问您的后端 api:
- 在API 权限"下点击添加权限",然后点击我的 API"标签.
- 找到您的后端应用程序并选择适当的范围.
- 点击添加权限".
- 为您的 API 授予管理员许可.
接下来,您需要使用
解析 v2.0 令牌,它包含 scp 声明和 roles 声明.
I created a Azure B2C tenant and i created custom IDP for Azure Active Directory (AD). I created the user flow from B2C to federate to the Azure AD and get the access token.
Steps that i have followed.
- Created azure AD application
- Generated a secret
- Created custom roles
- Assigned custom roles to users from AD Enterprise Applications
- Created an IDP in B2C
- Created B2C app
- Created a login policy
- Added IDP for federation
- Run the user flow
- Login by federation
The azure AD successfully retrieves the token (idp_access_token) as a result of federation. but the issue is the token that retrieve from the azure AD does not contains roles claim. I have created two app roles and assigned them to user. But i couldn't see any roles inside the token.
I followed following documentation. https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
Isn't this not valid for federations? What is the exact way to get assigned app roles by federation.
Here is the required details to create B2C IDP.
How to map these details with scope solution?
You need to create two applications in Azure AD, one representing the client application and the other representing the api application, and then use the client application to call the api application.
First, you need to expose the API of the back-end application protected by Azure and add the client application:
Next you need to set the api application AppRole, which is your customized role, and it will be displayed in the manifest.
Then you can assign the role to the user. Go to enterprise application>your api application>Users and groups.
Next, go to the client application, give your client application access to your backend api:
- Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
- Find your backend application and select the appropriate scope.
- Click 'Add permissions'.
- Grant admin consent for your APIs.
Next, you need to use the auth code flow to obtain an access token,which requires you to log in to the user and obtain the authorization code, and then use the authorization code to redeem the access token.
Parse the v2.0 token, it contains both scp claims and roles claims.
这篇关于Azure AD 联合的 ID 令牌不包含“角色";宣称的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
