Access Token missing Optional Claims that are Schema Extensions - Implicit Grant Flow

Views: 104

Problem description


We are trying to get a Schema Extension on a User object to appear in an Access Token acquired using the Implicit Grant Flow but have been unsuccessful.

We've successfully created the schema extension and updated a user to provide a value for that schema extension.

We've created an App Registration, and configured the Implicit Grant to include both Access Tokens and ID Tokens.  And the Supported Account Types are "Accounts in any organization".

The App Registration's Manifest has been updated to include the configuration of two optional claims per token.  We used the "UPN" and our schema extension.
The "UPN" appears in both the ID Token and the Access Token.
However, the schema extension only appears in the ID Token and NOT in the Access Token.

We know that the user's schema extension value has been successfully set based on Graph API queries and by the fact it appears in the ID Token.  But it does not appear in the Access Token.

We have seen that acquiring a token via the Resource Owner Grant Flow results in the extension property appearing in the access token in that flow.
However, when using the Implicit Grant Flow the schema extension is not included in the access token.

Here is the documentation referenced:

Creating the Schema Extension:
Used both of these methods for creating a Schema Extension.  The first one uses the Azure AD Graph API and the second uses the MS Graph API.  Both successfully provide the ability to add properties to the User object.  But it does not matter which is used because neither one ends up in the access token when using the Implicit Grant Flow.

Directory schema extensions | Graph API concepts
https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions

Add custom data to groups using schema extensions
https://docs.microsoft.com/en-us/graph/extensibility-schema-groups

Followed this for providing the optional claims...
How to: Provide optional claims to your Azure AD app
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

Used this quickstart app to test login and acquisition of tokens...
Quickstart: Sign in users and acquire an access token from a JavaScript single-page application (SPA)
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-javascript#option-1-register-and-auto-configure-your-app-and-then-download-your-code-sample

Question:

What additional configuration is necessary to successfully include a schema extension of a user object within an Access Token via the Implicit Grant Flow?

Solution

As per my understanding, it seems you have added the schema extension claim in the manifest of the client app and thus you are getting it in the id token.  If you want to have the claim in access token then you need to modify the manifest of the resource app. In your scenario - 

If you have an Application A which needs access to a Web API B and you want the claims in the access_token then you need to modify the manifest of B.
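The answer's point is easy to verify from the tokens themselves: optional claims in an access token are governed by the manifest of the application named in the token's `aud` claim (the resource, Web API B), not by the client that requested the token. The following Python script is an added example written for this page; it is not code from the question, the answer, or Microsoft. It decodes the payload of both tokens without checking the signature (inspection of tokens you already hold, not an authorization decision), reports which expected claims appear in the ID token but not in the access token, and builds the `optionalClaims.accessToken` fragment that would go into the resource app's manifest. The sample tokens, application IDs and the `extn.costCenter` claim name are constructed placeholders; the manifest keys (`optionalClaims`, `accessToken`, `name`, `source`, `essential`, `additionalProperties`) are the ones used by the Azure AD app manifest, and `source: "user"` for extension attributes is this example's assumption about how directory extension claims are declared, so check the claim name format against the optional-claims documentation linked above for the extension type you used.

```python
from __future__ import annotations

import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Only for inspecting tokens during debugging; never use the result to grant
    access, because an unverified payload can say anything.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_optional_claims(id_token: str, access_token: str, expected: list[str]) -> dict:
    """Compare the two tokens and say whose manifest controls the access token."""
    id_claims = jwt_claims(id_token)
    at_claims = jwt_claims(access_token)
    missing = [c for c in expected if c in id_claims and c not in at_claims]
    return {
        "id_token_aud": id_claims.get("aud"),          # the client app (A)
        "access_token_aud": at_claims.get("aud"),      # the resource app (B)
        "missing_from_access_token": missing,
        # The app registration identified by the access token's aud is the
        # one whose manifest needs the accessToken optional-claims entries.
        "manifest_to_edit": at_claims.get("aud"),
    }


def resource_app_optional_claims(claims: list[tuple[str, str | None]]) -> dict:
    """Build the optionalClaims fragment for the resource app's manifest.

    `claims` is a list of (name, source) pairs; built-in claims such as "upn"
    use source None, extension attributes use "user" (assumption, see lead-in).
    """
    return {
        "optionalClaims": {
            "accessToken": [
                {"name": name, "source": source, "essential": False, "additionalProperties": []}
                for name, source in claims
            ]
        }
    }


# --- constructed sample data (placeholders, not real tenant values) ---------
CLIENT_APP_ID = "00000000-0000-0000-0000-00000000000a"   # Application A
API_APP_ID = "00000000-0000-0000-0000-00000000000b"      # Web API B


def _make_unsigned_token(payload: dict) -> str:
    # Unsigned token purely so the example runs offline; real tokens are signed.
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",
    ])


SAMPLE_ID_TOKEN = _make_unsigned_token({
    "aud": CLIENT_APP_ID,
    "upn": "alice@example.test",
    "extn.costCenter": "4711",          # present: A's manifest has the idToken entry
})
SAMPLE_ACCESS_TOKEN = _make_unsigned_token({
    "aud": f"api://{API_APP_ID}",
    "upn": "alice@example.test",        # present: upn configured on B as well
    # extn.costCenter absent: B's manifest lacks the accessToken entry
})


if __name__ == "__main__":
    report = diagnose_optional_claims(SAMPLE_ID_TOKEN, SAMPLE_ACCESS_TOKEN,
                                      ["upn", "extn.costCenter"])
    print(json.dumps(report, indent=2))
    fragment = resource_app_optional_claims([("upn", None), ("extn.costCenter", "user")])
    print(json.dumps(fragment, indent=2))
```

Run it on the constructed tokens and the report names `api://<API_APP_ID>` as the manifest to edit, with `extn.costCenter` listed as missing; substitute the ID token and access token from your own sign-in (for example, from the quickstart SPA's console) to see which registration your access token is actually issued for.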

