JWT中的Azure AD自定义声明 [英] Azure AD Custom Claims in JWT

问题描述

我有一个Azure AD应用程序，我正在尝试向JWT添加自定义声明.我正在为特定应用程序使用Azure中的声明映射功能，并更新了Azure门户中的应用程序清单以包括可选声明.但是，当我登录并查看已解码的访问令牌时，该令牌中没有声明.我没有找到太多有关使用扩展属性作为声明的文档，但是从我发现的内容来看，它应该遵循相同的模式，但是不能按预期工作.

当用户登录时，如何将源自AD中用户对象的自定义属性的自定义声明添加到JWT?

提前谢谢！

重新创建的步骤

1. 使用Azure AD Graph API注册目录扩展名

请求:

POST https://graph.windows.net/mytenant.onmicrosoft.com/applications/<application-object-id>/extensionProperties?api-version=1.5

身体:

{
   "name": "customUserRoles",
   "dataType": "String",
   "targetObjects": ["User"]
}

2. 为扩展名的特定AD用户写入一个值

请求:

PATCH https://graph.windows.net/mytenant.onmicrosoft.com/users/user123@mytenant.onmicrosoft.com?api-version=1.5

身体:

{
   "extension_<appId>_customUserRoles": "My Custom Role 1, Another Role 2"
}

3. 在PowerShell中，我安装了Azure AD模块:Install-Module -Name AzureADPreview
4. 创建Azure AD策略

New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version": 1, "IncludeBasicClaimSet": "true", "
ClaimsSchema": [ { "Source": "user", "ID": "extension_<appId>_customUserRoles", "JwtClaimType": "customUserRoles" } ] } }') -DisplayName "customUserRoles" -Type "ClaimsMappingPolicy"

5. 将策略添加到服务主体

Add-AzureADServicePrincipalPolicy -Id <service-principla-id> -RefObjectId <azure-ad-policy-id>

6. 在Azure门户中，导航到Azure AD->应用程序注册->我的应用程序->清单
7. 更新以下属性

{
   ...
   "acceptMappedClaims: true,
   "optionalClaims": {
      "idToken": [
         {
            "name": "extension_<appId>_customUserRoles",
            "source": "user",
            "essential": false,
         }
      ],
      "accessToken": [
         {
            "name": "extension_<appId>_customUserRoles",
            "source": "user",
            "essential": false,
         }
      ],
      "samlToken": []
   }
}

8. 保存文件
9. 导航到https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/authorize?client_id=<appId>&response_type=token&resource=https://mytenant.sharepoint.com并使用Azure AD用户帐户user123@mytenant.onmicrosoft.com
登录
10. 在URL中，复制access_token参数的值
11. 导航到https://jwt.ms并将访问令牌粘贴到文本区域
12. 在已解码令牌"部分中，不存在自定义声明 customUserRoles

我的期望是我应该在解码令牌中看到一个称为customUserRoles或extn.customUserRoles的新声明.

我缺少什么步骤?在此过程中，我没有遇到任何错误，但是它似乎并没有按照文档说明的那样工作.

---

参考资料

我已经阅读了有关以下主题的Microsoft文档:

可选声明: https: //docs.microsoft.com/zh-CN/azure/active-directory/develop/active-directory-optional-claims

索赔映射: https: //docs.microsoft.com/zh-CN/azure/active-directory/develop/active-directory-claims-mapping

---

我还阅读了与此相关的各种论坛帖子和博客文章:

https://devonblog.com/cloud/azure-ad-adding-employeeid-claims-in-azure-ad-jwt-token/

http://www.redbaronofazure.com/?p=7566

https://social.msdn.microsoft.com/Forums/zh-CN/dbeeed63-8d3f-4c27-b416-431f9fe6c729/providing-directory-extension可选的声明和令牌内的返回值?forum = WindowsAzureAD

解决方案

基于 https://graph.microsoft.com/user.read .该资源是 图形.因此，访问令牌是使用Graph清单创建的，而不是 客户的清单.为您的应用程序更改清单 永远不要使Graph的标记看起来有所不同.为了验证 您的accessToken更改已生效，请为您的请求令牌 应用程序，而不是其他应用程序.

并且根据您的要求，如果要对访问令牌进行某些更改是不可能的，访问令牌的资源是在线共享点，这是由MSFT创建和管理的多租户应用程序.

对于此文档，我也为您做过一些研究.同样，您应该控制服务端应用程序，以便您能够实现这一目标.

这是我的策略角色分配命令:

$nsp = New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"mailnickname","JwtClaimType":"testclaim"}]}}') -DisplayName "StanCustomCliamDemo_surname" -Type "ClaimsMappingPolicy"

Add-AzureADServicePrincipalPolicy  -RefObjectId $nsp.Id -Id '<obj id of service side app>'

令牌结果:

此外，请注意extension_<appId>_customUserRoles不是有效的用户源ID.对于所有有效的用户源ID，请参考

2. Write a value to the extension for a specific AD user

Request:

PATCH https://graph.windows.net/mytenant.onmicrosoft.com/users/user123@mytenant.onmicrosoft.com?api-version=1.5

Body:

{
   "extension_<appId>_customUserRoles": "My Custom Role 1, Another Role 2"
}

3. In PowerShell, I installed the Azure AD module: Install-Module -Name AzureADPreview
4. Create an Azure AD policy

New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version": 1, "IncludeBasicClaimSet": "true", "
ClaimsSchema": [ { "Source": "user", "ID": "extension_<appId>_customUserRoles", "JwtClaimType": "customUserRoles" } ] } }') -DisplayName "customUserRoles" -Type "ClaimsMappingPolicy"

5. Add the policy to the service principal

Add-AzureADServicePrincipalPolicy -Id <service-principla-id> -RefObjectId <azure-ad-policy-id>

6. In the Azure Portal, navigate to Azure AD -> App Registrations -> My App -> Manifest
7. Update the following properties

{
   ...
   "acceptMappedClaims: true,
   "optionalClaims": {
      "idToken": [
         {
            "name": "extension_<appId>_customUserRoles",
            "source": "user",
            "essential": false,
         }
      ],
      "accessToken": [
         {
            "name": "extension_<appId>_customUserRoles",
            "source": "user",
            "essential": false,
         }
      ],
      "samlToken": []
   }
}

8. Save the file
9. Navigate to https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/authorize?client_id=<appId>&response_type=token&resource=https://mytenant.sharepoint.com and login with Azure AD user account user123@mytenant.onmicrosoft.com
10. In the URL, copy the value of the access_token parameter
11. Navigate to https://jwt.ms and paste the access token in the text area
12. In the decoded token section, the custom claim customUserRoles is not present

My expectation is I should see a new claim called customUserRoles or extn.customUserRoles in the decoded token.

What steps am I missing? I haven't gotten any errors throughout this process, but it doesn't appear to be working as the documentation suggests.

---

Reference Material

I have read through Microsoft's documentation on these topics:

Optional Claims: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

Claims Mapping: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping

---

I have also read through various forum posts and blog articles relating to this:

https://devonblog.com/cloud/azure-ad-adding-employeeid-claims-in-azure-ad-jwt-token/

http://www.redbaronofazure.com/?p=7566

https://social.msdn.microsoft.com/Forums/en-US/3e5114b6-24d6-4c60-b72b-b4c90baeecac/access-token-missing-optional-claims-that-are-schema-extensions-implicit-grant-flow

https://social.msdn.microsoft.com/Forums/en-US/dbeeed63-8d3f-4c27-b416-431f9fe6c729/providing-directory-extension-optional-claims-and-returning-value-within-token?forum=WindowsAzureAD

解决方案

Based on this official doc :

Access tokens are always generated using the manifest of the resource, not the client. So in the request ...scope=https://graph.microsoft.com/user.read... the resource is Graph. Thus, the access token is created using the Graph manifest, not the client's manifest. Changing the manifest for your application will never cause tokens for Graph to look different. In order to validate that your accessToken changes are in effect, request a token for your application, not another app.

And based on your requirement , it is impossible if you want to make some change on an access token which resource is sharepoint online which is a multi-tenant app created and managed by MSFT.

For this doc , I also did some research for you . And the same , you should have control of the service side app so that you can make that happen.

This is my policy role assignment command :

$nsp = New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"mailnickname","JwtClaimType":"testclaim"}]}}') -DisplayName "StanCustomCliamDemo_surname" -Type "ClaimsMappingPolicy"

Add-AzureADServicePrincipalPolicy  -RefObjectId $nsp.Id -Id '<obj id of service side app>'

Token result :

What's more , pls note that extension_<appId>_customUserRoles is not a valid user source ID . For all valid user source ID , pls refer to here .

Hope it helps .

这篇关于JWT中的Azure AD自定义声明的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！