JWT中的Azure AD自定义声明 [英] Azure AD Custom Claims in JWT
问题描述
我有一个Azure AD应用程序,我正在尝试向JWT添加自定义声明.我正在为特定应用程序使用Azure中的声明映射功能,并更新了Azure门户中的应用程序清单以包括可选声明.但是,当我登录并查看已解码的访问令牌时,该令牌中没有声明.我没有找到太多有关使用扩展属性作为声明的文档,但是从我发现的内容来看,它应该遵循相同的模式,但是不能按预期工作.
当用户登录时,如何将源自AD中用户对象的自定义属性的自定义声明添加到JWT?
提前谢谢!
重新创建的步骤
- 使用Azure AD Graph API注册目录扩展名
请求:
POST https://graph.windows.net/mytenant.onmicrosoft.com/applications/<application-object-id>/extensionProperties?api-version=1.5
身体:
{
"name": "customUserRoles",
"dataType": "String",
"targetObjects": ["User"]
}
- 为扩展名的特定AD用户写入一个值
请求:
PATCH https://graph.windows.net/mytenant.onmicrosoft.com/users/user123@mytenant.onmicrosoft.com?api-version=1.5
身体:
{
"extension_<appId>_customUserRoles": "My Custom Role 1, Another Role 2"
}
- 在PowerShell中,我安装了Azure AD模块:
Install-Module -Name AzureADPreview
- 创建Azure AD策略
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version": 1, "IncludeBasicClaimSet": "true", "
ClaimsSchema": [ { "Source": "user", "ID": "extension_<appId>_customUserRoles", "JwtClaimType": "customUserRoles" } ] } }') -DisplayName "customUserRoles" -Type "ClaimsMappingPolicy"
- 将策略添加到服务主体
Add-AzureADServicePrincipalPolicy -Id <service-principla-id> -RefObjectId <azure-ad-policy-id>
- 在Azure门户中,导航到Azure AD->应用程序注册->我的应用程序->清单
- 更新以下属性
{
...
"acceptMappedClaims: true,
"optionalClaims": {
"idToken": [
{
"name": "extension_<appId>_customUserRoles",
"source": "user",
"essential": false,
}
],
"accessToken": [
{
"name": "extension_<appId>_customUserRoles",
"source": "user",
"essential": false,
}
],
"samlToken": []
}
}
- 保存文件
- 导航到
https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/authorize?client_id=<appId>&response_type=token&resource=https://mytenant.sharepoint.com
并使用Azure AD用户帐户user123@mytenant.onmicrosoft.com
登录
- 在URL中,复制
access_token
参数的值 - 导航到
https://jwt.ms
并将访问令牌粘贴到文本区域 - 在已解码令牌"部分中,不存在自定义声明 customUserRoles
我的期望是我应该在解码令牌中看到一个称为customUserRoles
或extn.customUserRoles
的新声明.
我缺少什么步骤?在此过程中,我没有遇到任何错误,但是它似乎并没有按照文档说明的那样工作.
参考资料
我已经阅读了有关以下主题的Microsoft文档:
可选声明: https: //docs.microsoft.com/zh-CN/azure/active-directory/develop/active-directory-optional-claims
索赔映射: https: //docs.microsoft.com/zh-CN/azure/active-directory/develop/active-directory-claims-mapping
我还阅读了与此相关的各种论坛帖子和博客文章:
https://devonblog.com/cloud/azure-ad-adding-employeeid-claims-in-azure-ad-jwt-token/
http://www.redbaronofazure.com/?p=7566 >
基于 https://graph.microsoft.com/user.read .该资源是 图形.因此,访问令牌是使用Graph清单创建的,而不是 客户的清单.为您的应用程序更改清单 永远不要使Graph的标记看起来有所不同.为了验证 您的accessToken更改已生效,请为您的请求令牌 应用程序,而不是其他应用程序.
并且根据您的要求,如果要对访问令牌进行某些更改是不可能的,访问令牌的资源是在线共享点,这是由MSFT创建和管理的多租户应用程序.
对于此文档,我也为您做过一些研究.同样,您应该控制服务端应用程序,以便您能够实现这一目标.
这是我的策略角色分配命令:
$nsp = New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"mailnickname","JwtClaimType":"testclaim"}]}}') -DisplayName "StanCustomCliamDemo_surname" -Type "ClaimsMappingPolicy"
Add-AzureADServicePrincipalPolicy -RefObjectId $nsp.Id -Id '<obj id of service side app>'
令牌结果:
此外,请注意
Request: Body:
My expectation is I should see a new claim called What steps am I missing? I haven't gotten any errors throughout this process, but it doesn't appear to be working as the documentation suggests. I have read through Microsoft's documentation on these topics: Optional Claims: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims Claims Mapping: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping I have also read through various forum posts and blog articles relating to this: https://devonblog.com/cloud/azure-ad-adding-employeeid-claims-in-azure-ad-jwt-token/ http://www.redbaronofazure.com/?p=7566 Based on this official doc : Access tokens are always generated using the manifest of the resource,
not the client. So in the request
...scope=https://graph.microsoft.com/user.read... the resource is
Graph. Thus, the access token is created using the Graph manifest, not
the client's manifest. Changing the manifest for your application will
never cause tokens for Graph to look different. In order to validate
that your accessToken changes are in effect, request a token for your
application, not another app. And based on your requirement , it is impossible if you want to make some change on an access token which resource is sharepoint online which is a multi-tenant app created and managed by MSFT. For this doc , I also did some research for you . And the same , you should have control of the service side app so that you can make that happen. This is my policy role assignment command : Token result :
What's more , pls note that Hope it helps . 这篇关于JWT中的Azure AD自定义声明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!extension_<appId>_customUserRoles
不是有效的用户源ID.对于所有有效的用户源ID,请参考
PATCH https://graph.windows.net/mytenant.onmicrosoft.com/users/user123@mytenant.onmicrosoft.com?api-version=1.5
{
"extension_<appId>_customUserRoles": "My Custom Role 1, Another Role 2"
}
Install-Module -Name AzureADPreview
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version": 1, "IncludeBasicClaimSet": "true", "
ClaimsSchema": [ { "Source": "user", "ID": "extension_<appId>_customUserRoles", "JwtClaimType": "customUserRoles" } ] } }') -DisplayName "customUserRoles" -Type "ClaimsMappingPolicy"
Add-AzureADServicePrincipalPolicy -Id <service-principla-id> -RefObjectId <azure-ad-policy-id>
{
...
"acceptMappedClaims: true,
"optionalClaims": {
"idToken": [
{
"name": "extension_<appId>_customUserRoles",
"source": "user",
"essential": false,
}
],
"accessToken": [
{
"name": "extension_<appId>_customUserRoles",
"source": "user",
"essential": false,
}
],
"samlToken": []
}
}
https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/authorize?client_id=<appId>&response_type=token&resource=https://mytenant.sharepoint.com
and login with Azure AD user account user123@mytenant.onmicrosoft.com
access_token
parameterhttps://jwt.ms
and paste the access token in the text areacustomUserRoles
or extn.customUserRoles
in the decoded token.
Reference Material
$nsp = New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"mailnickname","JwtClaimType":"testclaim"}]}}') -DisplayName "StanCustomCliamDemo_surname" -Type "ClaimsMappingPolicy"
Add-AzureADServicePrincipalPolicy -RefObjectId $nsp.Id -Id '<obj id of service side app>'
extension_<appId>_customUserRoles
is not a valid user source ID . For all valid user source ID , pls refer to here .