Getting Group Claims With ADFS 4.0 OAuth2 Token


Problem description


I successfully set up an ADFS 4.0 instance (Windows Server 2016) which I intend to use to authenticate and authorize the users of a single-page application towards a WebApi.

I pretty much followed this tutorial: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/single-page-application-with-ad-fs, which modifies a sample that uses Azure Active Directory.

Now.. all seems to work fine, I can get a basic JWT token from the /oauth2/authorize endpoint:

{
  "aud": "d668d637-7fd4-45ef-9eab-46fee230dcbc",
  "iss": "https://fs.contoso.com/adfs",
  "iat": 1494341035,
  "exp": 1494344635,
  "auth_time": 1494341035,
  "nonce": "c91e3f78-c31a-402e-a685-8d1586915227",
  "sub": "Rl7sOj0nDbgh8BVWZegrkvgAKaB/SwNuEbmORcWcae4=",
  "upn": "john.doe@contoso.com",
  "unique_name": "CONTOSO\\JohnDoe"
}

The token from AzureAD contained more properties, particularly family_name and given_name. But I was also hoping to add explicit group claims to the token. I thought I should be able to make this happen by setting the 'Issuance Transform Rules' correctly in the Web application Properties (Application Groups -> MyApp -> MyApp - WebApplication -> Properties). However, it seems no matter what I do, nothing seems to have any effect on the properties contained in the JWT returned from the endpoint. I always get exactly the same token structure.

I am not really sure how the 'Outgoing Claims' map to the token properties as nothing except the 'UPN' and the 'unique name' seems to be transferred. Any pointers what I may be doing wrong here?

Solution

As indicated in nzpcmad's answer, it appears that custom claims in the id_token using the default URL-parameter-encoded GET redirect is simply not supported. The reason for this may be that there is an URL length limit, but I find that quite questionable.

Anyway, apparently this restriction does not apply when the token is returned in a POST redirect. That's also why people describe it working just fine for MVC applications.

So I was able to work around the problem by redirecting the response to a backend API endpoint (POST), which just redirects it to the frontend (SPA) again, but as a GET request with URL-encoded parameters:

using System.Configuration;
using System.Net;
using System.Net.Http;
using System.Web.Http;

// ASP.NET Web API 2 endpoint registered in ADFS as the client's redirect_uri.
// With response_mode=form_post ADFS POSTs id_token and state here; the endpoint
// relays them to the SPA inside the URL fragment, which the browser does not
// send to the frontend server on subsequent requests.
public class LoginController : ApiController
{
    [HttpPost]
    [Route("login")]
    public HttpResponseMessage Login(FormDataCollection formData)
    {
        var token = formData["id_token"];
        var state = formData["state"];
        // 301: the browser follows with a GET, which is what the SPA expects.
        var response = Request.CreateResponse(HttpStatusCode.Moved);
        // Frontend origin comes from config, never from the request, so this
        // endpoint cannot be turned into an open redirector.
        var frontendUri = ConfigurationManager.AppSettings["ad:FrontendUri"];
        // Escape both values: the JWT is base64url-safe, but state is opaque client data.
        response.Headers.Location = new Uri(
            $"{frontendUri}#id_token={Uri.EscapeDataString(token ?? string.Empty)}&state={Uri.EscapeDataString(state ?? string.Empty)}");
        return response;
    }
}

Note that to change the response method from GET to POST, one simply has to add &response_mode=form_post to the OAuth request URL.
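The browser side of this workaround is not shown in the post. The following is an added example, not the original poster's code: it builds the authorize request with response_mode=form_post (step 1), and then consumes the #id_token=...&state=... fragment that the LoginController above relays (step 3), checking state, nonce, issuer, audience and expiry before reading the group claims, so it also shows how to inspect which claims actually arrived in the token from the question. Assumptions not in the post: the backend endpoint https://api.contoso.com/login, the claim name `group` for the issued groups, and the constructed sample token, which copies the claims from the question's decoded token, adds two group values and carries a fake signature.

```javascript
// Added example, not code from the original post: the browser (SPA) side of
// the form_post workaround. Step 1 builds the authorize request; the backend
// LoginController (step 2, in the answer) receives ADFS's POST and relays
// "#id_token=...&state=..." to the SPA; step 3 consumes that fragment.
// No imports: runs in a browser or in Node.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  const bin = typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
  return new TextDecoder().decode(Uint8Array.from(bin, c => c.charCodeAt(0)));
}

function base64UrlEncode(str) {
  const bin = Array.from(new TextEncoder().encode(str), b => String.fromCharCode(b)).join('');
  const b64 = typeof btoa === 'function' ? btoa(bin) : Buffer.from(bin, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Step 1: response_mode=form_post makes ADFS POST the token to redirect_uri
// instead of appending it to a GET. redirect_uri is therefore the backend's
// POST /login endpoint, and it must be registered on the ADFS client.
// state and nonce are fresh random values the SPA stores (e.g. sessionStorage)
// before navigating, so it can recognise the response later.
function buildAuthorizeUrl({ authority, clientId, redirectUri, state, nonce }) {
  const q = new URLSearchParams({
    client_id: clientId,
    response_type: 'id_token',
    response_mode: 'form_post',
    scope: 'openid',
    redirect_uri: redirectUri,
    state,
    nonce,
  });
  return `${authority}/oauth2/authorize?${q}`;
}

// Step 3: check the relayed fragment against the stored state/nonce and the
// token's own iss/aud/exp before reading any claim. This decodes the payload
// only. The Web API that later receives the token must verify the signature
// against the keys ADFS publishes under {authority}/discovery/keys; a SPA
// cannot make that decision for it.
function handleRedirect(hash, expected, nowSeconds = Math.floor(Date.now() / 1000)) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const token = params.get('id_token');
  if (!token) throw new Error('no id_token in fragment');
  if (params.get('state') !== expected.state) throw new Error('state mismatch (CSRF or replay)');

  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const claims = JSON.parse(base64UrlDecode(parts[1]));

  if (claims.nonce !== expected.nonce) throw new Error('nonce mismatch');
  if (claims.iss !== expected.authority) throw new Error(`unexpected issuer ${claims.iss}`);
  if (claims.aud !== expected.clientId) throw new Error('token was not issued to this client');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) throw new Error('token expired');

  // ADFS emits a single-valued claim as a string and a multi-valued one as an
  // array; normalise to an array. The claim name is whatever the issuance rule
  // emits; "group" is an assumption here.
  const raw = claims.group;
  const groups = raw === undefined ? [] : Array.isArray(raw) ? raw : [raw];
  return { claims, groups };
}

// Constructed sample (not captured from a real ADFS): the claims from the
// question's decoded token plus two group values, and a fake signature.
const SAMPLE = {
  authority: 'https://fs.contoso.com/adfs',
  clientId: 'd668d637-7fd4-45ef-9eab-46fee230dcbc',
  redirectUri: 'https://api.contoso.com/login',   // assumed backend endpoint
  state: 'e3b0c442-98fc-1c14-9afb-f4c8996fb924',
  nonce: 'c91e3f78-c31a-402e-a685-8d1586915227',
};

function makeSampleFragment() {
  const header = base64UrlEncode(JSON.stringify({ typ: 'JWT', alg: 'RS256' }));
  const payload = base64UrlEncode(JSON.stringify({
    aud: SAMPLE.clientId,
    iss: SAMPLE.authority,
    iat: 1494341035,
    exp: 1494344635,
    auth_time: 1494341035,
    nonce: SAMPLE.nonce,
    sub: 'Rl7sOj0nDbgh8BVWZegrkvgAKaB/SwNuEbmORcWcae4=',
    upn: 'john.doe@contoso.com',
    unique_name: 'CONTOSO\\JohnDoe',
    group: ['CONTOSO\\Domain Users', 'CONTOSO\\WebApi Users'],
  }));
  return `#id_token=${header}.${payload}.fakesignature&state=${encodeURIComponent(SAMPLE.state)}`;
}

console.log(buildAuthorizeUrl(SAMPLE));
console.log(handleRedirect(makeSampleFragment(), SAMPLE, 1494341100).groups);
```

Keeping the token in the fragment means the browser does not send it to the frontend server on later page loads, but the relay does pass it through the backend's POST handler, so that endpoint must be served over HTTPS and must not log request bodies. Signature verification belongs on the Web API that accepts the token as a bearer credential; what the SPA decodes here is only good enough to drive the UI.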
