Add claims into token Azure B2C


Question

What are the ways to include custom claims (a user's subscriptions or roles list, for example) in a token before issuing it in Azure AD B2C, provided that the claims are stored somewhere on our own server (not available in B2C)? The goal is to have the claims in the token to avoid an additional round trip to the storage on every request.

Investigation on the topic brought me to the following ways:

  1. Add a custom attribute via the Graph API and configure it to be included in the JWT. Attribute values should be kept in sync with our data storage.

  2. Custom Sign-In Policy like in this article https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-step-custom but, if I got it right, the additional Step 6 is a user journey to a publicly available API in a non-restricted way (the request is not secured by a secret, so it might be used to get user claims for any presented UserId)?

  3. IdentityServer4 Federation gateway http://docs.identityserver.io/en/release/topics/federation_gateway.html that will allow adding any claims before issuing.

Answer

The first two mechanisms you outlined are the most common and recommended ways to include custom claims in an Azure AD B2C issued token:

  1. Add a custom attribute and include it in the JWT. You can enable the custom attribute via the B2C UI or via the Graph API. You'd need to build your own mechanism to keep the value of this attribute in B2C in sync with your external source via the Graph API.

  2. You can use a custom policy to add a step in your authentication flow that calls a REST API to obtain the claim and include it in the token. This call to the REST API will be performed by the Azure AD B2C service and NOT the user's browser, so it'll be a service-to-service call (versus a client-to-service call), keeping any secrets you use for authentication with your REST API safe (such as an Azure Function code).
