Azure AD B2C - how to propagate new user claims to the Access Token


Question

I am using Azure AD B2C to authenticate users of my mobile app. I use Microsoft.Identity.Client on the device AcquireTokenSilent and AcquireTokenInteractive to manage user authentication state. Everything works great.

When the user has completed authentication, my server will check their ID to see if they're registered in my user database, and if not will ask for their details and save them. At this point I have a local unique Id for the user which I would like to add to their access token so that other services can use it for authorization. So I call the AD B2C graph API to set a UserId custom attribute. I have registered the custom attribute with Azure AD B2C and my User Flows all have UserId selected under Application Claims so that it gets added to the JWT. I am basically following option 1 described here: Add claims into token Azure B2C. The configuration appears to be correct and everything works perfectly...

... except for one thing. The UserId claim only appears in the Access Token after the user logs out and logs in again.

So after the user authenticates, I register him in my DB and call the Graph API to set his UserId claim. Thereafter, any time I acquire a token on the device, even if I use WithForceRefresh(true), I get a token without the UserId claim. If I call the Graph API I can see that the claim exists on the user's profile, but it doesn't make it into the token. As soon as the user logs out and in again, he gets a token that includes the claim.

To work around this I either need to force the user to log in again after he has registered, which would be silly. Or I need to call the Graph API and fill in the missing information if it's not present in the token, which would also be sub-optimal.

What am I missing here? What is the right way to force AD to refresh the user's access token with new claims without requiring the user to log in again?

UPDATE I used the example of a UserId for simplicity's sake, but as Jas points out below I could set static fields like that on registration using REST API claims exchanges. So to make my question more complete, let me add that I also want to be able to update claims after initial registration. For example, a user might be assigned one role on initial registration, and then be moved to a different role later. I would want to update the user's claims so that I could perform authorization on the user based on the updated claims in her access token. But if I cannot guarantee that those claims will always be up to date then I will need a fallback to my own database / service which would effectively make AD B2C an authentication provider with no authorization utility.

Accepted answer

You should move the logic into the B2C user flow, and this would all be resolved rather than performing it after authentication. B2C doesn’t refresh token claims on refresh token flows (yet).

https://docs.microsoft.com/en-gb/azure/active-directory-b2c/rest-api-claims-exchange-dotnet
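The approach the answer points at, as an added example that is not code from the original post or from Microsoft's documentation: a Python handler for the REST endpoint that a B2C user flow API connector (or a custom-policy REST technical profile) calls while the sign-up/sign-in flow is running, so the claims are present in the very first token rather than only after a fresh sign-in. The handler authenticates B2C's call with HTTP Basic credentials using a constant-time comparison, finds or registers the local user, and returns the claims in the user-flow API connector response shape (`version` and `action`, plus custom attributes named `extension_<appId>_<Name>`). The extensions app id, the credentials, the in-memory user table and the `Role` attribute are all assumptions made for illustration; the framework that routes the HTTP request to `handle_claims_exchange` is left out.

```python
import base64
import hmac

# Assumption: application (client) id of the tenant's b2c-extensions-app,
# without dashes. B2C surfaces custom attributes as extension_<thisId>_<Name>.
EXTENSIONS_APP_ID = "00000000000000000000000000000000"

# Assumption: the Basic credentials configured on the API connector.
API_USER = "b2c-connector"
API_PASSWORD = "a-long-random-secret"

# Constructed stand-in for the questioner's own user database,
# keyed by the B2C objectId of the user.
LOCAL_USERS = {
    "objectid-1": {"user_id": "u-1001", "role": "member"},
}


def ext_claim(name: str) -> str:
    """Build the B2C custom-attribute claim name for a given attribute."""
    return f"extension_{EXTENSIONS_APP_ID}_{name}"


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value B2C sends for Basic auth."""
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def check_basic_auth(header: str) -> bool:
    """Validate a Basic Authorization header without leaking timing."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    ok_user = hmac.compare_digest(user.encode(), API_USER.encode())
    ok_pass = hmac.compare_digest(password.encode(), API_PASSWORD.encode())
    return ok_user and ok_pass


def handle_claims_exchange(headers: dict, body: dict) -> tuple:
    """Handle one B2C claims-exchange call.

    Returns (http_status, json_body). B2C merges the returned
    extension_* values into the token it is about to issue.
    """
    if not check_basic_auth(headers.get("Authorization", "")):
        # Never run the lookup for an unauthenticated caller.
        return 401, {"error": "unauthorized"}

    object_id = body.get("objectId")
    if not object_id:
        # ValidationError tells B2C to show the message and stop the flow.
        return 400, {
            "version": "1.0.0",
            "action": "ValidationError",
            "status": 400,
            "userMessage": "objectId is required",
        }

    record = LOCAL_USERS.get(object_id)
    if record is None:
        # First sign-in: register the user inside the flow, so the new
        # UserId is in the first token instead of only after a re-login.
        record = {"user_id": f"u-{1000 + len(LOCAL_USERS) + 1}", "role": "member"}
        LOCAL_USERS[object_id] = record

    return 200, {
        "version": "1.0.0",
        "action": "Continue",
        ext_claim("UserId"): record["user_id"],
        ext_claim("Role"): record["role"],
    }
```

One caveat worth keeping in mind alongside the answer: an endpoint like this is invoked when the user flow runs, so it fixes the sign-up case, but a role changed later in `LOCAL_USERS` still only reaches a token at the user's next interactive sign-in, not on a refresh. Authorization that must react immediately to such a change therefore still needs either a short access-token lifetime or a check against the authoritative store for sensitive operations.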
