在JWT令牌中包含AAD组名称 [英] Include AAD group name in the JWT token
问题描述
是否可以选择在AAD发行的JWT令牌中包含AAD组名(显示名称)而不是对象ID?如果可以,怎么办?
Is there an option to include the AAD group name (display name) instead of the Object Id in the JWT token issued by AAD? If yes - how?
…
"family_name": "Smith",
"given_name": "John",
"groups": [
"0e1cbc5f-94bc-4c3b-a22b-a4c56bbdbd7d", // <- replace id with name
"9762d7ea-c0a9-4543-8a3e-2459e826a35a"
],
…
某些背景:我正在通过AAD为API实现OAuth.我配置了2个服务主体(1个用于API,1个用于客户端),并添加了委派&应用程序权限.我还配置了可选的组声明以接收组列表.这一切似乎都可以正常工作,在两种情况下,我会获得带有组ID的JWT令牌:授权代码&客户凭证.
Some background: I’m implementing OAuth with AAD for an API. I configured 2 Service Principals (1 for API, 1 for client) and added delegated & application permissions. I also configured optional group claims to receive the list of groups. It all seems to work and I’m getting JWT tokens with group IDs in 2 scenarios: authorization code & client credentials.
在API实现中,我需要根据AAD组成员身份过滤数据.示例:我有一个AAD组"Company1Users",并想应用过滤器:"where company = Company1".使用groupId时,我需要在我的应用程序(AADGroupId = Company1)中维护其他映射,或者对图形API进行其他调用,这是我想避免的.
In the API implementation I need to filter data basing on the AAD group membership. Example: I have an AAD group "Company1Users" and would like to apply filter: "where company=Company1". With groupId I need to maintain additional mapping in my app (AADGroupId=Company1) or make an additional call to graph API, which I would like to avoid.
推荐答案
在JWT令牌中包含AAD组名
Include AAD group name in the JWT token
简而言之,您无法使用令牌获得它们.
In short, you cannot get them in tokens.
您注意到,您仅获得ID.通常这很好,因为id不能更改,而id可以更改.
As you noticed, you only get the ids. Usually this is good, since the id cannot be changed, unlike the name which can change.
Also, group and role claims may be emitted containing the domain qualified sAMAccountName rather than the group's Azure Active Directory objectID. However, sAMAccountName is only available on Group objects synced from Active Directory. They aren't available on groups created in Azure Active Directory or Office365.
如果要基于组进行授权,可以在配置文件中设置ID,然后检查ID.如果您想为其他目的使用名称,则需要从Microsoft Graph API查询组.您可以找到API文档这里.
If you want to do authorization based on groups, you can set the ids in a configuration file and then check with the id. If you want the names for some other purpose, you'll need query the groups from Microsoft Graph API. You can find the API documentation here.
这篇关于在JWT令牌中包含AAD组名称的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
