具有属性"hasgroups = true"的Azure JWT；而不是组属性对象 [英] Azure JWT with property "hasgroups=true" instead of groups property object

问题描述

我有一个具有Azure Active Directory身份验证的Azure Web应用程序(由adal-angular制成)；

I have an Azure Web Application with Azure Active Directory authentication (made with adal-angular);

在应用程序清单中，我设置了"groupMembershipClaims":"SecurityGroup"

In the application manifest i have set "groupMembershipClaims": "SecurityGroup"

奇怪的是，有几天，对于一个用户，它在AAD令牌中没有包含组成员资格objectIds列表的组声明，但是有一个名为 hasgroups 的属性值为 true .

The strange thing is that for some days, for just a user, it does not have the group claim in the AAD token with the list of group membership objectIds, but instead there's a property named hasgroups with value true.

我可以做些什么吗?现在，我将检查是否有一个属性或另一个属性，然后调用GraphAPI获得直接组成员身份.

Can I do something about it? For now I'm going to check if there's one property or the other and then call GraphAPI for direct group membership.

推荐答案

hasGroups = true /em>.我不知道确切的阈值是多少(20?200?)，但是实际上，您需要在代码中执行的操作与(pseudocode)类似:

hasGroups=true is returned in the case where there the user belongs to "too many groups". I don't know what the exact threshold is (20? 200?) but effectively what you need to do in your code is something along the lines of (pseudocode):

if (hasGroups)
  Call the Graph to inquire:
    Either about the full group membership OR 
    About membership to a particular group
else
  Access groups directly from the token

获取所有用户组属于:

https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version

查询用户是否属于特定组:

https://graph.windows.net/myorganization/users/{user_id}/isMemberOf?api-version

这篇关于具有属性"hasgroups = true"的Azure JWT；而不是组属性对象的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！