具有属性"hasgroups = true"的Azure JWT;而不是组属性对象 [英] Azure JWT with property "hasgroups=true" instead of groups property object
问题描述
我有一个具有Azure Active Directory身份验证的Azure Web应用程序(由adal-angular制成);
I have an Azure Web Application with Azure Active Directory authentication (made with adal-angular);
在应用程序清单中,我设置了"groupMembershipClaims":"SecurityGroup"
In the application manifest i have set "groupMembershipClaims": "SecurityGroup"
奇怪的是,有几天,对于一个用户,它在AAD令牌中没有包含组成员资格objectIds列表的组声明,但是有一个名为 hasgroups
的属性值为 true
.
The strange thing is that for some days, for just a user, it does not have the group claim in the AAD token with the list of group membership objectIds, but instead there's a property named hasgroups
with value true
.
我可以做些什么吗?现在,我将检查是否有一个属性或另一个属性,然后调用GraphAPI获得直接组成员身份.
Can I do something about it? For now I'm going to check if there's one property or the other and then call GraphAPI for direct group membership.
推荐答案
hasGroups = true
/em>.我不知道确切的阈值是多少(20?200?),但是实际上,您需要在代码中执行的操作与(pseudocode)类似:
hasGroups=true
is returned in the case where there the user belongs to "too many groups". I don't know what the exact threshold is (20? 200?) but effectively what you need to do in your code is something along the lines of (pseudocode):
if (hasGroups)
Call the Graph to inquire:
Either about the full group membership OR
About membership to a particular group
else
Access groups directly from the token
https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version
https://graph.windows.net/myorganization/users/{user_id}/isMemberOf?api-version
这篇关于具有属性"hasgroups = true"的Azure JWT;而不是组属性对象的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!