从 msal 2.0 令牌中获取 UPN 和电子邮件地址 [英] Get UPN and email address from msal 2.0 tokens
问题描述
从 adal 切换到 msal 2.0 浏览器库时,我在 idToken 响应中缺少用户的 UPN,这导致主体在 principal.Identity.Name<中没有名称/code> 将 idToken 传递给后端后.这在 adal 版本中可用.
var principal = tokenHandler.ValidateToken(validationToken, validationParameters, out SecurityTokenvalidatedToken);
我收到 preferred_name
作为声明,但似乎无法调用 Graph API 来检索电子邮件地址,因为它不是 UPN.
一般我需要如何更改 msal 的令牌验证和 UPN 检索?传递 accessToken 并单独验证以获得更多声明?
原来 msal 支持 2 种方式来获得额外的声明
- 通过 AD 清单设置
- 请求令牌如下时
通过添加额外的范围
const loginRequest = {范围:['User.Read', 'email']};
并且在验证令牌时,可以通过设置 TokenValidationParameters.NameClaimType
When switching from adal to the msal 2.0 browser library, I'm missing the UPN of the user in the idToken response, which leads to a principal that doesn't have a name in principal.Identity.Name
after passing the idToken to the backend. This was available in the adal version.
var principal = tokenHandler.ValidateToken(validationToken, validationParameters, out SecurityToken validatedToken);
I get preferred_name
as a claim, but it doesn't seem to be usable to call the Graph API to retrieve an email address, as it's not a UPN.
How do I need to change token validation and UPN retrieval for msal in general? Pass the accessToken and validate that separately to get more claims?
Turns out msal supports 2 ways to get additional claims
- Via AD manifest settings
- When requesting a token as below
by adding additional scopes
const loginRequest = {
scopes: ['User.Read', 'email']
};
and when validating a token different claims can be used to get the principal's identity by setting TokenValidationParameters.NameClaimType
这篇关于从 msal 2.0 令牌中获取 UPN 和电子邮件地址的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!