JWT 中的 Azure AD 自定义声明 [英] Azure AD Custom Claims in JWT

问题描述

我有一个 Azure AD 应用程序，我正在尝试向 JWT 添加自定义声明.我将 Azure 中的声明映射功能用于我的特定应用程序，并更新了 Azure 门户中的应用程序清单以包含可选声明.但是，当我登录并查看解码的访问令牌时，令牌中不存在该声明.我没有找到太多与使用扩展属性作为声明相关的文档，但从我发现它应该遵循相同的模式，但它没有按预期工作.

如何在用户登录时向 JWT 添加源自 AD 中用户对象中的自定义属性的自定义声明?

提前致谢！

重新创建的步骤

1. 使用 Azure AD Graph API 注册目录扩展

请求:

POST https://graph.windows.net/mytenant.onmicrosoft.com/applications/

此外，请注意 extension__customUserRoles 不是有效的用户源 ID.对于所有有效的用户源 ID，请参考 这里 .

希望有帮助.

I have an Azure AD app and I am trying to add custom claims to a JWT. I'm using the claims mapping feature in Azure for my specific app, and updated the app manifest in the Azure Portal to include the optional claims. However, when I log in and view the decoded access token, the claim is not present in the token. I haven't found much documentation relating to using extension attributes as claims, but from what I've found it should follow the same patterns, but it is not working as expected.

How do I add a custom claim, sourced from a custom property in the user object in AD, to a JWT when the user logs in?

Thanks in advance!

Steps to re-create

1. Use the Azure AD Graph API to register a directory extension

Request:

POST https://graph.windows.net/mytenant.onmicrosoft.com/applications/<application-object-id>/extensionProperties?api-version=1.5

Body:

{
   "name": "customUserRoles",
   "dataType": "String",
   "targetObjects": ["User"]
}

2. Write a value to the extension for a specific AD user

Request:

PATCH https://graph.windows.net/mytenant.onmicrosoft.com/users/user123@mytenant.onmicrosoft.com?api-version=1.5

Body:

{
   "extension_<appId>_customUserRoles": "My Custom Role 1, Another Role 2"
}

3. In PowerShell, I installed the Azure AD module: Install-Module -Name AzureADPreview
4. Create an Azure AD policy

New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version": 1, "IncludeBasicClaimSet": "true", "
ClaimsSchema": [ { "Source": "user", "ID": "extension_<appId>_customUserRoles", "JwtClaimType": "customUserRoles" } ] } }') -DisplayName "customUserRoles" -Type "ClaimsMappingPolicy"

5. Add the policy to the service principal

Add-AzureADServicePrincipalPolicy -Id <service-principla-id> -RefObjectId <azure-ad-policy-id>

6. In the Azure Portal, navigate to Azure AD -> App Registrations -> My App -> Manifest
7. Update the following properties

{
   ...
   "acceptMappedClaims: true,
   "optionalClaims": {
      "idToken": [
         {
            "name": "extension_<appId>_customUserRoles",
            "source": "user",
            "essential": false,
         }
      ],
      "accessToken": [
         {
            "name": "extension_<appId>_customUserRoles",
            "source": "user",
            "essential": false,
         }
      ],
      "samlToken": []
   }
}

8. Save the file
9. Navigate to https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/authorize?client_id=<appId>&response_type=token&resource=https://mytenant.sharepoint.com and login with Azure AD user account user123@mytenant.onmicrosoft.com
10. In the URL, copy the value of the access_token parameter
11. Navigate to https://jwt.ms and paste the access token in the text area
12. In the decoded token section, the custom claim customUserRoles is not present

My expectation is I should see a new claim called customUserRoles or extn.customUserRoles in the decoded token.

What steps am I missing? I haven't gotten any errors throughout this process, but it doesn't appear to be working as the documentation suggests.

---

Reference Material

I have read through Microsoft's documentation on these topics:

Optional Claims: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

Claims Mapping: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping

---

I have also read through various forum posts and blog articles relating to this:

https://devonblog.com/cloud/azure-ad-adding-employeeid-claims-in-azure-ad-jwt-token/

http://www.redbaronofazure.com/?p=7566

https://social.msdn.microsoft.com/Forums/en-US/3e5114b6-24d6-4c60-b72b-b4c90baeecac/access-token-missing-optional-claims-that-are-schema-extensions-implicit-grant-flow

https://social.msdn.microsoft.com/Forums/en-US/dbeeed63-8d3f-4c27-b416-431f9fe6c729/providing-directory-extension-optional-claims-and-returning-value-within-token?forum=WindowsAzureAD

解决方案

Based on this official doc :

Access tokens are always generated using the manifest of the resource, not the client. So in the request ...scope=https://graph.microsoft.com/user.read... the resource is Graph. Thus, the access token is created using the Graph manifest, not the client's manifest. Changing the manifest for your application will never cause tokens for Graph to look different. In order to validate that your accessToken changes are in effect, request a token for your application, not another app.

And based on your requirement , it is impossible if you want to make some change on an access token which resource is sharepoint online which is a multi-tenant app created and managed by MSFT.

For this doc , I also did some research for you . And the same , you should have control of the service side app so that you can make that happen.

This is my policy role assignment command :

$nsp = New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"mailnickname","JwtClaimType":"testclaim"}]}}') -DisplayName "StanCustomCliamDemo_surname" -Type "ClaimsMappingPolicy"

Add-AzureADServicePrincipalPolicy  -RefObjectId $nsp.Id -Id '<obj id of service side app>'

Token result :

What's more , pls note that extension_<appId>_customUserRoles is not a valid user source ID . For all valid user source ID , pls refer to here .

Hope it helps .

这篇关于JWT 中的 Azure AD 自定义声明的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！