How can I add claims to a JWT assigned with auth0 for a machine-to-machine application type?


Problem description

I am using auth0 as OIDC provider for single-sign-on.

So far I tried login with two application types, on the one hand the native application type and on the other hand the machine-to-machine application type.

However, when I login, I only receive a very simple id_token with the following payload:

{
  "https://example.com/roles": [
    "user"
  ],
  "iss": "https://my.idp.provider.com",
  "sub": "oauth2|someconnection|samlp|somecompany|someusername",
  "aud": "REMOVED",
  "iat": 1547652649,
  "exp": 1547688649
}

I want to add a group claim to this token. How can I configure my Auth0 tenant to add "group": "admin" as claims? Do I need to enable a particular scope in my authentication client to receive the groups claim?

I have installed and configured the Authorization Extension in auth0 but that did not have any effect on the claims in my token. I know that the Authorization Extension does not support machine-to-machine applications. Therefore, I added the native application and tried to login with that, but that also did not return any additional claims.

Recommended answer

After configuring the Authorization extension, you can add custom claims to the issued JWT tokens from Rules. There's a sample rule here that does the job: https://auth0.com/docs/extensions/authorization-extension/v2/rules#add-custom-claims-to-the-issued-token

You can customize the Client Credentials token as well using the Hook: https://auth0.com/docs/api-auth/tutorials/client-credentials/customize-with-hooks

OIDC Conformant Apps require you to define the namespace because Authorization data such as roles and groups are not OIDC claims.
