Azure AD:访问令牌中缺少角色声明 [英] Azure AD: Roles claims missing in access token
问题描述
对于我的应用程序,我希望用户能够使用他们的 Azure 帐户登录(单点登录).我还需要一个访问令牌来访问安全后端.所以我可以同时获得 id_token 和 access_token,请求这个 url:
For my application, I want users to be able to sign in with their Azure Account (Single Sign On). I also need an access token to access the secured backend.
So I can get both, the id_token and the access_token, with a request to this url:
https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize?response_type=id_token+token&client_id=MY_CLIENT_ID&state=SOME_STATE&redirect_uri=MY_REDIRECT_URI&scope=openid profile&resource=MY_CLIENT_ID&nonce=SOME_NONCE
这基本上有效,但我也希望在访问令牌(和 id 令牌)中有角色,但角色不包括在我收到的令牌中.
This basically works, but I also want to have the roles in the access token (and in the id token), but the roles are not included in the tokens I receive.
当我使用此 Url 仅获取 id_token 时,包含角色声明:
When I use this Url to only get an id_token, the role claims are included:
https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize?response_type=id_token&client_id=MY_CLIENT_ID&state=SOME_STATE&redirect_uri=MY_REDIRECT_URI&scope=openid profile&nonce=SOME_NONCE
不同之处在于我只请求 id_token 而不是 token,我省略了 resource 参数.
The difference is I request only the id_token and not the token and I leave out the resource parameter.
我的问题是:为什么第一个请求的令牌中没有包含角色声明?获取带有角色声明的 id_token 和 access_token 的选项有哪些?
My questions are: Why are the role claims not included in the tokens of the first request? What are my options to get id_token and the access_token with the roles claims?
这是 approles 在应用清单中的定义方式:
edit: This is how the approles are defined in the app's manifest:
{
"appId": "MY_CLIENT_ID",
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Admin",
"id": "c200e304-fff3-49f1-a4df-e406741ea690",
"isEnabled": true,
"description": "Bla bla",
"value": "admin"
},
{
"allowedMemberTypes": [
"User"
],
"displayName": "Reader",
"id": "c534f351-b343-48d0-9dd7-ecb4c5cb402d",
"isEnabled": true,
"description": "Bla bla",
"value": "reader"
}
],
"availableToOtherTenants": false,
...
}
推荐答案
我也可以重现该问题.不确定这是错误还是设计使然,我发现只有在我们为应用程序自身获取令牌时才会出现此问题.例如,如果我们将资源替换为 Azure AD Graph,则可以在 id_token 中成功发布角色声明.
I can also reproduce the issue. Not sure this a bug or by design and I found this issue only occur when we acquire the token for the app self. For example, if we replace the resource with Azure AD Graph, the role claims could issued in the id_token successfully.
作为解决此问题的方法,我建议您在第一个请求中获取 id_token.然后您可以使用 adal 库获取 iframe 中的访问令牌,无需用户交互,因为用户已经登录.
As a workaround for this issue, I suggest that you acquire the id_token in the first request. And then you can acquire the access token in the iframe using adal library without user interaction since the users already sign-in.
这篇关于Azure AD:访问令牌中缺少角色声明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
