AAD groups claim missing in JWT token for some users


Problem description

I'm experiencing some strange behavior on our AAD. After a user signs in successfully, we get an unauthorized response for some users on our API calls. It turns out that a claim in the JWT is missing. Some users get the "groups" claim (an array of all the group IDs they belong to) and some get the "hasgroups" claim (a boolean indicating whether the user has groups, with no IDs). As our API app checks this "groups" claim for authorization, the users who don't have the "groups" claim get a 403.

Nevertheless, in the manifest of the app registration I set "groupMembershipClaims" from "null" to "All" or "SecurityGroup", either of which should do the trick. I also set "oauth2AllowImplicitFlow" to true, as we're working with an Angular app that uses OAuth2. Beyond that, I've compared almost all user settings, and apart from some extra groups the users are identical. The affected users don't have many groups; some have at most around 5.

Am I overlooking something, or what's causing this difference in claims? How can I solve this so that all users get the "groups" claim?

Recommended answer

Got this feedback from MSFT internals:

In the implicit flow, OAuth returns the JWT directly from the initial /authorize call through a query string param. The HTTP spec limits the length of a query string / URL, so if AAD detects that the resulting URI would exceed this length, they replace the groups with the hasGroups claim.

And this:

This is by design when using the implicit grant flow, regardless of the "groupMembershipClaims" setting in the manifest. It's to avoid going over the URL length limit of the browser, as the token is returned as a URI fragment. So, more or less after 4 group memberships, you'll get "hasgroups:true" in the token. What you can do is make a separate call to the Graph API to query for the user's group membership.

So you will need to do an extra round trip to the Graph API in order to get the user's groups. Hope this helps others too.
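The fallback the answer describes, written out as an added example (not code from the original question or answer, and not Microsoft's own library code): read the token's claims, use "groups" when present, and only when the token carries "hasgroups": true make the extra round trip to Microsoft Graph. It assumes Node.js, a fetch-compatible function injected by the caller (so it runs offline against a constructed fake), a separately obtained Graph access token, and the real Graph endpoint `POST https://graph.microsoft.com/v1.0/me/getMemberGroups`. The tokens and group IDs below are constructed sample data.

```javascript
// Added example (not from the original Q&A): fall back to a Graph lookup
// when a v1.0 implicit-flow token carries "hasgroups" instead of "groups".
// Assumptions: Node.js; fetchFn is injected; graphToken is a separate
// access token for https://graph.microsoft.com.
const GRAPH_GET_MEMBER_GROUPS =
  "https://graph.microsoft.com/v1.0/me/getMemberGroups";

// Base64url-decode and parse a compact JWT's payload. This only reads
// claims; it does NOT verify the signature, so the token must have been
// validated before any authorization decision is based on the result.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// "groups": IDs are in the token. "overage": AAD dropped the IDs and set
// "hasgroups": true because the fragment would be too long. "none": the
// user is in no groups at all.
function groupClaimKind(claims) {
  if (Array.isArray(claims.groups)) return "groups";
  if (claims.hasgroups === true) return "overage";
  return "none";
}

// Resolve group object IDs, hitting Graph only on the overage path.
async function resolveGroupIds(jwt, graphToken, fetchFn) {
  const claims = decodeJwtPayload(jwt);
  switch (groupClaimKind(claims)) {
    case "groups":
      return claims.groups;
    case "none":
      return [];
    default: {
      // securityEnabledOnly: true mirrors groupMembershipClaims = "SecurityGroup";
      // use false to mirror "All".
      const res = await fetchFn(GRAPH_GET_MEMBER_GROUPS, {
        method: "POST",
        headers: {
          Authorization: `Bearer ${graphToken}`,
          "Content-Type": "application/json",
        },
        body: JSON.stringify({ securityEnabledOnly: true }),
      });
      if (!res.ok) throw new Error(`getMemberGroups failed: ${res.status}`);
      const body = await res.json(); // { "value": ["<group id>", ...] }
      return body.value;
    }
  }
}

// The API's rule, over resolved IDs so both paths are treated identically.
function isAuthorized(groupIds, requiredGroupId) {
  return groupIds.includes(requiredGroupId);
}

// --- Constructed sample data (not real tenant data) ---
function makeUnsignedJwt(payload) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}

const REQUIRED_GROUP = "11111111-1111-1111-1111-111111111111";
const TOKEN_WITH_GROUPS = makeUnsignedJwt({
  sub: "alice",
  groups: [REQUIRED_GROUP, "22222222-2222-2222-2222-222222222222"],
});
const TOKEN_WITH_OVERAGE = makeUnsignedJwt({ sub: "bob", hasgroups: true });

// Offline stand-in for fetch that answers as Graph would for "bob".
function fakeGraphFetch(url, init) {
  const ok =
    url === GRAPH_GET_MEMBER_GROUPS &&
    init.method === "POST" &&
    /^Bearer /.test(init.headers.Authorization);
  return Promise.resolve({
    ok,
    status: ok ? 200 : 401,
    json: async () => ({ value: [REQUIRED_GROUP] }),
  });
}

// Stand-alone demo: alice is authorized from the claim, bob via Graph.
(async () => {
  for (const t of [TOKEN_WITH_GROUPS, TOKEN_WITH_OVERAGE]) {
    const ids = await resolveGroupIds(t, "fake-graph-token", fakeGraphFetch);
    console.log(decodeJwtPayload(t).sub, isAuthorized(ids, REQUIRED_GROUP));
  }
})();
```

Two caveats a practitioner would want here. First, the Graph round trip must happen on the side that makes the authorization decision: if the Angular client resolves the groups and forwards them to the API, that list is client-controlled and is no better than no check at all; the API should either query Graph itself (for example with a token obtained on behalf of the user) or map groups to app roles so the decision does not depend on a claim that can be elided. Second, "hasgroups" is the overage marker only for v1.0 tokens; v2.0 tokens signal the same condition with `_claim_names` / `_claim_sources` instead, so code that only looks for "hasgroups" will treat a v2.0 overage token as "no groups".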

