我们有在MEAN堆栈中开发的应用程序。我们使用adal-agular库进行天蓝色广告认证。按照documentation and sampleAzure AD:如何获取令牌中的组信息?
Adal.js使用OAuth隐式流与Azure AD进行通信。您必须为您的应用程序启用隐式流程。
然而,当我们使隐式流动,天青AD 不包括在令牌中的组信息。这个问题已经讨论了详细here和@vibronet
问题
Azure的AD功能已几乎每天不断变化的证实,因此有上述答案是否仍然有效?我们是否仍然需要启用应用程序的隐式流程?我想在令牌组信息(我不想使用图形API作为一个解决方案。)
另一个原因,我问这个问题,因为我禁用隐含的流量和用户仍然能够访问应用。不过,我仍然看不到组中的信息。
不可能没有调用从BE图:
这里是讨论:https://github.com/AzureAD/azure-activedirectory-library-for-js/issues/239
如果hasgroups要求在id_token不存在 - 从id_token获得团体。 如果存在 - 调用在Azure AD 2.0端点图形
实施例:确实发出安全组隐式流动
using Microsoft.Identity.Client;
...
//Obtaining the Access Token By Id Token...
var redirectUri = "http://localhost";
var authority = @"https://login.microsoftonline.com/common/v2.0";
var clientId = "00000000-0000-0000-0000-000000000000";
var userObjectId = "00000000-0000-0000-0000-000000000000"; //from id_token
var idToken = "ey-- ID Token from the JS Side";
var appKey = "Client Secret here";
var cc = new ClientCredential(appKey);
var cca = new ConfidentialClientApplication(clientId, authority, redirectUri, cc, null, null);
var ua = new UserAssertion(idToken, "urn:ietf:params:oauth:grant-type:jwt-bearer");
var authResult = await cca.AcquireTokenOnBehalfOfAsync(new[] { "User.Read", "Group.Read.All" }, ua); //Make sure - here is one user consented scope (shuld be requested from the FronEnd side) and one - admin consented
var accessToken = authResult.AccessToken;
// And then calling the MS Graph...
var requestUrl = $"https://graph.microsoft.com/v1.0/users/{userObjectId}/getMemberGroups";
// Prepare and Make the POST request
HttpResponseMessage response;
using (var client = new HttpClient())
{
using (var request = new HttpRequestMessage(HttpMethod.Post, requestUrl))
{
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
var content = new StringContent("{\"securityEnabledOnly\": \"true\"}");
content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
request.Content = content;
response = await client.SendAsync(request);
}
}
var groupObjectIds = new List<string>();
// Endpoint returns JSON with an array of Group ObjectIDs
if (response.IsSuccessStatusCode)
{
var responseContent = await response.Content.ReadAsStringAsync();
var groupsResult = Json.Decode(responseContent).value;
foreach (string groupObjectId in groupsResult)
groupObjectIds.Add(groupObjectId);
}
return groupObjectIds;
天青AAD JWT。 在申请登记清单,设定"groupMembershipClaims": "SecurityGroup",
然后在您的服务器:
var groups = new List<string>();
ClaimsPrincipal.Current.Claims.Where(t => t.Type == "groups")
.ForEach(g => groups.Add(g.Value));
不需要GraphApi
https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims
你能在应用程序清单组索赔?为了避免使用GraphAPI,您如何保证您的用户永远不会拥有比标记中允许的最大值更多的组? –
假设这也是你:https://social.msdn.microsoft.com/Forums/en-US/2b49109b-b98a-4b54-b644-43d623a7d36a/azure-ad-jwt-token-is-missing-group-information ?forum = WindowsAzureAD,我看你有。你有没有看过原始的'id_token'(例如jwt.io等)? –
@PhilippeSignoret是的,那就是我。不知道如果azure从未在令牌中包含这些信息,jwt.io会如何帮助我。此外,我们正在使用服务器上的“passport-azure-ad”来分析和验证令牌 – LP13