Azure AD B2C - "Username" 未提供用户名声明的本地 IDP
Azure AD B2C - Local IDP with "Username" not providing username claim
我已将身份提供者配置为使用具有用户名而不是密码的本地帐户。
我创建了一个具有显示名称、用户名和电子邮件的用户。
我可以 select "Display Name" 和 "Email Address" 申请所有保单索赔,但 "User Name" 不是一个选项。我还确认没有向我的应用程序提供用户名声明。
如何配置 Azure AD B2C 以使其提供用户名声明?
不幸的是,用户名尚无法选择作为在令牌中传递的声明。您应该在 Azure AD B2C UserVoice 论坛中为这个问题投票以帮助确定它的优先级:Include username in JWT claims
这次你唯一的选择是通过图表自己检索它。
这里有一段 .Net 代码 的快速粗略片段,您可以将其用于此目的:
private async Task OnSecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
try
{
var userObjectId = notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
// You'll need to register a separate app for this.
// This app will need APPLICATION (not Delegated) Directory.Read permissions
// Check out this link for more info:
// https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
var authContext = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(string.Format(graphAuthority, tenant));
var t = await authContext.AcquireTokenAsync(graphResource, new ClientCredential(graphClientId, graphClientSecret));
string result;
using (var client = new HttpClient())
{
client.DefaultRequestHeaders.Add("Authorization", "Bearer " + t.AccessToken);
var url = graphResource + tenant + "/users/" + userObjectId + "/?api-version=1.6";
result = await client.GetStringAsync(url);
}
var jsonResult = JObject.Parse(result);
var username = jsonResult["signInNames"].FirstOrDefault(j => j["type"].ToString() == "userName")?["value"]?.ToString();
notification.AuthenticationTicket.Identity.AddClaim(new Claim("username", username));
}
catch (Exception ex)
{
Console.WriteLine(ex.ToString());
}
}
您将在设置 OpenIdConnectAuthenticationOptions 时引用此方法,如下所示:
new OpenIdConnectAuthenticationOptions
{
// (...)
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
SecurityTokenValidated = OnSecurityTokenValidated,
},
// (...)
};
我已将身份提供者配置为使用具有用户名而不是密码的本地帐户。
我创建了一个具有显示名称、用户名和电子邮件的用户。
我可以 select "Display Name" 和 "Email Address" 申请所有保单索赔,但 "User Name" 不是一个选项。我还确认没有向我的应用程序提供用户名声明。
如何配置 Azure AD B2C 以使其提供用户名声明?
不幸的是,用户名尚无法选择作为在令牌中传递的声明。您应该在 Azure AD B2C UserVoice 论坛中为这个问题投票以帮助确定它的优先级:Include username in JWT claims
这次你唯一的选择是通过图表自己检索它。
这里有一段 .Net 代码 的快速粗略片段,您可以将其用于此目的:
private async Task OnSecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
try
{
var userObjectId = notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
// You'll need to register a separate app for this.
// This app will need APPLICATION (not Delegated) Directory.Read permissions
// Check out this link for more info:
// https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
var authContext = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(string.Format(graphAuthority, tenant));
var t = await authContext.AcquireTokenAsync(graphResource, new ClientCredential(graphClientId, graphClientSecret));
string result;
using (var client = new HttpClient())
{
client.DefaultRequestHeaders.Add("Authorization", "Bearer " + t.AccessToken);
var url = graphResource + tenant + "/users/" + userObjectId + "/?api-version=1.6";
result = await client.GetStringAsync(url);
}
var jsonResult = JObject.Parse(result);
var username = jsonResult["signInNames"].FirstOrDefault(j => j["type"].ToString() == "userName")?["value"]?.ToString();
notification.AuthenticationTicket.Identity.AddClaim(new Claim("username", username));
}
catch (Exception ex)
{
Console.WriteLine(ex.ToString());
}
}
您将在设置 OpenIdConnectAuthenticationOptions 时引用此方法,如下所示:
new OpenIdConnectAuthenticationOptions
{
// (...)
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
SecurityTokenValidated = OnSecurityTokenValidated,
},
// (...)
};