MSAL.JS 返回的令牌包含 none 的可选声明
Tokens returned by MSAL.JS contain none of the optional claims
设置如下:
- 连接到后端的 SPA 网络应用 API。它应该登录用户,向 API 请求 access_token 并在所有请求中使用它。将其命名为 应用程序。
- 后端 API 应该接收 access_tokens 并根据其中包含的
groups 声明授权用户。称之为 API.
Azure AD端的配置:
- 应用程序配置了重定向 URI,并获得了 API(API.User 范围)的 API 权限。
- 后端公开 API.User 范围并将应用程序授权为授权客户端应用程序。
现在,为了获得 groups 声明,我已将其添加到两个应用程序的令牌配置中。由于它不起作用,我去添加了一些更多的可选声明,以查看是否有任何声明被退回。他们不是。清单的相关部分如下所示:
"groupMembershipClaims": "All",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": true,
"optionalClaims": {
"idToken": [
{
"name": "email",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "nickname",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": null,
"essential": false,
"additionalProperties": []
}
],
"accessToken": [
{
"name": "email",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "nickname",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": null,
"essential": false,
"additionalProperties": []
}
],
"saml2Token": [
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
}
]
}
两个应用程序注册配置相同(关于上述值)。
获取令牌的前端代码:
msalInstance = new Msal.UserAgentApplication(
{
auth: {
clientId: <the Application's client id>
}
}
);
this.msalInstance.handleRedirectCallback((error, response) => {
console.warn("In handleRedirectCallback");
console.warn(JSON.stringify(error));
console.warn(JSON.stringify(response));
});
if (this.msalInstance.getAccount()) {
const request = {
scopes: ['api://<the API client id>/API.User']
}
this.msalInstance.acquireTokenSilent(request)
.then(response => {
console.warn("In acquireTokenSilent then");
console.warn(JSON.stringify(response));
})
.catch(err => {
if (err.name === 'InteractionRequiredAuthError') {
return this.msalInstance.acquireTokenRedirect(request);
}
});
}
else {
const request = {
scopes: ['user.read', 'email', 'openid', 'profile']
};
this.msalInstance.loginRedirect(request);
}
我显然做错了什么,因为所有 access_token 和 id_tokens 都具有相同的布局,完全独立于我对应用程序注册或 request.scopes 所做的任何更改。我看到 MSAL 请求有一个 claimsRequest 字段,但它没有记录,我不知道应该放在那里什么。 MSDN docs 听起来好像我需要做的就是配置应用程序注册,声明将附加到检索到的令牌,但显然不是这样。
我还需要配置什么才能获得 groups 声明吗?
编辑:
示例 id_token 我得到的布局:
{
"aud": "api://<the Application client id>",
"iss": "https://login.microsoftonline.com/<the Tenant id>/",
"iat": 1585052362,
"nbf": 1585052362,
"exp": 1585056262,
"aio": <Azure AD opaque string>,
"given_name": "<My first name>",
"hasgroups": "true",
"name": "<My account name>",
"nonce": <some guid>,
"oid": "<my account OID>",
"preferred_username": "<my email>",
"sub": <...>,
"tid": "<the tenant id>",
"uti": <Azure AD opaque string>,
"ver": "2.0"
}
示例access_token 我得到:
{
"aud": "api://<the Application client id>",
"iss": "https://sts.windows.net/<the Tenant id>/",
"iat": 1585052365,
"nbf": 1585052365,
"exp": 1585056265,
"acr": "1",
"aio": <Azure AD opaque string>,
"appid": "<the Application client id>",
"appidacr": "0",
"family_name": <my last name>,
"given_name": <my first name>,
"hasgroups": "true",
"ipaddr": <my ip addr>,
"name": <my account name>,
"oid": <my account oid>,
"onprem_sid": <not sure what this is, but some identifier>,
"scp": "API.User",
"sub": <...>,
"tid": <the tenant ID>,
"unique_name": <my email>,
"upn": <my email>,
"uti": <Azure AD opaque string>,
"ver": "1.0"
}
既然你评论说你得到了 hasgroups 声明,这意味着这些组很可能没有包含在令牌中,因为大小限制。
该声明记录在此处:https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens.
那里的相关引述:
If present, always true, denoting the user is in at least one group. Used in place of the groups claim for JWTs in implicit grant flows if the full groups claim would extend the URI fragment beyond the URL length limits (currently 6 or more groups)
所以5是隐式流量的最大值。
例如,最大值为 200。授权代码流。
设置如下:
- 连接到后端的 SPA 网络应用 API。它应该登录用户,向 API 请求 access_token 并在所有请求中使用它。将其命名为 应用程序。
- 后端 API 应该接收 access_tokens 并根据其中包含的
groups声明授权用户。称之为 API.
Azure AD端的配置:
- 应用程序配置了重定向 URI,并获得了 API(API.User 范围)的 API 权限。
- 后端公开 API.User 范围并将应用程序授权为授权客户端应用程序。
现在,为了获得 groups 声明,我已将其添加到两个应用程序的令牌配置中。由于它不起作用,我去添加了一些更多的可选声明,以查看是否有任何声明被退回。他们不是。清单的相关部分如下所示:
"groupMembershipClaims": "All",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": true,
"optionalClaims": {
"idToken": [
{
"name": "email",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "nickname",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": null,
"essential": false,
"additionalProperties": []
}
],
"accessToken": [
{
"name": "email",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "nickname",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": null,
"essential": false,
"additionalProperties": []
}
],
"saml2Token": [
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
}
]
}
两个应用程序注册配置相同(关于上述值)。
获取令牌的前端代码:
msalInstance = new Msal.UserAgentApplication(
{
auth: {
clientId: <the Application's client id>
}
}
);
this.msalInstance.handleRedirectCallback((error, response) => {
console.warn("In handleRedirectCallback");
console.warn(JSON.stringify(error));
console.warn(JSON.stringify(response));
});
if (this.msalInstance.getAccount()) {
const request = {
scopes: ['api://<the API client id>/API.User']
}
this.msalInstance.acquireTokenSilent(request)
.then(response => {
console.warn("In acquireTokenSilent then");
console.warn(JSON.stringify(response));
})
.catch(err => {
if (err.name === 'InteractionRequiredAuthError') {
return this.msalInstance.acquireTokenRedirect(request);
}
});
}
else {
const request = {
scopes: ['user.read', 'email', 'openid', 'profile']
};
this.msalInstance.loginRedirect(request);
}
我显然做错了什么,因为所有 access_token 和 id_tokens 都具有相同的布局,完全独立于我对应用程序注册或 request.scopes 所做的任何更改。我看到 MSAL 请求有一个 claimsRequest 字段,但它没有记录,我不知道应该放在那里什么。 MSDN docs 听起来好像我需要做的就是配置应用程序注册,声明将附加到检索到的令牌,但显然不是这样。
我还需要配置什么才能获得 groups 声明吗?
编辑:
示例 id_token 我得到的布局:
{
"aud": "api://<the Application client id>",
"iss": "https://login.microsoftonline.com/<the Tenant id>/",
"iat": 1585052362,
"nbf": 1585052362,
"exp": 1585056262,
"aio": <Azure AD opaque string>,
"given_name": "<My first name>",
"hasgroups": "true",
"name": "<My account name>",
"nonce": <some guid>,
"oid": "<my account OID>",
"preferred_username": "<my email>",
"sub": <...>,
"tid": "<the tenant id>",
"uti": <Azure AD opaque string>,
"ver": "2.0"
}
示例access_token 我得到:
{
"aud": "api://<the Application client id>",
"iss": "https://sts.windows.net/<the Tenant id>/",
"iat": 1585052365,
"nbf": 1585052365,
"exp": 1585056265,
"acr": "1",
"aio": <Azure AD opaque string>,
"appid": "<the Application client id>",
"appidacr": "0",
"family_name": <my last name>,
"given_name": <my first name>,
"hasgroups": "true",
"ipaddr": <my ip addr>,
"name": <my account name>,
"oid": <my account oid>,
"onprem_sid": <not sure what this is, but some identifier>,
"scp": "API.User",
"sub": <...>,
"tid": <the tenant ID>,
"unique_name": <my email>,
"upn": <my email>,
"uti": <Azure AD opaque string>,
"ver": "1.0"
}
既然你评论说你得到了 hasgroups 声明,这意味着这些组很可能没有包含在令牌中,因为大小限制。
该声明记录在此处:https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens.
那里的相关引述:
If present, always true, denoting the user is in at least one group. Used in place of the groups claim for JWTs in implicit grant flows if the full groups claim would extend the URI fragment beyond the URL length limits (currently 6 or more groups)
所以5是隐式流量的最大值。 例如,最大值为 200。授权代码流。