Can't get email claim in access_token in Azure AD
We have configured an app registration for a SPA in Azure, using the authorization code flow.
We added email under optional claims, as shown below:
The manifest file is configured as follows:
{
    "id": "<redacted>",
    "acceptMappedClaims": true,
    "accessTokenAcceptedVersion": 1,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "<redacted>",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2020-12-03T10:30:07Z",
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": "None",
    "identifierUris": [],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "<redacted>",
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": {
        "idToken": [],
        "accessToken": [
            {
                "name": "email",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "saml2Token": []
    },
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [],
    "preAuthorizedApplications": [],
    "publisherDomain": "<redacted>",
    "replyUrlsWithType": [
        {
            "url": "https://localhost:44338",
            "type": "Spa"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "<redacted>",
            "resourceAccess": [
                {
                    "id": "<redacted>",
                    "type": "Scope"
                },
                {
                    "id": "<redacted>",
                    "type": "Scope"
                },
                {
                    "id": "<redacted>",
                    "type": "Scope"
                }
            ]
        },
        {
            "resourceAppId": "<redacted>",
            "resourceAccess": [
                {
                    "id": "<redacted>",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADMyOrg",
    "tags": [],
    "tokenEncryptionKeyId": null
}
We have added email to the permissions:
Finally, on the client side, I start authentication with MSAL browser, providing the following scopes:
However, I can't for the life of me figure out why the email claim does not show up in the access_token.
See v1.0 and v2.0 optional claims set:
When adding claims to the access token, the claims apply to access tokens requested for the application (a web API), not claims requested by the application.
This means the email claim applies to the scenario where you call your own web API, not the scenario where you call the Microsoft Graph API.
You can find the details in Protected web API: App registration.
You should configure the email optional claim in the Azure AD application that represents the web API, not in the Azure AD application that represents the client. Then, when you request an access token for that API, the email claim will be present in the access token.
In the request, set scope=api://{app id of the AAD app which represents the web api}/.default openid instead of scope=http://graph.microsoft.com/.default openid.
So, for calling the Microsoft Graph API, you cannot directly use the built-in email optional claim. You need to query the email by calling Microsoft Graph GET https://graph.microsoft.com/v1.0/me/ or use another claim, upn, in the access token.
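The following is an added example, not code from the question, the answer, or Microsoft, illustrating the two paths the answer describes from the SPA's side: request a token for your own web API (api://{app id}/.default openid) and read the email claim from it, or, when the token was issued for Microsoft Graph, fall back to the upn claim or a GET https://graph.microsoft.com/v1.0/me call. The app id, the function names (buildApiScopes, resolveEmailSource, fetchEmailFromGraph) and the sample tokens are constructed for this example. The tokens are unsigned and are only decoded to choose a code path; the resource named in aud is the only party that may validate and rely on the claims.

```javascript
// Added example; not code from the question, the answer, or Microsoft.
// The app id below is a constructed placeholder, not a real registration.
const SAMPLE_API_APP_ID = '11111111-2222-3333-4444-555555555555';

// Audience values Azure AD uses for Microsoft Graph access tokens
// (Graph's resource URI and its well-known application id).
const GRAPH_AUDIENCES = new Set([
  'https://graph.microsoft.com',
  '00000003-0000-0000-c000-000000000000',
]);

// Scopes to request so the token is issued for your own web API (the
// answer's recommendation) instead of for Graph.
function buildApiScopes(apiAppId) {
  return [`api://${apiAppId}/.default`, 'openid'];
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the payload of a compact JWT without verifying it. Only the resource
// named in `aud` may trust these claims (after signature validation); the SPA
// peeks at them here only to pick a code path, never for authorization.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Decide where the signed-in user's email should come from, given the
// audience of the access token MSAL handed back.
function resolveEmailSource(accessToken, apiAppId) {
  const claims = decodeJwtPayload(accessToken);
  if (claims.aud === `api://${apiAppId}` || claims.aud === apiAppId) {
    // Token for our own API: the optional claim lands here, provided it was
    // configured on the API's app registration rather than the client's.
    return typeof claims.email === 'string'
      ? { source: 'email', value: claims.email }
      : { source: 'missing', value: null };
  }
  if (GRAPH_AUDIENCES.has(claims.aud)) {
    // Token for Graph: no email optional claim; use upn or ask Graph /me.
    return typeof claims.upn === 'string'
      ? { source: 'upn', value: claims.upn }
      : { source: 'graph-me', value: null };
  }
  return { source: 'unknown-audience', value: null };
}

// The Graph fallback: GET /me and read the mail (or userPrincipalName) property.
// fetchImpl is injectable so the call can be exercised without network access.
async function fetchEmailFromGraph(accessToken, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl('https://graph.microsoft.com/v1.0/me', {
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  if (!res.ok) throw new Error(`Graph /me failed with HTTP ${res.status}`);
  const me = await res.json();
  return me.mail || me.userPrincipalName || null;
}

// Constructed, unsigned sample tokens (alg "none", empty signature) for
// offline demonstration only; real tokens are signed by Azure AD.
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

const apiToken = makeSampleToken({
  aud: `api://${SAMPLE_API_APP_ID}`, email: 'alice@contoso.example',
});
const graphToken = makeSampleToken({
  aud: 'https://graph.microsoft.com', upn: 'alice@contoso.example',
});

console.log(buildApiScopes(SAMPLE_API_APP_ID).join(' '));
console.log(resolveEmailSource(apiToken, SAMPLE_API_APP_ID));
console.log(resolveEmailSource(graphToken, SAMPLE_API_APP_ID));
```

Pass the result of buildApiScopes as the scopes in the MSAL login or acquireToken request; with the email optional claim configured on the web API's registration, resolveEmailSource then returns the email from the API token, while a Graph-audience token yields upn or signals that a /me call is required.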