AAD B2C - What is the subject (sub) when getting a token with ConfidentialClientApplicationBuilder and a client secret?

In my client application, I obtain a token for the application with:

using Microsoft.Identity.Client;   // MSAL.NET: ConfidentialClientApplicationBuilder
using Microsoft.Identity.Web;      // AddInMemoryTokenCache() extension

IConfidentialClientApplication espaceClientApp = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantId)
    .WithClientSecret(clientSecret)
    .Build();

// Cache tokens in memory so repeated calls do not go back to the token endpoint
espaceClientApp.AddInMemoryTokenCache();

// Client credentials flow: an app-only token for the API's default scope
AuthenticationResult authResult = await espaceClientApp.AcquireTokenForClient(new[] {
    $"{validAudience}/.default"
}).ExecuteAsync();

Then I get an OAuth token, but I don't know which value the "sub" claim corresponds to in B2C. I thought it might be the audience ID, but I don't see it in my AAD B2C portal; no application has the ID I get in the token. Could it be related to the URI in the "Expose an API" menu? In fact, I used a custom name for the URI instead of the default one (a GUID). I think this GUID is what I get in the "sub" claim. If so, how can I retrieve that GUID from the B2C dashboard or the Graph API?

The subject claim identifies an entity (usually a user); it is unique to that user (it uniquely identifies the user) and to the service the token is intended for. The object ID is its default value (probably the object ID of the service principal), that is, the name ID rather than the application ID.

According to the Microsoft documentation on Azure Active Directory ID tokens:

  • When identifying a user (or looking for them in a database, or deciding what permissions they have), it's critical to use
    information that will remain constant and unique across time.

  • Instead, the claims provided by the OIDC standard, or the extension claims provided by Microsoft - the sub and oid claims are used as GUIDs are unique.

The sub claim in the Microsoft identity platform is "pair-wise" - it is unique based on a combination of the token recipient, tenant, and user. Therefore, two apps that request ID tokens for a given user will receive different sub claims, but the same oid claims for that user.

The sub claim contains a unique, immutable identifier for the user for that one app. Its value is different in other apps for the same user. So it is possibly computed based on some other identifiers. This value is immutable and cannot be reassigned or reused.

The ID token and the access token will also differ.

Note: ID Token audience/sub is the client app where the user is signing in, and the Access Token audience is the resource server the client app will attempt to access (on behalf of the signed-in user).

Perhaps we cannot find it there, but the sub claim can be used to uniquely identify the user in the application. 'sub' maps to 'schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'.

The mapping set is defined in the System.IdentityModel.Tokens.Jwt package/assembly; see: github.com-System.IdentityModel.Tokens.Jwt/ClaimTypeMapping/AzureAD/

Please check these references:

  1. specs/openid-connect-core.
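As an added illustration of the answer above (not part of the question or the answer, and not Microsoft's code), the following Python helper decodes an access token's payload and reports what its sub claim identifies: for an Azure AD app-only token obtained with client credentials, sub equals oid (the service principal's object id), while a delegated token carries scp and a pairwise user-scoped sub. The sample token, its ids and its App ID URI are constructed placeholders, and the alg=none builder exists only to produce that sample offline.

```python
import base64
import json
from typing import Any, Dict

# Claim type that System.IdentityModel.Tokens.Jwt maps "sub" to by default.
NAME_IDENTIFIER = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

def decode_payload(token: str) -> Dict[str, Any]:
    """Return the JWT payload WITHOUT verifying the signature (inspection only;
    a resource server must still validate signature, iss, aud and exp)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    segment = parts[1]  # base64url without padding: restore it before decoding
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def describe_subject(token: str) -> Dict[str, Any]:
    """Say what 'sub' identifies. In an Azure AD app-only (client credentials)
    token there is no user: 'sub' equals 'oid', the service principal's object
    id, and 'azp' is the client id. A delegated token carries 'scp' and a
    pairwise, user-scoped 'sub' that differs from 'oid'."""
    claims = decode_payload(token)
    sub, oid = claims.get("sub"), claims.get("oid")
    return {
        "sub": sub,
        "oid": oid,
        "aud": claims.get("aud"),
        "azp": claims.get("azp"),
        "app_only": "scp" not in claims and sub is not None and sub == oid,
        "mapped_claim_type": NAME_IDENTIFIER,  # what a .NET app sees after mapping
    }

def make_unsigned_jwt(payload: Dict[str, Any]) -> str:
    """Build an alg=none token; used only to construct the sample below."""
    def enc(d: Dict[str, Any]) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed sample (placeholder ids, not real): an app-only token as issued to
# the ConfidentialClientApplication in the question. 'aud' is the custom App ID
# URI from "Expose an API"; 'sub' and 'oid' are the service principal object id.
SP_OBJECT_ID = "11111111-2222-3333-4444-555555555555"
APP_ONLY_TOKEN = make_unsigned_jwt({
    "aud": "https://contoso.onmicrosoft.com/espace-api",
    "azp": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "sub": SP_OBJECT_ID,
    "oid": SP_OBJECT_ID,
})
```

Run describe_subject(authResult.AccessToken) on a real token from the code above and the sub reported should be the object id of the application's service principal (visible under Enterprise applications), not the App ID URI or the client id.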