I have created an app registration and want to add some custom claims to my JWT access token. I followed the instructions at https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims, but somehow I must have made a mistake, because I cannot get any additional claims into the JWT access token (I request it through Postman and inspect the data with https://jwt.io).
I tried adding the custom claims through the Azure portal, but the values are not added to my JWT. I used the scopes User.Read openid profile, but changing these values did not change anything either.
Here is an example of my manifest:

```json
{
  "id": "cfdb05a2-357b-4e52-8f68-7a4a48a45256",
  "acceptMappedClaims": null,
  "accessTokenAcceptedVersion": 2,
  "addIns": [],
  "allowPublicClient": true,
  "appId": "19eccd56-b192-450d-820c-77a353d1fd7c",
  "appRoles": [],
  "oauth2AllowUrlPathMatching": false,
  "createdDateTime": "2024-04-22T14:31:19Z",
  "description": null,
  "certification": null,
  "disabledByMicrosoftStatus": null,
  "groupMembershipClaims": "None",
  "identifierUris": [
    "api://19eccd56-b192-450d-820c-77a353d1fd7c"
  ],
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "name": "TEST_APP_SAML",
  "notes": null,
  "oauth2AllowIdTokenImplicitFlow": true,
  "oauth2AllowImplicitFlow": true,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "optionalClaims": {
    "idToken": [
      {
        "name": "tenant_region_scope",
        "source": null,
        "essential": false,
        "additionalProperties": []
      },
      {
        "name": "verified_primary_email",
        "source": null,
        "essential": false,
        "additionalProperties": []
      },
      {
        "name": "verified_secondary_email",
        "source": null,
        "essential": false,
        "additionalProperties": []
      },
      {
        "name": "vnet",
        "source": null,
        "essential": false,
        "additionalProperties": []
      },
      {
        "name": "ctry",
        "source": null,
        "essential": false,
        "additionalProperties": []
      },
      {
        "name": "tenant_ctry",
        "source": null,
        "essential": false,
        "additionalProperties": []
      },
      {
        "name": "xms_pdl",
        "source": null,
        "essential": false,
        "additionalProperties": []
      },
      {
        "name": "xms_pl",
        "source": null,
        "essential": false,
        "additionalProperties": []
      },
      {
        "name": "xms_tpl",
        "source": null,
        "essential": false,
        "additionalProperties": []
      },
      {
        "name": "ztdid",
        "source": null,
        "essential": false,
        "additionalProperties": []
      },
      {
        "name": "upn",
        "source": null,
        "essential": false,
        "additionalProperties": [
          "include_externally_authenticated_upn"
        ]
      },
      {
        "name": "xms_cc",
        "source": null,
        "essential": false,
        "additionalProperties": []
      }
    ],
    "accessToken": [
      {
        "name": "ctry",
        "source": null,
        "essential": false,
        "additionalProperties": []
      },
      {
        "name": "tenant_ctry",
        "source": null,
        "essential": false,
        "additionalProperties": []
      },
      {
        "name": "ztdid",
        "source": null,
        "essential": false,
        "additionalProperties": []
      },
      {
        "name": "upn",
        "source": null,
        "essential": false,
        "additionalProperties": [
          "include_externally_authenticated_upn"
        ]
      },
      {
        "name": "login_hint",
        "source": null,
        "essential": false,
        "additionalProperties": []
      }
    ],
    "saml2Token": []
  },
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [],
  "preAuthorizedApplications": [],
  "publisherDomain": "andreasweier85gmail.onmicrosoft.com",
  "replyUrlsWithType": [
    {
      "url": "https://jwt.ms",
      "type": "InstalledClient"
    },
    {
      "url": "https://login.microsoftonline.com/common/oauth2/nativeclient",
      "type": "InstalledClient"
    }
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "14dad69e-099b-42c9-810b-d002981feec1",
          "type": "Scope"
        },
        {
          "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
          "type": "Scope"
        }
      ]
    },
    {
      "resourceAppId": "00eda80b-051a-46ab-940f-2bbdc3dabeec",
      "resourceAccess": [
        {
          "id": "4d2e19f0-3525-4517-9e7d-48f0411b4395",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": null,
  "signInUrl": null,
  "signInAudience": "AzureADMultipleOrgs",
  "tags": [
    "apiConsumer",
    "singlePageApp"
  ],
  "tokenEncryptionKeyId": null
}
```
In your optional claims you did not specify a source. When the source is null, the Microsoft identity platform does not know where to get the information from, so the claim is omitted from the token entirely.

- name: the name of the claim as it will appear in the token returned by the identity platform.
- source: the Entra ID user profile attribute or directory extension that should be read for the authenticated user. You can use an out-of-the-box attribute such as userPrincipalName, or an extension (custom) attribute. For a custom attribute such as vnet, you should already have extended the directory schema and assigned a value to the user.
- essential: tells the server to fail authentication if the source value cannot be obtained for the user. You have set this to false, which is fine.
- additionalProperties: lets you validate, filter and transform the claim value according to the specified criteria, conditions and parameters. include_externally_authenticated_upn does not look like a valid additional-properties field to me.
So let's look at an example where you want to return the user principal name as a claim named upn.

```json
{
  "name": "upn",
  "source": "userPrincipalName",
  "essential": false,
  "additionalProperties": []
}
```
Here we use the name "upn" to specify the name of the returned claim, and the source userPrincipalName, because that is the name of the attribute in Entra.
If you use a custom attribute from a directory extension, make sure the extension has been applied:
https://learn.microsoft.com/en-us/entra/identity/domain-services/concepts-custom-attributes
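Whether the optional claims configured in the manifest actually landed in a token can be checked offline, without pasting the token into jwt.io. The Python below is an added example, not code from the question or the answer. It base64url-decodes the payload of a compact JWT, lists which of the claims from the manifest's accessToken section are present or missing, and prints the aud and ver claims next to them, because the optional claims under accessToken only apply to access tokens issued for this app registration as the resource (aud is the app's own appId or api:// identifier URI), not to a token issued for another resource such as Microsoft Graph. The two sample tokens are constructed for the demo: they are unsigned, and their audiences reuse the Graph resource ID and the api:// URI that appear in the manifest above.

```python
import base64
import json

# Optional claims listed in the manifest's "accessToken" section (taken from the question).
EXPECTED_ACCESS_TOKEN_CLAIMS = ["ctry", "tenant_ctry", "ztdid", "upn", "login_hint"]


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    Inspection only: the signature is deliberately NOT verified here, so the
    result must never drive an authorization decision. Validate tokens with a
    JWKS-backed JWT library for that.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_optional_claims(token: str, expected: list) -> dict:
    """Report aud/ver plus which of the expected optional claims are present or missing.

    Order of 'present' and 'missing' follows the order of 'expected'.
    """
    claims = decode_jwt_payload(token)
    return {
        "aud": claims.get("aud"),
        "ver": claims.get("ver"),
        "present": [name for name in expected if name in claims],
        "missing": [name for name in expected if name not in claims],
    }


def make_unsigned_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token (empty signature) for the demo only."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return enc({"typ": "JWT", "alg": "none"}) + "." + enc(payload) + "."


# Constructed sample 1: a token issued for Microsoft Graph (the resourceAppId in the
# manifest). The optional claims configured on TEST_APP_SAML do not apply here.
SAMPLE_TOKEN_FOR_GRAPH = make_unsigned_sample_token({
    "aud": "00000003-0000-0000-c000-000000000000",
    "ver": "2.0",
    "scp": "User.Read openid profile",
    "name": "Example User",
})

# Constructed sample 2: a token issued for the app's own identifier URI, carrying two of
# the five configured optional claims (values are made up).
SAMPLE_TOKEN_FOR_OWN_API = make_unsigned_sample_token({
    "aud": "api://19eccd56-b192-450d-820c-77a353d1fd7c",
    "ver": "2.0",
    "scp": "access_as_user",
    "upn": "user@example.onmicrosoft.com",
    "ctry": "DE",
})


if __name__ == "__main__":
    for label, token in (("graph", SAMPLE_TOKEN_FOR_GRAPH), ("own-api", SAMPLE_TOKEN_FOR_OWN_API)):
        report = check_optional_claims(token, EXPECTED_ACCESS_TOKEN_CLAIMS)
        print(f"{label}: aud={report['aud']} ver={report['ver']}")
        print(f"  present: {report['present']}")
        print(f"  missing: {report['missing']}")
```

Run it against a real token by replacing the constructed sample with the access token Postman returns; if aud is the Graph resource ID rather than the app's own appId or api:// URI, the accessToken optional claims were never in scope for that token in the first place.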