Azure Entra ID app registration cannot add custom claims to the access token

Question (votes: 0, answers: 1)

I have created an app registration and want to add some custom claims to my JWT access token. I followed the instructions at https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims, but I must have made a mistake somewhere, because I cannot get any additional claims into the JWT access token (I request it via Postman and inspect the data with https://jwt.io).

I tried adding the custom claims through the Azure portal, but my JWT does not contain those values. I used the scopes User.Read openid profile, but changing these values did not change anything either.

Here is my manifest example:

{
    "id": "cfdb05a2-357b-4e52-8f68-7a4a48a45256",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": true,
    "appId": "19eccd56-b192-450d-820c-77a353d1fd7c",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2024-04-22T14:31:19Z",
    "description": null,
    "certification": null,
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": "None",
    "identifierUris": [
        "api://19eccd56-b192-450d-820c-77a353d1fd7c"
    ],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "TEST_APP_SAML",
    "notes": null,
    "oauth2AllowIdTokenImplicitFlow": true,
    "oauth2AllowImplicitFlow": true,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": {
        "idToken": [
            {
                "name": "tenant_region_scope",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "verified_primary_email",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "verified_secondary_email",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "vnet",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "ctry",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "tenant_ctry",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "xms_pdl",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "xms_pl",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "xms_tpl",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "ztdid",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "upn",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "include_externally_authenticated_upn"
                ]
            },
            {
                "name": "xms_cc",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "accessToken": [
            {
                "name": "ctry",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "tenant_ctry",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "ztdid",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "upn",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "include_externally_authenticated_upn"
                ]
            },
            {
                "name": "login_hint",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "saml2Token": []
    },
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [],
    "preAuthorizedApplications": [],
    "publisherDomain": "andreasweier85gmail.onmicrosoft.com",
    "replyUrlsWithType": [
        {
            "url": "https://jwt.ms",
            "type": "InstalledClient"
        },
        {
            "url": "https://login.microsoftonline.com/common/oauth2/nativeclient",
            "type": "InstalledClient"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "14dad69e-099b-42c9-810b-d002981feec1",
                    "type": "Scope"
                },
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        },
        {
            "resourceAppId": "00eda80b-051a-46ab-940f-2bbdc3dabeec",
            "resourceAccess": [
                {
                    "id": "4d2e19f0-3525-4517-9e7d-48f0411b4395",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADMultipleOrgs",
    "tags": [
        "apiConsumer",
        "singlePageApp"
    ],
    "tokenEncryptionKeyId": null
}
Tags: azure jwt access-token claims azure-entra-id
1 Answer

0 votes

In your optional claims you have not specified a source. When the source is null, the Microsoft identity platform does not know where to get the information from. As a result, the claim is omitted from the token entirely.

name: The name of the claim as it will appear in the token returned by the identity platform.

source: The Entra ID user profile attribute or directory extension that should be read for the authenticated user. You can use out-of-the-box attributes such as userPrincipalName. Alternatively, you can use extension (custom) attributes. For a custom attribute, for example vnet, you should already have extended the directory schema and assigned values to the users.

essential: Tells the server that authentication fails if the source value cannot be obtained for the user. You have set this to false, which is fine.

additionalProperties: Lets you validate, filter and transform the claim value according to specified criteria, conditions and parameters. include_externally_authenticated_upn does not look to me like a valid additional-property field.

So let's look at an example where you want the user principal name returned as a claim named upn.

              {
                "name": "upn",
                "source": "userPrincipalName",
                "essential": false,
                "additionalProperties": []
              }

Here we use the name "upn" to specify the returned claim name, and the source userPrincipalName, because that is the name of the attribute in Entra.

If you are using a custom attribute from a directory extension, make sure the extension has been applied.

https://learn.microsoft.com/en-us/entra/identity/domain-services/concepts-custom-attributes
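Added example, not code from the question or the answer above: a small Python inspector that decodes an access token offline, the way jwt.io does (no signature check), and compares its payload with the manifest's optionalClaims.accessToken list so you can see which requested claims actually arrived. It also reports the token's aud, because optional claims configured in the accessToken section of a manifest apply to tokens whose audience is that registration (appId for v2 tokens, identifierUri for v1); a token obtained with the Graph scopes User.Read openid profile is issued for Microsoft Graph and is governed by Graph's registration, not this one. The manifest fragment and both sample tokens are constructed for the demo; the appId and the Graph resource id are the ones visible in the question's manifest, everything else (tenant id, scope name, claim values) is made up.

```python
"""Offline JWT claim audit against an Entra app manifest (added example)."""
import base64
import json

# Constructed manifest fragment modelled on the one in the question.
MANIFEST = {
    "appId": "19eccd56-b192-450d-820c-77a353d1fd7c",
    "identifierUris": ["api://19eccd56-b192-450d-820c-77a353d1fd7c"],
    "accessTokenAcceptedVersion": 2,
    "optionalClaims": {
        "accessToken": [
            {"name": "ctry", "source": None, "essential": False, "additionalProperties": []},
            {"name": "tenant_ctry", "source": None, "essential": False, "additionalProperties": []},
            {"name": "ztdid", "source": None, "essential": False, "additionalProperties": []},
            {"name": "upn", "source": None, "essential": False,
             "additionalProperties": ["include_externally_authenticated_upn"]},
            {"name": "login_hint", "source": None, "essential": False, "additionalProperties": []},
        ]
    },
}

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # from requiredResourceAccess
DEMO_TENANT = "00000000-0000-0000-0000-000000000000"      # made-up tenant id


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Split a compact JWS and JSON-decode header and payload.

    No signature validation happens here: this is a debugging aid for
    looking at claims, not a substitute for validating the token against
    the issuer's signing keys before trusting anything in it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def make_demo_token(payload: dict) -> str:
    """Build a constructed, unsigned token so the audit runs offline."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "demo-key"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([_b64url_encode(compact(header)),
                     _b64url_encode(compact(payload)),
                     _b64url_encode(b"not-a-real-signature")])


def audit_optional_claims(manifest: dict, token: str) -> dict:
    """Which requested accessToken optional claims are present, and was the
    token even issued for this registration (aud == appId or identifierUri)?"""
    _, payload = decode_jwt_unverified(token)
    requested = [c["name"] for c in manifest["optionalClaims"]["accessToken"]]
    own_audiences = {manifest["appId"], *manifest["identifierUris"]}
    aud = payload.get("aud")
    return {
        "aud": aud,
        "ver": payload.get("ver"),
        "issued_for_this_app": aud in own_audiences,
        "present": [n for n in requested if n in payload],
        "missing": [n for n in requested if n not in payload],
    }


# Constructed sample 1: the result of requesting User.Read openid profile,
# i.e. a token for Microsoft Graph. None of this app's claims appear.
GRAPH_TOKEN = make_demo_token({
    "aud": MS_GRAPH_APP_ID,
    "iss": f"https://sts.windows.net/{DEMO_TENANT}/",
    "ver": "1.0",
    "scp": "openid profile User.Read",
    "appid": MANIFEST["appId"],
})

# Constructed sample 2: a v2 token for a scope exposed by the app itself,
# where the issuer has honoured some of the configured optional claims.
OWN_API_TOKEN = make_demo_token({
    "aud": MANIFEST["appId"],
    "iss": f"https://login.microsoftonline.com/{DEMO_TENANT}/v2.0",
    "ver": "2.0",
    "scp": "access_as_user",
    "upn": "alice@example.com",
    "ctry": "DE",
})

if __name__ == "__main__":
    for label, tok in (("Graph token", GRAPH_TOKEN), ("own API token", OWN_API_TOKEN)):
        print(label, json.dumps(audit_optional_claims(MANIFEST, tok), indent=2))
```

Run it against a real token by pasting the compact JWT string in place of the constructed ones; if issued_for_this_app is False, the claims you configured on this registration were never in scope for that token, whatever the source field says. Treat Graph access tokens as opaque in production: decoding them is fine for debugging, but only the resource they are issued to should validate and interpret them.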

© www.soinside.com 2019 - 2024. All rights reserved.