场景:我使用Angular 5作为前端,.NET核2.0作为后端,MSAL.js使用Angular SPA中的Azure AD B2C进行身份验证,然后使用返回的id_token
作为Bearer Token将请求发送到WebAPI端点。
我已经成功地将多租户Azure AD设置为Azure AD B2C中的提供程序(遵循此处Multi-tenant Azure AD in Azure AD B2C的答案),但在返回的id_token
中,没有对电子邮件地址的声明。注意:如果我配置单租户Azure AD,我会收到类型为http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
的电子邮件地址声明,但无法使用多租户AD。
我相信限制是在这里提到的Azure AD v2.0:https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations
问题:登录后如何检索用户的电子邮件地址。
我按照本文中的指南https://monteledwards.com/2017/10/18/a-complete-integration-azure-ad-b2c-azure-ad-graph-api-logic-apps/添加了一个额外的逻辑应用程序来解析来自id_token
的电子邮件,但我的问题是我没有objectId
回来。
在成功验证后我得到的声明是:
iss - https://login.microsoftonline.com/<My-B2C-Tenant-Id>/v2.0/
exp - ticks
nbf - ticks
aud - My-B2C-App-Id
name - string
http://schemas.microsoft.com/identity/claims/identityprovider - tid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier - My-B2C-App-Id
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname - string
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname - string
nonce - GUID
http://schemas.microsoft.com/identity/claims/scope - User.Read
azp - GUID
ver - 1.0
iat - ticks
我的多租户Azure AD技术配置文件 - > Azure AD B2C是:
<TechnicalProfile Id="AzureADAccountProfile">
<DisplayName>Log in with your work account</DisplayName>
<Protocol Name="OpenIdConnect"/>
<OutputTokenFormat>JWT</OutputTokenFormat>
<Metadata>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</Item>
<Item Key="client_id">My ID</Item>
<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="IdTokenAudience">My ID</Item>
<Item Key="response_types">id_token</Item>
<Item Key="scope">openid profile</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_AzureADSecret"/>
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="enterpriseAuthentication" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="tid" />
<OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid" />
<OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
<OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
<OutputClaim ClaimTypeReferenceId="tenant" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
获取与用户帐户关联的电子邮件地址在使用者/个人帐户和组织/工作帐户之间有所不同。
个人账户
参考:Azure Active Directory v2.0 tokens reference
可以在ID令牌中发布与用户帐户关联的电子邮件地址。
1)将“范围”元数据项从“openid profile”更改为“openid profile email”。
<Metadata>
<Item Key="scope">openid profile email</Item>
</Metadata>
2)更改“电子邮件”输出声明:
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
至:
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
工作帐户
必须使用Microsoft Graph API检索与用户帐户关联的电子邮件地址。
1)将“AzureADAccountProfile”技术配置文件从“OpenIdConnect”更改为“OAuth2”,并将元数据项添加到retrieve the profile properties for the signed-in user。
注意:“获取用户”操作不会返回已登录用户的租户标识符,因此以下技术配置文件会从“域”部分创建“identityProvider”声明,该声明是备用安全标识符所必需的。 userPrincipalName“此用户的属性。
<TechnicalProfile Id="AzureADAccountProfile">
<DisplayName>Log in with your work account</DisplayName>
<Protocol Name="OAuth2"/>
<OutputTokenFormat>JWT</OutputTokenFormat>
<Metadata>
<Item Key="AccessTokenEndpoint">https://login.microsoftonline.com/organizations/oauth2/v2.0/token</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="ClaimsEndpoint">https://graph.microsoft.com/v1.0/me</Item>
<Item Key="client_id"><!-- Enter your client ID --></Item>
<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="IdTokenAudience"><!-- Enter your client ID --></Item>
<Item Key="response_types">code</Item>
<Item Key="scope">https://graph.microsoft.com/user.read</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_AzureADSecret"/>
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="enterpriseAuthentication" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="mail" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname" />
<OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="id" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="userPrincipalName" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateAzureADIdentityProvider" />
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
2)创建“CreateAzureADIdentityProvider”声明转换。
<ClaimsTransformation Id="CreateAzureADIdentityProvider" TransformationMethod="ParseDomain">
<InputClaims>
<InputClaim ClaimTypeReferenceId="userPrincipalName" TransformationClaimType="emailAddress" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="domain" />
</OutputClaims>
</ClaimsTransformation>