The goal is to add user.onpremisessamaccountname as a claim in the JWT token for a registered application that has the openid permission.
Steps completed:
$NewPolicy = @"
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": true,
    "ClaimsSchema": [
      {
        "Source": "user",
        "ID": "onpremisessamaccountname",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
        "JwtClaimType": "testsamaccountname"
      }
    ]
  }
}
"@
New-AzureADPolicy -Definition ($NewPolicy) -DisplayName "test_samaccountname_policy" -Type "ClaimsMappingPolicy" -IsOrganizationDefault $false
"acceptMappedClaims": true,
But I still cannot get "testsamaccountname" or "onpremisessamaccountname" from the JWT token.
What am I missing?
Thanks in advance.
I registered an Azure AD application and added the openid API permission, as shown below:
Now I ran the PowerShell script below to create the claims mapping policy, as shown:
Connect-AzureAD
New-AzureADPolicy -Definition @('
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      {
        "Source": "user",
        "ID": "extensionattribute1",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/testsamaccountname",
        "JwtClaimType": "testsamaccountname"
      }
    ]
  }
}') -DisplayName "test_samaccountname_policy" -Type "ClaimsMappingPolicy"
Response:
Note the ID of the above policy from the response and assign it to your service principal with the following command:
Add-AzureADServicePrincipalPolicy -Id serviceprincipal_ObjectID -RefObjectId policy_ID
To confirm whether the policy has been assigned, you can run the following command:
Get-AzureADServicePrincipalPolicy -Id serviceprincipal_ObjectID
Response:
To assign the samaccountname value to that claim, I ran the following query in Graph Explorer, as shown below:
PATCH https://graph.microsoft.com/beta/me
{
  "onPremisesExtensionAttributes": {
    "extensionAttribute1": "sri"
  }
}
Response:
Make sure "acceptMappedClaims": true is set in the application's manifest, as shown below:
Now I generated tokens via Postman using the authorization code flow with the following parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:authorization_code
client_id:<appID>
client_secret:<secret>
scope:openid
code:code
redirect_uri: https://jwt.ms
Response:
When I decoded the above ID token in jwt.ms, I got the testsamaccountname claim successfully:
UPDATE:
To get the code, I ran the authorization request in the browser as below:
https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/authorize
?client_id= <appID>
&response_type=code
&redirect_uri= https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
Response:
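To check offline whether a token actually carries the claims a ClaimsMappingPolicy is supposed to add (the step the answer does by pasting the token into jwt.ms), here is an added Python example that is not part of the original question or answer. It reuses the policy definition from the answer, decodes a JWT payload without verifying the signature (inspection only, exactly like jwt.ms), and reports which JwtClaimType names are missing; the sample token is constructed in the code and is not a real Azure AD token.

```python
import base64
import json

# ClaimsMappingPolicy definition from the answer above (re-typed; the SamlClaimType is omitted
# because only the JWT claim name matters for this check).
POLICY_DEFINITION = """
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      {"Source": "user", "ID": "extensionattribute1", "JwtClaimType": "testsamaccountname"}
    ]
  }
}
"""


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.
    Use this only to inspect claims while debugging; never to make authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def expected_jwt_claims(policy_definition: str) -> list:
    """List the JwtClaimType names that the policy's ClaimsSchema should add to the token."""
    schema = json.loads(policy_definition)["ClaimsMappingPolicy"]["ClaimsSchema"]
    return [entry["JwtClaimType"] for entry in schema if "JwtClaimType" in entry]


def missing_mapped_claims(policy_definition: str, token: str) -> list:
    """Return the policy's JwtClaimTypes that do not appear in the token payload."""
    payload = decode_jwt_payload(token)
    return [claim for claim in expected_jwt_claims(policy_definition) if claim not in payload]


def make_sample_token(payload: dict) -> str:
    """Constructed test token: real header/payload encoding, placeholder signature segment."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"
```

If the returned list is not empty, the policy either is not assigned to the service principal (check with Get-AzureADServicePrincipalPolicy) or acceptMappedClaims is still false in the manifest.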