Azure AD - adding onpremisessamaccountname as a claim in the JWT token

Question (votes: 0, answers: 1)

The goal is to add user.onpremisessamaccountname as a claim in the JWT token for a registered application that has the openid permission.

Steps taken:

  1. Created a ClaimsMappingPolicy as shown below:

$NewPolicy = @"
{
    "ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": true,
        "ClaimsSchema": [
            {
                "Source": "user",
                "ID": "onpremisessamaccountname",
                "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                "JwtClaimType": "testsamaccountname"
            }
        ]
    }
}
"@
New-AzureADPolicy -Definition ($NewPolicy) -DisplayName "test_samaccountname_policy" -Type "ClaimsMappingPolicy" -IsOrganizationDefault $false

  2. Ran Add-AzureADServicePrincipalPolicy against the object ID of the registered application.

  3. In the manifest of the registered application 'TEST', set

"acceptMappedClaims": true,

But I still cannot get "testsamaccountname" or "onpremisessamaccountname" from the JWT token.

What am I missing?

Thanks in advance.

Tags: azure-active-directory jwt openid azure-ad-graph-api

1 Answer

Score: 1

I registered an Azure AD application and added the openid API permission, as shown below:

[screenshot]

Now I ran the PowerShell script below to create the claims mapping policy:

Connect-AzureAD
New-AzureADPolicy -Definition @('
{
    "ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [
            {
                "Source": "user",
                "ID": "extensionattribute1",
                "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/testsamaccountname",
                "JwtClaimType": "testsamaccountname"
            }
        ]
    }
}') -DisplayName "test_samaccountname_policy" -Type "ClaimsMappingPolicy"

Response:

[screenshot]

Note the ID of the policy from the response above and assign it to your service principal with the following command:

Add-AzureADServicePrincipalPolicy -Id serviceprincipal_ObjectID -RefObjectId policy_ID

To confirm that the policy has been assigned, you can run the following command:

Get-AzureADServicePrincipalPolicy -Id serviceprincipal_ObjectID

Response:

[screenshot]

To assign the samaccountname value to that claim, I ran the following query in Graph Explorer:

PATCH https://graph.microsoft.com/beta/me
{
    "onPremisesExtensionAttributes": {
        "extensionAttribute1": "sri"
    }
}

Response:

[screenshot]

Make sure "acceptMappedClaims": true is set in the application's manifest, as shown below:

[screenshot]

Now I generated tokens via Postman using the authorization code flow with the following parameters:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:authorization_code
client_id:<appID>
client_secret:<secret>
scope:openid
code:code
redirect_uri: https://jwt.ms

Response:

[screenshot]

When I decoded the above ID token in jwt.ms, I got the testsamaccountname claim successfully:

[screenshot]

Update:

To get the code, I ran the authorization request in the browser as follows:

https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/authorize
?client_id=<appID>
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345

Response:

[screenshot]
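The same procedure as the answer, applied to the attribute the question actually asked for (onpremisessamaccountname instead of extensionAttribute1), as an added PowerShell example that is not part of the original question or answer. It assumes the AzureAD module, a session with rights to create policies, a placeholder service principal object ID, and that $idToken holds an ID token obtained from the /token request shown in the answer; the policy display name and the samaccountname claim name are choices made here, not values from the page. Two practitioner caveats are built in: a service principal can carry only one ClaimsMappingPolicy at a time, so an existing one must be detached first, and the claim is only emitted for users synced from on-premises AD, because Azure AD omits claims whose source attribute is empty. The decode helper at the end parses the token locally and does not verify its signature; use it to inspect claims, not to make trust decisions.

```powershell
# Added example (not from the original post). Requires the AzureAD module and
# an account allowed to manage policies and enterprise applications.
Connect-AzureAD

$spObjectId = '<serviceprincipal_ObjectID>'   # Enterprise application > Object ID (placeholder)

# 1. Policy mapping the synced on-prem sAMAccountName into the ID token.
#    onpremisessamaccountname is a supported "user" source attribute; it is
#    populated by directory sync, so cloud-only users get no such claim.
$definition = @'
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": true,
    "ClaimsSchema": [
      {
        "Source": "user",
        "ID": "onpremisessamaccountname",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/samaccountname",
        "JwtClaimType": "samaccountname"
      }
    ]
  }
}
'@

$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName 'samaccountname_claim_policy' -Type 'ClaimsMappingPolicy'

# 2. Detach any ClaimsMappingPolicy already on the service principal; only one
#    may be assigned at a time, and Add-... fails otherwise.
Get-AzureADServicePrincipalPolicy -Id $spObjectId |
    Where-Object { $_.Type -eq 'ClaimsMappingPolicy' } |
    ForEach-Object { Remove-AzureADServicePrincipalPolicy -Id $spObjectId -PolicyId $_.Id }

Add-AzureADServicePrincipalPolicy -Id $spObjectId -RefObjectId $policy.Id

# 3. Verify the assignment.
Get-AzureADServicePrincipalPolicy -Id $spObjectId | Select-Object Id, DisplayName, Type

# "acceptMappedClaims": true still has to be set in the app manifest (as in the
# answer). Set it only on a single-tenant app: it tells the app to trust claim
# mappings created by the tenant admin, which is unsafe for multi-tenant apps,
# where a custom signing key should be used instead.

# 4. Decode the ID token locally to check for the mapped claim. This parses
#    only and does NOT validate the signature.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    # base64url -> base64: swap alphabet and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# $idToken: the id_token from the /token response (placeholder assumption).
$claims = ConvertFrom-JwtPayload -Token $idToken
if ($claims.PSObject.Properties.Name -contains 'samaccountname') {
    "samaccountname = $($claims.samaccountname)"
} else {
    'Claim missing: confirm the user is synced from on-prem AD (onPremisesSamAccountName set), ' +
    'the policy is attached to this service principal, and acceptMappedClaims is true in the manifest.'
}
```

If the claim is still absent after these checks, request the token for the exact service principal the policy is attached to; a policy attached to one app does not affect tokens issued to another.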
