2

Scenario: I'm using Angular 5 for front-end and .NET core 2.0 for back-end, MSAL.js to authenticate against Azure AD B2C in Angular SPA, then use returned id_token as Bearer Token to send requests to WebAPI endpoints.

I have successfully setup multi-tenant Azure AD as a provider in Azure AD B2C (followed the answer here Multi-tenant Azure AD in Azure AD B2C), but in the returned id_token, there's no claim for email address. Note: If I configure single-tenant Azure AD, I get back a claim with type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress for email address, but wasn't able to do so with multi-tenant AD.

I believe the limitation is with Azure AD v2.0 that's been mentioned here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations

Question: How do I retrieve the user's email address after log in.

I followed the guideline in this article https://monteledwards.com/2017/10/18/a-complete-integration-azure-ad-b2c-azure-ad-graph-api-logic-apps/ to add an extra logic app to resolve email from id_token, but my problem is I don't have objectId back either.

Claims I've got back after successful authentication are:

iss - https://login.microsoftonline.com/<My-B2C-Tenant-Id>/v2.0/
exp - ticks
nbf - ticks
aud - My-B2C-App-Id
name - string
http://schemas.microsoft.com/identity/claims/identityprovider - tid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier - My-B2C-App-Id
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname - string
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname - string
nonce - GUID
http://schemas.microsoft.com/identity/claims/scope - User.Read
azp - GUID
ver - 1.0
iat - ticks

My technical profile for multi-tenant Azure AD -> Azure AD B2C is:

<TechnicalProfile Id="AzureADAccountProfile">
  <DisplayName>Log in with your work account</DisplayName>
  <Protocol Name="OpenIdConnect"/>
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</Item>
    <Item Key="client_id">My ID</Item>
    <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="IdTokenAudience">My ID</Item>
    <Item Key="response_types">id_token</Item>
    <Item Key="scope">openid profile</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_AzureADSecret"/>
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="enterpriseAuthentication" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="tid" />
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid" />
    <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
    <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
    <OutputClaim ClaimTypeReferenceId="tenant" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
4

1 回答 1

2

获取与用户帐户关联的电子邮件地址在消费者/个人帐户和组织/工作帐户之间有所不同。

个人账户

参考:Azure Active Directory v2.0 令牌参考

与用户帐户关联的电子邮件地址可以在 ID 令牌中发出。

1) 将“范围”元数据项从“openid profile”更改为“openid profile email”。

<Metadata>
  <Item Key="scope">openid profile email</Item>
</Metadata>

2)更改“电子邮件”输出声明:

<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />

至:

<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />

工作帐户

必须使用 Microsoft Graph API 检索与用户帐户关联的电子邮件地址。

1) 将“AzureADAccountProfile”技术配置文件从“OpenIdConnect”更改为“OAuth2”,并添加元数据项以检索登录用户的配置文件属性

注意: “获取用户”操作不会返回已登录用户的租户标识符,因此以下技术配置文件会从“ userPrincipalName”这个用户的属性。

<TechnicalProfile Id="AzureADAccountProfile">
  <DisplayName>Log in with your work account</DisplayName>
  <Protocol Name="OAuth2"/>
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="AccessTokenEndpoint">https://login.microsoftonline.com/organizations/oauth2/v2.0/token</Item>
    <Item Key="authorization_endpoint">https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize</Item>
    <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
    <Item Key="ClaimsEndpoint">https://graph.microsoft.com/v1.0/me</Item>
    <Item Key="client_id"><!-- Enter your client ID --></Item>
    <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="IdTokenAudience"><!-- Enter your client ID --></Item>
    <Item Key="response_types">code</Item>
    <Item Key="scope">https://graph.microsoft.com/user.read</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_AzureADSecret"/>
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="enterpriseAuthentication" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName" />
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="mail" />
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname" />
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="id" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="userPrincipalName" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateAzureADIdentityProvider" />
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

2) 创建“CreateAzureADIdentityProvider”声明转换。

<ClaimsTransformation Id="CreateAzureADIdentityProvider" TransformationMethod="ParseDomain">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="userPrincipalName" TransformationClaimType="emailAddress" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="domain" />
  </OutputClaims>
</ClaimsTransformation>
于 2018-02-28T05:01:49.867 回答