Our current B2C custom policy extension attribute (where we store permissions) is limited to 255 characters. We have therefore hit the permissions limit and need to expose AAD group membership through an Azure B2C custom policy instead. How do we define a custom claim that exposes the current user's group membership in the token?
Either use this sample, which presents the groups in the token in a better format but requires an API that you must host yourself.
Or call MS Graph directly from the custom policy, as follows:
- Get a token from AAD with the user.read scope:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api#using-oauth2-bearer
  <TechnicalProfile Id="SecureREST-AccessToken">
    <DisplayName></DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <Item Key="ServiceUrl">https://login.microsoftonline.com/your-tenant-name.onmicrosoft.com/oauth2/v2.0/token</Item>
      <Item Key="AuthenticationType">Basic</Item>
      <Item Key="SendClaimsIn">Form</Item>
    </Metadata>
    <CryptographicKeys>
      <!-- Client id and secret of the app registration used for the client-credentials call; keep the secret in a policy key, never inline -->
      <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_SecureRESTClientId" />
      <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_SecureRESTClientSecret" />
    </CryptographicKeys>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" />
      <!-- The client-credentials grant on the v2.0 endpoint requires the resource's .default scope;
           a delegated scope such as user.read is rejected. Grant the app the application permission it needs (e.g. GroupMember.Read.All) -->
      <InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />
    </OutputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
  </TechnicalProfile>
- Then call MS Graph:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-exchange
https://docs.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile#metadata
  <TechnicalProfile Id="REST-GetGroupsFromMSGraph">
    <DisplayName>Get group membership from MS Graph</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <!-- No quotes around the URL: the element text is used verbatim as the request URL.
           {objectId} is substituted from the input claim of the same name -->
      <Item Key="ServiceUrl">https://graph.microsoft.com/beta/users/{objectId}/memberOf?$select=id</Item>
      <Item Key="AuthenticationType">Bearer</Item>
      <Item Key="UseClaimAsBearerToken">bearerToken</Item>
      <Item Key="SendClaimsIn">Url</Item>
    </Metadata>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="bearerToken" />
      <!-- The signed-in user's object id, needed for the {objectId} placeholder in ServiceUrl -->
      <InputClaim ClaimTypeReferenceId="objectId" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="groupsPayload" PartnerClaimType="value" />
    </OutputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
  </TechnicalProfile>
The claim groupsPayload will contain the following value:
[ { "@odata.type": "#microsoft.graph.group", "id": "34af9ff3-ebfc-4bfb-9417-a86f5f499845" }, { "@odata.type": "#microsoft.graph.group", "id": "7485108c-7715-49af-a296-ee1f7295958d" } ]
And the token will carry the claim, including escape characters, like this:
"groupsPayload": [ "{ \"@odata.type\": \"#microsoft.graph.group\"", " \"id\": \"e06f5fd8-aee1-4e14-a692-dcde772c1465\" }" ],
Answered 2022-02-02T11:27:28.383
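The groupsPayload claim arrives in the token split on commas, as shown above, so the relying party has to reassemble it before the group IDs can be used for authorization. The following is an added Python example, not code from the question or answer; the sample claim value is constructed to match the shape the answer describes.

```python
import json
import uuid

# Constructed sample of the "groupsPayload" claim as it appears in the token:
# the policy engine split the Graph JSON array on commas, so the claim is a
# string collection whose members are fragments of the original JSON.
SAMPLE_GROUPS_PAYLOAD_CLAIM = [
    '{ "@odata.type": "#microsoft.graph.group"',
    ' "id": "e06f5fd8-aee1-4e14-a692-dcde772c1465" }',
    '{ "@odata.type": "#microsoft.graph.group"',
    ' "id": "7485108c-7715-49af-a296-ee1f7295958d" }',
]


def group_ids_from_claim(claim):
    """Reassemble the split groupsPayload claim and return the group object IDs.

    Accepts the fragment list produced by the custom policy, a single JSON
    string, or an already-parsed list of dicts. Only entries that are Microsoft
    Graph groups with a well-formed GUID id are returned; directory roles and
    malformed entries are dropped rather than trusted.
    """
    if isinstance(claim, list) and all(isinstance(x, str) for x in claim):
        text = ",".join(claim)  # undo the comma split
        if not text.lstrip().startswith("["):
            text = f"[{text}]"  # restore the array brackets the split removed
        entries = json.loads(text)
    elif isinstance(claim, str):
        entries = json.loads(claim)
    else:
        entries = claim

    ids = []
    for entry in entries:
        if not isinstance(entry, dict):
            continue
        if entry.get("@odata.type") != "#microsoft.graph.group":
            continue  # memberOf also returns directoryRole objects; ignore them
        try:
            ids.append(str(uuid.UUID(str(entry.get("id", "")))))
        except ValueError:
            continue  # not a GUID: never use it for an authorization decision
    return ids


def is_member_of(claim, group_id):
    """True if the normalized group_id appears in the claim's group IDs."""
    return str(uuid.UUID(group_id)) in group_ids_from_claim(claim)
```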