我需要Azure AD发出具有安全组名称的声明。 但是JWT令牌中只有组对象 id 。
如何获取安全组名称?
到目前为止,我做了什么: 1.创建一个测试安全组,并为其分配用户。这是该用户的唯一组。
按照此正式文档https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest
这是应用程序清单的相关部分:
ionViewWillEnter()
答案 0 :(得分:1)
您无法从令牌中获取它们。如您所见,您仅获得 ID。 通常这很好,因为 ID 不能更改,而名称可以更改。
如果要基于组进行授权,可以在配置文件中设置ID,然后检查ID。
如果您想为其他目的使用名称,则需要从Microsoft Graph API查询组。 您可以在以下位置找到API文档:https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/groups-overview
答案 1 :(得分:0)
You cannot receive group display names inside your id_token.
但是您可以查询组属性,例如来自另一个api的组显示名称,在本例中为ms graph api。
这是我通过ms graph api查询组显示名称的方法。
谢谢
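/// <summary>
/// Translate group.Id list received on id_token into group.DisplayName list.
/// Each id is resolved through Microsoft Graph with an app-only (client_credentials)
/// access token, so the caller's own token is never forwarded to Graph.
/// </summary>
/// <param name="groupIdList">Group object ids taken from the id_token groups claim.</param>
/// <returns>
/// The display names in the same order as <paramref name="groupIdList"/>;
/// the input itself when it is null or empty.
/// </returns>
/// <exception cref="InvalidOperationException">
/// A required configuration value is missing, the token request fails, a group
/// cannot be read from Graph, or the returned group has no displayName.
/// </exception>
public override List<string> TranslateGroupNames(List<string> groupIdList)
{
    // validations
    if (groupIdList == null || groupIdList.Count == 0)
        return groupIdList;
    if (string.IsNullOrEmpty(Configuration.ClientID))
        throw new InvalidOperationException("A configuração 'ClientID' não pode ser vazia.");
    if (string.IsNullOrEmpty(Configuration.ClientSecret))
        throw new InvalidOperationException("A configuração 'ClientSecret' não pode ser vazia.");
    if (string.IsNullOrEmpty(Configuration.TokenEndpoint))
        throw new InvalidOperationException("A configuração 'TokenEndpoint' não pode ser vazia.");
    if (string.IsNullOrEmpty(Configuration.TenantID))
        throw new InvalidOperationException("A configuração 'TenantID' não pode ser vazia.");

    // acquire a brand new access_token via client_credentials, specifically for ms graph api
    var clientCredentialsRequest = new ClientCredentialsTokenRequest
    {
        Address = Configuration.TokenEndpoint,
        ClientId = Configuration.ClientID,
        ClientSecret = Configuration.ClientSecret,
        Scope = "https://graph.microsoft.com/.default",
    };

    // The overridden signature is synchronous, so the async call has to be blocked on.
    // GetAwaiter().GetResult() surfaces the real exception instead of an AggregateException;
    // the deadlock risk of blocking on a synchronization-context host still applies.
    var accessTokenResponse = _httpClient
        .RequestClientCredentialsTokenAsync(clientCredentialsRequest)
        .GetAwaiter().GetResult();
    if (accessTokenResponse.IsError)
        throw new InvalidOperationException($"Falha ao recuperar AcessToken. {accessTokenResponse.Error}: {accessTokenResponse.ErrorDescription}");

    // set access_token on httpclient
    // NOTE(review): this mutates the default headers of the shared _httpClient, so concurrent
    // callers would race on the bearer value — confirm the client is not shared across requests.
    _httpClient.SetBearerToken(accessTokenResponse.AccessToken);

    var result = new List<string>(groupIdList.Count);

    // query ms graph api to recover group info
    foreach (var groupId in groupIdList)
    {
        // a null/blank id would turn the request into a collection listing; reject it up front
        if (string.IsNullOrWhiteSpace(groupId))
            throw new InvalidOperationException("Grupo inválido");

        // The id is escaped so a malformed claim value cannot alter the request path, and
        // $select limits the response to the one attribute this method reads.
        // NOTE(review): Graph v1.0 normally addresses groups as /v1.0/groups/{id}; the tenant
        // segment is kept as the author had it — confirm it resolves in your tenant.
        var url = $"https://graph.microsoft.com/v1.0/{Configuration.TenantID}/groups/{Uri.EscapeDataString(groupId)}?$select=displayName";

        using (var groupResponse = _httpClient.GetAsync(url).GetAwaiter().GetResult())
        {
            if (!groupResponse.IsSuccessStatusCode)
                throw new InvalidOperationException($"Falha ao recuperar grupo. {groupResponse.ReasonPhrase}");

            var jsonString = groupResponse.Content.ReadAsStringAsync().GetAwaiter().GetResult();
            var group = JsonConvert.DeserializeObject<dynamic>(jsonString);
            if (group?.displayName?.Value == null)
                throw new InvalidOperationException($"Grupo inválido");

            // get group display name
            result.Add(group.displayName.Value);
        }
    }

    return result;
}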
答案 2 :(得分:0)