Azure AD-令牌中缺少角色声明

更新时间：2022-10-18 14:59:01

令牌是令牌的访问不是用于您的应用。您要查找的角色应该在id令牌中。

我之所以这么说是因为观众是00000002-0000-0000-c000-000000000000，是内置的API（尽管无法回忆起哪个）。

I've set up authentication through Azure Active Directory (AAD) and everything works fine (I receive my access and refresh tokens).

I've read about app roles and I would like to use them (for simplicity, let's assume I want to have Admin and User roles). I've followed the official documentation (which is missing the last part ..) here.

Unfortunately, the tokens don't contain the 'roles' claim.

Here is my setup in more detail:

1) I have Azure AD app called TestAuthApp and I added roles to the manifest

2) I assigned the roles

3) This is the url for login: https://login.microsoftonline.com/3926f5f4-ca60-46de-b9f8-72639d55232d/oauth2/authorize?client_id=fea5d169-5535-4a8c-ba61-bcb0b25129dd&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A1338%2Fauth

4) And this is the node.js code which handles the auth code and receives the tokens

5) Example of a returned access token for Test Joe (when you check it in jwt.io you see that roles claim is not present) eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImFQY3R3X29kdlJPb0VOZzNWb09sSWgydGlFcyIsImtpZCI6ImFQY3R3X29kdlJPb0VOZzNWb09sSWgydGlFcyJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8zOTI2ZjVmNC1jYTYwLTQ2ZGUtYjlmOC03MjYzOWQ1NTIzMmQvIiwiaWF0IjoxNTcxMjMxNjQwLCJuYmYiOjE1NzEyMzE2NDAsImV4cCI6MTU3MTIzNTU0MCwiYWNyIjoiMSIsImFpbyI6IjQyVmdZT0F5czRzdGFOclB0MFNtWUNOZllxamtuczNMcnpYLzhacTY1NjRXaTBuVXdwMEEiLCJhbXIiOlsicHdkIl0sImFwcGlkIjoiZmVhNWQxNjktNTUzNS00YThjLWJhNjEtYmNiMGIyNTEyOWRkIiwiYXBwaWRhY3IiOiIxIiwiaXBhZGRyIjoiOTQuMjMwLjE1MC40IiwibmFtZSI6IlRlc3QgSm9lIiwib2lkIjoiZDU3YjZlNjAtNzVhMC00ODM4LTllYmMtZWM1MzRkYjAyMTM0IiwicHVpZCI6IjEwMDMyMDAwNDhGOEMwNEQiLCJzY3AiOiJVc2VyLlJlYWQiLCJzdWIiOiJURllOclNGT01EcU5kRnBaY25YeGdoRm1GR2IteHFZN3Y2bDh6R1lhRGg4IiwidGVuYW50X3JlZ2lvbl9zY29wZSI6Ik5BIiwidGlkIjoiMzkyNmY1ZjQtY2E2MC00NmRlLWI5ZjgtNzI2MzlkNTUyMzJkIiwidW5pcXVlX25hbWUiOiJ0ZXN0am9lQHNlY3VyaXR5cG9jMTIzNC5vbm1pY3Jvc29mdC5jb20iLCJ1cG4iOiJ0ZXN0am9lQHNlY3VyaXR5cG9jMTIzNC5vbm1pY3Jvc29mdC5jb20iLCJ1dGkiOiJHQUJCYy1TaTBVbXZMMzVBRXk4V0FBIiwidmVyIjoiMS4wIn0.Z8gydgRzEqk9dZ_fxt67iZMwVqu708WrZWJf3_9ydgc9cV0HizECxXxeNuws6EtiQhLxnguOVYKq7s5R2V4AlquAnc75YaMn0mWhZXGEtuVT6T6tldy5GgrbDpJy9eU5Ismo5ppfkcGRkUoJ0lScHeXic1gQ_M_k44e-QXJtMMxr6JdPA9jqixuCMK-84TdbYC1RlJYM47PJfYttWoibI29XsoUU-0ucwcCB8hshZfQRU48LrTlCwmtB-p9rim6E7xLmBxaXMBo99N9AizGJj9jV-rr_bPGXpq8_CQsiF07cKJ51SWe8dbMpCwybKYVVoMc3rsazylKcJzxDp1rD4A

The token is an access token that is not for your app. The roles you are looking for should be in the id token.

The reason why I say that is because the audience is 00000002-0000-0000-c000-000000000000, which is a built-in API (can't recall which one though).

上一篇 : ：有没有办法使用 JWT 和 Azure AD 令牌来授权 Net Core 3.0 API下一篇 : C# params 关键字有两个相同类型的参数

Azure AD-令牌中缺少角色声明

相关阅读

技术问答最新文章