It is not possible without calling Graph from the BE:
Here is the discussion: https://github.com/AzureAD/azure-activedirectory-library-for-js/issues/239
If the hasgroups claim is not present in the id_token - take the groups from the id_token. If it is present - call Graph on the Azure AD 2.0 endpoint.
Example (security groups are indeed issued in the implicit flow):
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Helpers; // Json.Decode
using Microsoft.Identity.Client;
...
// Obtaining the Access Token by Id Token (on-behalf-of flow)...
var redirectUri = "http://localhost";
var authority = @"https://login.microsoftonline.com/common/v2.0";
var clientId = "00000000-0000-0000-0000-000000000000";
var userObjectId = "00000000-0000-0000-0000-000000000000"; // from id_token (oid claim)
var idToken = "ey-- ID Token from the JS Side";
var appKey = "Client Secret here";
var cc = new ClientCredential(appKey);
var cca = new ConfidentialClientApplication(clientId, authority, redirectUri, cc, null, null);
var ua = new UserAssertion(idToken, "urn:ietf:params:oauth:grant-type:jwt-bearer");
// Make sure: here is one user-consented scope (should be requested from the front-end side) and one admin-consented scope
var authResult = await cca.AcquireTokenOnBehalfOfAsync(new[] { "User.Read", "Group.Read.All" }, ua);
var accessToken = authResult.AccessToken;
// And then calling MS Graph...
var requestUrl = $"https://graph.microsoft.com/v1.0/users/{userObjectId}/getMemberGroups";
// Prepare and make the POST request
HttpResponseMessage response;
using (var client = new HttpClient())
{
    using (var request = new HttpRequestMessage(HttpMethod.Post, requestUrl))
    {
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        // securityEnabledOnly is a Boolean in the getMemberGroups request body, not a string
        var content = new StringContent("{\"securityEnabledOnly\": true}");
        content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
        request.Content = content;
        response = await client.SendAsync(request);
    }
}
var groupObjectIds = new List<string>();
// Endpoint returns JSON with an array of group object IDs in "value"
if (response.IsSuccessStatusCode)
{
    var responseContent = await response.Content.ReadAsStringAsync();
    var groupsResult = Json.Decode(responseContent).value;
    foreach (string groupObjectId in groupsResult)
        groupObjectIds.Add(groupObjectId);
}
return groupObjectIds;
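The decision described in this answer (read groups from the id_token unless the overage marker says to ask Graph), as an added example that is not the answer author's code. It assumes the token's signature and issuer were already validated upstream (e.g. by passport-azure-ad), uses constructed sample tokens, and also recognises the `_claim_names.groups` overage marker that non-implicit flows use:

```javascript
// Added example (not from the original answer): decide whether group membership
// can be read from the id_token claims or must be fetched from Microsoft Graph.
// Assumes signature/issuer validation already happened (e.g. in passport-azure-ad).
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload (middle segment) of a compact JWT into a claims object.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact-serialized JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Overage: the token carries no group list, only a marker saying "ask Graph".
// 'hasgroups' is the implicit-flow marker; '_claim_names.groups' is used by other flows.
function isGroupOverage(claims) {
  return claims.hasgroups === true || Boolean(claims._claim_names && claims._claim_names.groups);
}

// Returns where the groups come from and, in the overage case, the Graph
// request to issue (same URL and body as the C# in the answer above).
function resolveGroups(idToken) {
  const claims = decodeClaims(idToken);
  if (isGroupOverage(claims)) {
    return {
      source: 'graph',
      groups: null,
      graphRequest: {
        url: `https://graph.microsoft.com/v1.0/users/${claims.oid}/getMemberGroups`,
        body: { securityEnabledOnly: true },
      },
    };
  }
  return { source: 'token', groups: Array.isArray(claims.groups) ? claims.groups : [], graphRequest: null };
}
// Constructed sample tokens: realistic header, placeholder signature (never verified here).
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.placeholder-signature`;
}
const TOKEN_WITH_GROUPS = makeSampleToken({ oid: '11111111-1111-1111-1111-111111111111', groups: ['g1', 'g2'] });
const TOKEN_OVERAGE = makeSampleToken({ oid: '22222222-2222-2222-2222-222222222222', hasgroups: true });
```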
Can you set the groups claim in the application manifest? To avoid using the Graph API, how do you guarantee that your users will never have more groups than the maximum allowed in the token? –
Assuming this is also you: https://social.msdn.microsoft.com/Forums/en-US/2b49109b-b98a-4b54-b644-43d623a7d36a/azure-ad-jwt-token-is-missing-group-information?forum=WindowsAzureAD, I see you have. Have you looked at the raw 'id_token' (e.g. on jwt.io, etc.)? –
@PhilippeSignoret Yes, that's me. Not sure how jwt.io would help me if Azure never includes that information in the token. Also, we are using "passport-azure-ad" on the server to parse and validate the token – LP13