问题描述
我正在使用PKCE进行身份验证代码流,并且我的身份提供者是Azure Active目录.我创建了一个App,"client-app"来自App Registrations.在清单中,我添加了如下的appRoles.
I am following Authentication code flow with PKCE and my Identity provider is Azure Active directory.I have created a App , "client-app" from App Registrations. In the manifest I have added appRoles like the following.
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "StoreGroupManager",
"id": "47fbb575-859a-4941-89c9-0f7a6c30beac",
"isEnabled": true,
"description": "Consumer apps have access to the consumer data.",
"value": "StoreGroupManager"
}
]
我正在将此角色StoreGroupManager分配给Users.现在,当我遵循PKCE的授权代码流并获取id_token,刷新令牌和access_token时.我可以看到id_token有一个声明角色,但没有access_token.我需要在access_token中声明角色.可以吗?以下是已解码的id_token .
I am assigning this role StoreGroupManager to Users. Now when I follow Authorization code flow with PKCE and obtain the id_token , refresh token and access_token. I can see that the id_token has a claim roles but not the access_token.I need to have roles claim claim in the access_token. Can this be possible?The following is the decoded id_token.
推荐答案
如果访问令牌所针对的API的应用程序注册定义了这些角色并将其分配给用户,则角色将位于访问令牌中.因此,如果您为客户端和API使用相同的应用程序注册,则它们应该在那里.但是,如果您分别为客户端和API注册了应用程序,则需要在两个应用程序中定义角色,并在两个应用程序中同时为用户分配角色.
Roles will be in the access token if the app registration for the API that the access token is for defines those roles and they are assigned to the user.So if you use the same app registration for the client and API, they should be there.But if you have separate app registrations for the client and API, you will need to define the role in both apps and assign the user to it on both of them as well.
这篇关于如何在access_token中添加角色声明,当前它在id_token中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!