Azure API Management - Scope Claim NULL

五迷三道 submitted on 2020-01-14 03:12:33

Question


I have a question regarding the SCP claim after using Azure to register an API that I've developed. I've followed various tutorials and sample applications. Everything validates correctly and I'm able to call an API method from a trusted subsystem using primarily this tutorial: https://github.com/AzureADSamples/WebApp-WebAPI-OAuth2-AppIdentity-DotNet

The problem that I'm having is when I try to validate the SCP claim:

Claim scopeClaim = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/scope");

The scopeClaim value is always null. I do see other claims within the ClaimsPrincipal.Current object but not the Scope. My understanding is that if I download the manifest and upload it with the application permission included it will be available within the API to verify if the calling application has the correct Scope. Below is my application manifest (appPermissions only):

"appPermissions": [
  {
    "claimValue": "access.fullaccess",
    "description": "Allow the application full access to the service on behalf of the signed-in user",
    "directAccessGrantTypes": [],
    "displayName": "Have full access to the service",
    "impersonationAccessGrantTypes": [
      {
        "impersonated": "User",
        "impersonator": "Application"
      }
    ],
    "isDisabled": false,
    "origin": "Application",
    "permissionId": "52966341-1bb5-4e9f-b4f6-46aad4d03b33",
    "resourceScopeType": "Personal",
    "userConsentDescription": "Allow the application full access to the service on your behalf",
    "userConsentDisplayName": "Have full access to the service"
  }
]

Update

So upon further playing around and creating multiple appPermissions for the API and allowing the client Web Application to choose multiple "Scopes" the JWT returned does not contain any of the Scope Claims. Is there something that I'm missing or not doing correctly?


Answer 1:


The claims you get back in the JWT token depend on the OAuth flow you are using, and on the permissions you have defined.

When using Azure AD to implement OAuth, you will always need (at least) two applications registered with Azure AD: One API Provider, and one or more API Consumers. Depending on which Flow you are implementing, you will also need Users to go with that.

Let's pick the simplest case first: the Client Credentials Flow. In the CC Flow, you don't have any users involved, and the only permissions which are important are the Application Permissions. Now, and this is a little tricky, those aren't reflected in the JWT token as scp claims, but rather as a roles claim containing the appRoles (see documentation) of the Consumer Application. These "App Roles" need to be defined, just like the appPermissions, in the manifest of the API-providing application.

Only if you use a flow which also involves a user, like the Authorization Code Grant or the Resource Owner Password Grant, will you see the scp claims in your token, provided you have defined the corresponding permissions using the AD interface.
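
As an added illustration of the answer (not code from the question, the answerer, or the linked sample), a small Python helper that inspects an Azure AD v1 token's claims and accepts either the delegated `scp` claim or the app-only `roles` claim, so a client-credentials caller is not rejected just because `scp` is absent. The two sample tokens and the `api://example` audience are constructed for the demo (the `access.fullaccess` value comes from the question's manifest); signature validation is assumed to have been done already by the authentication middleware, as it has for ClaimsPrincipal.Current.

```python
from __future__ import annotations

import base64
import json

# Raw Azure AD v1 claim names. ASP.NET maps "scp" to the claim type
# http://schemas.microsoft.com/identity/claims/scope used in the question.
SCOPE_CLAIM = "scp"     # delegated (user) permissions: space-separated string
ROLES_CLAIM = "roles"   # application permissions (appRoles): JSON array


def decode_payload(jwt: str) -> dict:
    """Parse the payload segment of a compact JWT into a dict.

    No signature check is done here: that is assumed to have happened in the
    authentication middleware before the claims are trusted.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> tuple[str, set[str]]:
    """Return ("delegated", scopes), ("application", roles) or ("none", set()).

    A client-credentials token carries no 'scp' claim at all, so code that
    only reads 'scp' sees null and rejects every app-only caller.
    """
    if SCOPE_CLAIM in claims:
        return "delegated", set(claims[SCOPE_CLAIM].split())
    if ROLES_CLAIM in claims:
        return "application", set(claims[ROLES_CLAIM])
    return "none", set()


def has_permission(claims: dict, required: str) -> bool:
    """True when the token grants `required` under either permission model."""
    _kind, granted = granted_permissions(claims)
    return required in granted


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned sample JWT (demo input only, alg=none)."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(payload)}."


# Constructed sample tokens mirroring the two flows described in the answer.
DELEGATED_TOKEN = make_unsigned_token({"aud": "api://example", "scp": "access.fullaccess"})
APP_ONLY_TOKEN = make_unsigned_token({"aud": "api://example", "roles": ["access.fullaccess"]})
```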



Source: https://stackoverflow.com/questions/26497365/azure-api-management-scope-claim-null
