Missing UPN in claim using v2.0 endpoint

Submitted by 感情迁移 on 2020-12-12 05:38:27

Question


I have set up a project like the following example from Microsoft where I have a native application requesting access to a web api using the v2.0 endpoint: https://github.com/azureadquickstarts/appmodelv2-nativeclient-dotnet

I have managed to sign in successfully to AAD by using an account registered in that AAD and not a Microsoft account. I do receive a claim, however the claim contains neither a upn nor an email. I am using jwt.ms to analyse the claim and this is the info I am receiving from the claim:

{
   "typ": "JWT",
   "alg": "RS256",
   "kid": "1LTMzakihiRla_8z2BEJVXeWMqo"
}.{
   "aud": "Client ID/ App ID",
   "iss": "https://login.microsoftonline.com/tenantid/v2.0",
   "iat": 1534758037,
   "nbf": 1534758037,
   "exp": 1534761937,
   "aio": "ATQAy/8IAAAA+PZj+5vnrUwDfqTTKNBDcy0Tl7rOztkxzrb9YWXHVlevKwrlsGBP/gYAvL4bwr2G",
   "azp": "Client ID/ App ID",
   "azpacr": "0",
   "e_exp": 262800,
   "name": "xxx yyy",
   "oid": "9cc37e1d-0490-4cf4-9bb8-c872899dee91",
   "preferred_username": "test@tenantname.onmicrosoft.com",
   "scp": "access_as_user",
   "sub": "2l0nasrd8QbBpiEu1RGLFCavj3SzTzizIgmKAiMbdU0",
   "tid": "tenantid",
   "uti": "HG2cIi_MGUyBxBl6MzFPAA",
   "ver": "2.0"
}.[Signature]

I can't figure out why I am not getting the UPN in the claim. I would really appreciate any help!


Answer 1:


You need to make a request explicitly for UPN and Email. In the v1.0 endpoint they are returned by default, but because v2.0 wanted smaller tokens, they have been made optional. Go through the following links and hopefully your problem will be solved.

Why you have to request the UPN and email claims:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

How to add optional claims in the application manifest:
https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest




Answer 2:


You need to make sure you are also requesting the openid and the profile scopes. Information on what scopes give what information in the individual claims can be found in the documentation here, with some basic overview info here.

I downloaded the sample you referenced. In the App.config file, I changed the scope key to `/access_as_user openid profile email" />` and ran the code. This results in getting the preferred_username claim: "The primary username that represents the user in the v2.0 endpoint. It could be an email address, phone number, or a generic username without a specified format. Its value is mutable and might change over time. The profile scope is required in order to receive this claim."

The openid, profile and email scopes are part of the well-known scopes in the V2 endpoints, discussed in the Azure AD developer's documentation. To view those well-known scopes you can go to the URL:

https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

Where {tenant} can be replaced with:

common = Users with both a personal Microsoft account and a work or school account from Azure Active Directory (Azure AD) can sign in to the application.

organizations = Only users with work or school accounts from Azure AD can sign in to the application.

consumers = Only users with a personal Microsoft account can sign in to the application.

tenantGUID or tenantName = (your specific Azure AD tenant id or name, i.e. contoso.onmicrosoft.com) users of a single tenant can access the application. Either the friendly domain name of the Azure AD tenant or the tenant's GUID identifier can be used.

Going to the https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration URL you will get JSON that shows those scopes available there under the scopes_supported section:

"scopes_supported": 
[
  "openid",
  "profile",
  "email",
  "offline_access"
],

Those four scopes are special scopes to the v2 endpoint, and therefore when you request them you do not need to see what application or service principal those scopes are accessing. They are global, in a way, to the v2 endpoint; hence when you request them, you request them as "openid profile email offline_access". No application identifier should be used for those scopes.
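To see concretely which username claim a v2.0 token actually carries, here is an added example (not from the question, the answers, or the Microsoft sample) that rebuilds the token from the header and claims quoted in the question, decodes it the way jwt.ms does, and picks a user identifier with the fallback order upn, then email, then preferred_username. The signature segment is a constructed placeholder and is not verified; a real API must validate the signature against the tenant's keys before trusting any claim.

```python
import base64
import json

# Constructed sample: the header and (abbreviated) claims quoted in the question,
# with a placeholder signature. Nothing here verifies the signature.
HEADER = {"typ": "JWT", "alg": "RS256", "kid": "1LTMzakihiRla_8z2BEJVXeWMqo"}
PAYLOAD = {
    "aud": "Client ID/ App ID",
    "iss": "https://login.microsoftonline.com/tenantid/v2.0",
    "name": "xxx yyy",
    "oid": "9cc37e1d-0490-4cf4-9bb8-c872899dee91",
    "preferred_username": "test@tenantname.onmicrosoft.com",
    "scp": "access_as_user",
    "tid": "tenantid",
    "ver": "2.0",
}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_sample_token() -> str:
    """Assemble header.payload.signature in compact JWS form (placeholder signature)."""
    return ".".join([_b64url_encode(json.dumps(HEADER).encode()),
                     _b64url_encode(json.dumps(PAYLOAD).encode()),
                     "signature-placeholder"])

def decode_unverified(token: str) -> tuple:
    """Split a compact JWT into (header, claims) WITHOUT checking the signature,
    which is what jwt.ms does for inspection. Only use this to look at a token;
    authorization decisions need a signature check against the issuer's keys."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))

def user_identity(claims: dict) -> dict:
    """Pick a display identifier (upn, then email, then preferred_username) and
    always return the stable (oid, tid) pair, because preferred_username is
    mutable per the Microsoft docs and must not be used as the primary key."""
    for name in ("upn", "email", "preferred_username"):
        if name in claims:
            return {"claim": name, "value": claims[name],
                    "oid": claims["oid"], "tid": claims["tid"]}
    raise ValueError("no username claim: request the profile/email scopes "
                     "or configure optional claims in the app manifest")
```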



Source: https://stackoverflow.com/questions/51928314/missing-upn-in-claim-using-v2-0-endpoint
