Azure AD B2C: getting a refresh token in Azure B2C when an Azure AD app is the third-party IDP
Tags: azure-ad-b2c, openid-connect, azure-ad-b2c-custom-policy

We have a web application in which users authenticate through Azure B2C. We added an Azure AD app as a claims provider, so our users should be able to sign in with both local accounts and Azure AD accounts. For the users who sign in through the Azure AD app we want to obtain the access and refresh tokens so that we can call Microsoft Graph. Getting the access token works, but no refresh token is sent. This is the custom policy TrustFrameworkExtensions.xml:
<ClaimsProvider>
<Domain>azuread</Domain>
<DisplayName>azure AD app</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="AADCommon-OpenIdConnect">
<DisplayName>Azure AD</DisplayName>
<Description>Login with your Azure AD account</Description>
<Protocol Name="OpenIdConnect"/>
<Metadata>
<Item Key="METADATA">https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration</Item>
<Item Key="client_id">CLIENT-ID</Item>
<Item Key="response_types">code</Item>
<Item Key="scope">openid profile offline_access</Item>
<Item Key="response_mode">form_post</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_azureadappkey"/>
</CryptographicKeys>
<OutputClaims>
...
<OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
<OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="{oauth2:refresh_token}"/>
</OutputClaims>
<OutputClaimsTransformations>
...
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
signup_sign.xml looks like this:
<RelyingParty>
<DefaultUserJourney ReferenceId="SignUpOrSignIn" />
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="email" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
<OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token"/>
<OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="idp_refresh_token"/>
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
In the user's claims there is an access token in idp_access_token, but there is nothing for idp_refresh_token.
What else do I have to change to get the refresh token? I looked into this last year and it was not possible then, because only the access token was returned.
It turns out that you have to switch the protocol of the technical profile from "OpenIdConnect" to "OAuth2" and specify the individual endpoints yourself:
<TechnicalProfile Id="AADCommon-OpenIdConnect">
<DisplayName>Company Azure AD</DisplayName>
<Description>Login with your Company Azure AD</Description>
<Protocol Name="OAuth2"/>
<OutputTokenFormat>JWT</OutputTokenFormat>
<Metadata>
<Item Key="AccessTokenEndpoint">https://login.microsoftonline.com/common/oauth2/v2.0/token</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</Item>
<Item Key="ClaimsEndpoint">https://graph.microsoft.com/v1.0/me</Item>
<Item Key="ClaimsEndpointAccessTokenName">access_token</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="client_id">CLIENT-ID</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="scope">offline_access openid</Item>
<Item Key="UsePolicyInRedirectUri">0</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_azureadappkey"/>
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
<OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
<OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="surname" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" DefaultValue="azuread" />
<OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
<OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="{oauth2:refresh_token}"/>
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
</TechnicalProfile>
With that, the refresh token shows up in the user's claims:
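The answer stops at the point where idp_refresh_token appears in the claims. What the relying party does next is redeem that refresh token against the Azure AD v2.0 token endpoint (the same AccessTokenEndpoint the OAuth2 technical profile uses) with the OAuth2 refresh_token grant, to get a fresh Microsoft Graph access token once the pass-through idp_access_token has expired. The code below is an added example and is not code from the question, the answer or Microsoft; it assumes the Azure AD app's CLIENT-ID and client secret (the value behind B2C_1A_azureadappkey), a Graph permission of User.Read, and a `post` callable that the caller supplies, so the whole flow runs offline against a constructed sample token and a fake token endpoint.

```python
"""Redeem the idp_refresh_token that B2C passes through from the Azure AD
claims provider for a new Microsoft Graph access token.

Added example, not code from the page.  The HTTP POST is injected as a
callable so the flow can be exercised offline against a fake endpoint.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict

# Azure AD v2.0 token endpoint, as in the answer's AccessTokenEndpoint item.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
# Assumed Graph permission granted to the Azure AD app registration.
DEFAULT_SCOPE = "offline_access https://graph.microsoft.com/User.Read"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def extract_idp_tokens(b2c_token: str) -> Dict[str, str]:
    """Return the idp_access_token / idp_refresh_token claims of a B2C-issued JWT.

    Caveat: this only parses the payload.  The relying party must validate the
    B2C signature, issuer, audience and expiry (e.g. against the B2C JWKS) before
    trusting these claims; this function assumes that has already happened.
    """
    parts = b2c_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    return {k: claims[k] for k in ("idp_access_token", "idp_refresh_token") if k in claims}


def build_refresh_request(refresh_token: str, client_id: str, client_secret: str,
                          scope: str = DEFAULT_SCOPE) -> Dict[str, str]:
    """Form fields of the OAuth2 refresh_token grant (RFC 6749 section 6).

    client_id/client_secret are those of the Azure AD app registered as the
    B2C claims provider, so this exchange belongs on the server, not in the browser.
    """
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": scope,
    }


def urllib_post(url: str, body: str) -> str:
    """Real transport: POST a form body and return the response text."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def refresh_graph_token(b2c_token: str, client_id: str, client_secret: str,
                        post: Callable[[str, str], str] = urllib_post) -> Dict[str, object]:
    """Exchange the pass-through refresh token for a new Graph access token."""
    tokens = extract_idp_tokens(b2c_token)
    if "idp_refresh_token" not in tokens:
        # Typical cause: the claims provider is still the OpenIdConnect profile
        # or its scope lacks offline_access, so Azure AD never issued one.
        raise LookupError("no idp_refresh_token claim in the B2C token")
    body = urllib.parse.urlencode(build_refresh_request(tokens["idp_refresh_token"],
                                                        client_id, client_secret))
    resp = json.loads(post(TOKEN_ENDPOINT, body))
    if "error" in resp:
        raise RuntimeError(f"{resp['error']}: {resp.get('error_description', '')}")
    return {
        "access_token": resp["access_token"],
        # Azure AD rotates refresh tokens; persist the new one if it is returned.
        "refresh_token": resp.get("refresh_token", tokens["idp_refresh_token"]),
        "expires_in": int(resp["expires_in"]),
    }


# --- constructed sample data for offline use (not real tokens) -------------
def make_sample_jwt(claims: Dict[str, str]) -> str:
    """Build a JWT-shaped string with a placeholder signature segment."""
    hdr = base64.urlsafe_b64encode(b'{"alg":"RS256","kid":"sample"}').rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{hdr}.{payload}.placeholder-signature"


SAMPLE_B2C_TOKEN = make_sample_jwt({
    "sub": "sample-object-id",
    "idp_access_token": "sample-graph-access-token",
    "idp_refresh_token": "sample-refresh-token",
})


def fake_azure_ad_post(url: str, body: str) -> str:
    """Stand-in for the token endpoint: accepts only the sample refresh token."""
    params = dict(urllib.parse.parse_qsl(body))
    if url != TOKEN_ENDPOINT or params.get("grant_type") != "refresh_token" \
            or params.get("refresh_token") != "sample-refresh-token":
        return json.dumps({"error": "invalid_grant", "error_description": "rejected"})
    return json.dumps({"token_type": "Bearer", "expires_in": 3599, "scope": params["scope"],
                       "access_token": "new-graph-access-token",
                       "refresh_token": "rotated-refresh-token"})


if __name__ == "__main__":
    print(refresh_graph_token(SAMPLE_B2C_TOKEN, "CLIENT-ID", "secret", fake_azure_ad_post))
```

Because B2C hands idp_refresh_token back inside the token it issues to the relying party, that token now carries a long-lived credential for the user's Azure AD account: redeem and store the refresh token server-side only, and never expose the B2C token containing it to browser code.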