Can you find the oid and sub values for an Active Directory oAuth user from within AD?

Question

I am integrating my web application with Azure AD via OpenId. User privileges are controlled by my application. I therefore need to map the oid or sub I receive in my access token to a record on my application database that I can use to understand a user's permissions. I intended having a front end that would allow non-technical system administrators to do this as they receive requests for access.

Is there a way, without performing and logging an oAuth transaction, that systems administrators could use to know the likely sub and/or oid that a user will be given at login, so that they could build the required permissions entry?

If not, I am assuming that I will need to perform a userinfo call on receipt of the access token in the server (as token introspection does exist on AD) to retrieve a different and more visible AD property. My application would then key permission records using this property and not oid or sub. My system administrators could set up user permissions using this more widely known field.

Answer 1

Score: 0

oid is the Object ID for the user, which is available through MS Graph API as the id property. In Azure Portal it's called object ID.

The sub claim is not available anywhere except the tokens issued to the application.
The same user would have different sub values for different applications as well.
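A worked illustration of the answer's point: key permission records on the tenant ID plus oid (the Object ID an administrator can read from the Azure Portal) and never on sub, which differs per client application. This is added example code, not from the question or the answer; it assumes the token was already signature-validated (iss, aud, exp) by your OIDC library, and the tenant ID, object ID, sub values and permission table are constructed placeholders.

```python
"""Map validated Azure AD token claims to an application permission record.

Added example, not code from the original question or answer. Assumes the
token signature, issuer, audience and expiry were already checked by the OIDC
library; the claim sets and GUIDs below are constructed placeholders.
"""
from typing import Optional

# Constructed sample: the same user signing in to two different client apps.
# tid and oid are identical; sub differs because it is pairwise per app.
TOKEN_APP_A = {"tid": "11111111-aaaa-bbbb-cccc-000000000001",
               "oid": "22222222-aaaa-bbbb-cccc-000000000002",
               "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
               "preferred_username": "alice@contoso.example"}
TOKEN_APP_B = {"tid": "11111111-aaaa-bbbb-cccc-000000000001",
               "oid": "22222222-aaaa-bbbb-cccc-000000000002",
               "sub": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
               "preferred_username": "alice@contoso.example"}

# Tenants this application serves (constructed). In a multi-tenant app the
# oid alone is not a safe key; it is scoped by the issuing tenant.
ALLOWED_TENANTS = {"11111111-aaaa-bbbb-cccc-000000000001"}

# Permission table an administrator fills in before the user's first login,
# using the Object ID shown in the Azure Portal (constructed values).
PERMISSIONS = {
    "11111111-aaaa-bbbb-cccc-000000000001:22222222-aaaa-bbbb-cccc-000000000002":
        {"role": "editor"},
}


def principal_key(claims: dict) -> str:
    """Return the stable identity key "tid:oid" for validated token claims.

    Raises ValueError when the claims cannot be mapped safely: a tenant outside
    the allow-list, or a token without oid. We deliberately never fall back to
    sub (app-specific) or preferred_username (mutable, can be reassigned).
    """
    tid = claims.get("tid")
    oid = claims.get("oid")
    if tid not in ALLOWED_TENANTS:
        raise ValueError("token issued for a tenant this application does not serve")
    if not oid:
        raise ValueError("token carries no oid claim; refusing to key on sub or username")
    return f"{tid}:{oid}"


def lookup_permissions(claims: dict) -> Optional[dict]:
    """Resolve validated claims to the administrator-provisioned record, or None."""
    return PERMISSIONS.get(principal_key(claims))
```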

huangapple
  • Posted on 2023-05-15 15:37:36
  • Please retain this link when reposting: https://go.coder-hub.com/76251833.html