How to get values of custom Azure AD B2C user profile properties

I have an Azure AD B2C tenant and application with authentication enabled using Facebook, another AAD, and local accounts. Users in B2C have some custom fields that are filled in at sign-up and used as claims in the JWT token.

But I can't see these field values anywhere in the Azure portal, nor via the Microsoft Graph API.

Where are they stored, and how can I access them?

You can access the custom claims either by including them in the token sent to your application or by querying the Azure AD Graph API (not the Microsoft Graph yet).

  1. Include the custom claims in the token: in the B2C blade of the Azure portal, select the policy you are using, click "Edit", then "Application claims", and select the custom attributes. Full documentation
  2. Query the Azure AD Graph API: register an Azure AD application and query the Azure AD Graph API. Full documentation

Here is some C# code for #2:

using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
using Newtonsoft.Json;

// Returns the raw JSON for one user (including its extension_* custom attributes)
// from the Azure AD Graph API, authenticating with the app's own identity.
public async Task<string> GetUserAsync()
{
    // The client_id, client_secret, and tenant would normally be pulled in from the App.config file
    var clientId = "YOUR_CLIENT_ID";
    var clientSecret = "YOUR_CLIENT_SECRET";
    var tenant = "yourtenant.onmicrosoft.com";

    var userObjectId = "OID_OF_THE_USER";
    var api = "/users/" + userObjectId;

    var authContext = new AuthenticationContext("https://login.microsoftonline.com/" + tenant);

    // The ClientCredential is where you pass in your client_id and client_secret, which are
    // provided to Azure AD in order to receive an access_token using the app's identity.
    var credential = new ClientCredential(clientId, clientSecret);

    // First, use ADAL to acquire a token using the app's identity (the credential).
    // The first parameter is the resource we want an access_token for; in this case, the Graph API.
    AuthenticationResult result = await authContext.AcquireTokenAsync("https://graph.windows.net", credential);

    // For B2C user management, be sure to use the Azure AD Graph API for now.
    // The resource path comes before the query string; api-version=1.6 is the Azure AD Graph version.
    HttpClient http = new HttpClient();
    string url = "https://graph.windows.net/" + tenant + api + "?api-version=1.6";

    // Append the access token for the Graph API to the Authorization header of the request, using the Bearer scheme.
    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, url);
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
    HttpResponseMessage response = await http.SendAsync(request);

    if (!response.IsSuccessStatusCode)
    {
        string error = await response.Content.ReadAsStringAsync();
        object formatted = JsonConvert.DeserializeObject(error);
        throw new WebException("Error Calling the Graph API: \n" + JsonConvert.SerializeObject(formatted, Formatting.Indented));
    }

    return await response.Content.ReadAsStringAsync();
}

See this guide for including custom claims/attributes in your JWT: Use custom attributes to collect information about your consumers

See this guide: Use the Azure AD Graph API and sample app for viewing the custom claims via the Azure AD Graph API.

In the Graph API they will be returned as: extension_[GUID]_[ClaimName]
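As an added example (not code from either answer above), the following Python shows what the extension_[GUID]_[ClaimName] convention means in practice: the GUID is the application ID of the tenant's b2c-extensions-app with the hyphens removed, so a user object returned by Azure AD Graph can be filtered down to the attributes of that app and mapped back to their friendly names. It also builds the user URL with the Azure AD Graph api-version=1.6, with the resource path placed before the query string. The user JSON, tenant name, application ID and object ID are constructed placeholders, not real tenant data.

```python
import json
import re
from typing import Dict
from urllib.parse import quote

AAD_GRAPH = "https://graph.windows.net"
AAD_GRAPH_VERSION = "api-version=1.6"

# Azure AD Graph names custom attributes extension_<appId without hyphens>_<attribute>.
EXTENSION_RE = re.compile(r"^extension_([0-9a-fA-F]{32})_(.+)$")

# Constructed: the application ID of the tenant's b2c-extensions-app (placeholder value).
B2C_EXTENSIONS_APP_ID = "2d1a7ae5-b8de-4c2e-9e3c-4f5a6b7c8d9e"

# Constructed sample of what GET /users/{objectId} returns; every value here is made up.
SAMPLE_USER_JSON = """
{
  "objectId": "00000000-0000-0000-0000-000000000001",
  "displayName": "Example User",
  "userType": "Member",
  "extension_2d1a7ae5b8de4c2e9e3c4f5a6b7c8d9e_LoyaltyNumber": "ABC-123",
  "extension_2d1a7ae5b8de4c2e9e3c4f5a6b7c8d9e_Department": "Sales",
  "extension_ffffffffffffffffffffffffffffffff_Other": "belongs to a different extensions app"
}
"""


def graph_user_url(tenant: str, object_id: str) -> str:
    """Azure AD Graph URL for one user: path first, then the api-version query string."""
    return f"{AAD_GRAPH}/{tenant}/users/{quote(object_id, safe='')}?{AAD_GRAPH_VERSION}"


def extension_property_name(app_id: str, attribute_name: str) -> str:
    """Graph property name for a custom attribute owned by the given extensions app."""
    return f"extension_{app_id.replace('-', '')}_{attribute_name}"


def extract_extension_properties(user_json: str) -> Dict[str, object]:
    """All extension_* properties on a user object, keyed by their full Graph name."""
    user = json.loads(user_json)
    return {name: value for name, value in user.items() if EXTENSION_RE.match(name)}


def custom_attributes_for_app(user_json: str, app_id: str) -> Dict[str, object]:
    """Custom attributes that belong to app_id, keyed by their friendly (portal) name."""
    wanted = app_id.replace("-", "").lower()
    result: Dict[str, object] = {}
    for name, value in extract_extension_properties(user_json).items():
        guid, attribute = EXTENSION_RE.match(name).groups()
        if guid.lower() == wanted:
            result[attribute] = value
    return result


if __name__ == "__main__":
    print(graph_user_url("yourtenant.onmicrosoft.com", "00000000-0000-0000-0000-000000000001"))
    print(extension_property_name(B2C_EXTENSIONS_APP_ID, "LoyaltyNumber"))
    print(custom_attributes_for_app(SAMPLE_USER_JSON, B2C_EXTENSIONS_APP_ID))
```

Filtering on the extensions app's GUID matters because a tenant can carry extension properties registered by several applications; only those whose GUID matches the b2c-extensions-app are the attributes defined in the B2C portal.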