Azure AD“组”声明未传递到mod_auth_openidc

Question

我创建了一个Azure AD帐户来测试SSO。我能够让Apache使用SSO对站点进行身份验证，并将经过身份验证的用户的电子邮件地址作为标头进行传递。我很难让“组”声明通过。

我的Apache配置如下所示：

LoadModule auth_openidc_module /usr/lib64/httpd/modules/mod_auth_openidc.so

<IfModule mod_auth_openidc.c>
    OIDCProviderMetadataURL https://sts.windows.net/<removed>/.well-known/openid-configuration

    OIDCClientID <removed>
    OIDCClientSecret <removed>

    OIDCRedirectURI https://<removed>/redirect_uri
    OIDCResponseType code

    OIDCScope "openid email profile groups family_name given_name"
    OIDCSSLValidateServer Off

    OIDCCryptoPassphrase <removed>

    OIDCPassClaimsAs headers
    OIDCClaimPrefix USERINFO_

    OIDCRemoteUserClaim email
    OIDCPassUserInfoAs claims
    OIDCAuthNHeader USER

    OIDCPassIDTokenAs claims
    OIDCPassRefreshToken On
</IfModule>

我在Azure AD中的可选声明如下所示：

​

​

此外，我在AD中创建了一个名为"Users“的组，并将自己添加到该组中。因此，我希望看到"Users“作为某种属性在头部中传递。

如果我在服务器上打印HTTP标头，我会看到以下内容...

CONTEXT_DOCUMENT_ROOT: /var/httpd/cgi-bin/
CONTEXT_PREFIX: /cgi-bin/
DOCUMENT_ROOT: /var/SP/httpd/htdocs/docs
GATEWAY_INTERFACE: CGI/1.1
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
HTTP_ACCEPT_ENCODING: gzip, deflate, br
HTTP_ACCEPT_LANGUAGE: en-GB,en-US;q=0.9,en;q=0.8
HTTP_CACHE_CONTROL: max-age=0
HTTP_COOKIE: _ga=GA1.2.601634409.1596125029; mod_auth_openidc_session=c186c9d6-eebe-11ea-8429-7982f43b32a7
HTTP_HOST: <removed>
HTTP_SEC_FETCH_DEST: document
HTTP_SEC_FETCH_MODE: navigate
HTTP_SEC_FETCH_SITE: none
HTTP_SEC_FETCH_USER: ?1
HTTP_UPGRADE_INSECURE_REQUESTS: 1
HTTP_USER: <removed>
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
HTTP_X_AMZN_TRACE_ID: Root=1-5f52559a-6b8b464ec338a6097565fce0
HTTP_X_FORWARDED_FOR: <removed>
HTTP_X_FORWARDED_PORT: 443
HTTP_X_FORWARDED_PROTO: https
LD_LIBRARY_PATH: /opt/apache-2.4/lib64
PATH: /sbin:/usr/sbin:/bin:/usr/bin
QUERY_STRING:
REMOTE_ADDR: <removed>
REMOTE_PORT: 45364
REMOTE_USER: <removed>
REQUEST_METHOD: GET
REQUEST_SCHEME: http
REQUEST_URI: /cgi-bin/headers.cgi
SCRIPT_FILENAME: /var/httpd/cgi-bin/headers.cgi
SCRIPT_NAME: /cgi-bin/headers.cgi
SCRIPT_URI: http://<removed>/cgi-bin/headers.cgi
SCRIPT_URL: /cgi-bin/headers.cgi
SERVER_ADDR: <removed>
SERVER_ADMIN: <removed>
SERVER_NAME: <removed>
SERVER_PORT: 80
SERVER_PROTOCOL: HTTP/1.1
SERVER_SIGNATURE:
SERVER_SOFTWARE: Apache/2.4.46 (Unix) OpenSSL/1.1.1c
X_REMOTE_USER: <removed>

REMOTE_USER、X_REMOTE_USER和HTTP_USER都会显示正确的经过身份验证的用户电子邮件。

我没有看到任何与"groups"，"USERINFO_"，"family_name"，"given_name“相关的东西。甚至连空白占位符都没有。

我有点卡住了，因为据我所知，Apache配置看起来还不错，而且从我读到的内容来看，Azure配置也没问题。

你知道为什么索赔没有通过吗？

Answer 1

我改变了：

OIDCPassClaimsAs headers

至：

OIDCPassClaimsAs both

..。它成功了！