Azure B2c error 'Unable to validate the information provided.' when using custom attributes - azure

I'm trying to add custom attributes to a custom policy. However, it generates the error 'Unable to validate the information provided.'
I followed the documentation in the links below; I have already added the b2c-extensions-app application ID and object ID too.
https://learn.microsoft.com/pt-br/azure/active-directory-b2c/custom-policy-custom-attributes
https://learn.microsoft.com/pt-br/azure/active-directory-b2c/configure-user-input?pivots=b2c-custom-policy
Error log message "Error returned was 400/Request_BadRequest: The following extension properties are not available: extension_f41be....._tipoUsuario."
Part of the code in my TrustFrameworkExtensions file, where it writes and retrieves the information in AD:
<ClaimsProvider>
<DisplayName>Azure Active Directory</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="AAD-Common">
<Metadata>
<!--Insert b2c-extensions-app application ID here, for example: 11111111-1111-1111-1111-111111111111-->
<Item Key="5bfd........"></Item>
<!--Insert b2c-extensions-app application ObjectId here, for example: 22222222-2222-2222-2222-222222222222-->
<Item Key="18bd6......."></Item>
</Metadata>
</TechnicalProfile>
<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
<Metadata>
<Item Key="client_id">f41be......</Item>
<!--Insert b2c-extensions-app application ID here, for example: 11111111-1111-1111-1111-111111111111-->
</Metadata>
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId="extension_tipoUsuario"/>
</PersistedClaims>
</TechnicalProfile>
<!-- Write data during edit profile flow. -->
<TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId="extension_tipoUsuario"/>
</PersistedClaims>
</TechnicalProfile>
<!-- Read data after user authenticates with a local account. -->
<TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="extension_tipoUsuario" />
</OutputClaims>
</TechnicalProfile>
<!-- Read data after user authenticates with a federated account. -->
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="extension_tipoUsuario" />
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>

One of the common root causes of this problem is misconfiguration of the client ID metadata of the B2C extensions app.
Make sure the tutorial here is followed.
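A configuration check for the AAD-Common metadata discussed above, added here as an example (not code from the question, the answer or Microsoft); the policy snippets inside it are constructed and mirror the question's layout:

```python
"""Check the AAD-Common metadata B2C uses to reach the b2c-extensions-app and
derive the Graph name of each extension_* claim it will try to persist.

Added example, not code from the question, the answer or Microsoft. The policy
snippets are constructed; the namespace handling also accepts a real
TrustFrameworkExtensions.xml (tags there carry the cpim namespace)."""
import re
import xml.etree.ElementTree as ET

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
REQUIRED_KEYS = {"ClientId": "application (client) ID of b2c-extensions-app",
                 "ApplicationObjectId": "object ID of b2c-extensions-app"}

# Constructed snippet mirroring the question: the IDs ended up in the Key
# attribute with empty item text, so B2C never learns which app owns the
# extension properties.
BROKEN_POLICY = """<ClaimsProviders>
 <ClaimsProvider>
  <TechnicalProfiles>
   <TechnicalProfile Id="AAD-Common">
    <Metadata>
     <Item Key="11111111-1111-1111-1111-111111111111"></Item>
     <Item Key="22222222-2222-2222-2222-222222222222"></Item>
    </Metadata>
   </TechnicalProfile>
   <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
    <PersistedClaims>
     <PersistedClaim ClaimTypeReferenceId="extension_tipoUsuario"/>
    </PersistedClaims>
   </TechnicalProfile>
  </TechnicalProfiles>
 </ClaimsProvider>
</ClaimsProviders>"""

# The same snippet with the two items written the way the tutorial shows them.
FIXED_POLICY = BROKEN_POLICY.replace(
    '<Item Key="11111111-1111-1111-1111-111111111111"></Item>',
    '<Item Key="ClientId">11111111-1111-1111-1111-111111111111</Item>').replace(
    '<Item Key="22222222-2222-2222-2222-222222222222"></Item>',
    '<Item Key="ApplicationObjectId">22222222-2222-2222-2222-222222222222</Item>')


def _local(tag):
    """Tag name without the XML namespace prefix ('{ns}Item' -> 'Item')."""
    return tag.rsplit("}", 1)[-1]


def aad_common_metadata(policy_xml):
    """Return {Key: text} for the Metadata items of the AAD-Common profile."""
    root = ET.fromstring(policy_xml)
    for tp in root.iter():
        if _local(tp.tag) == "TechnicalProfile" and tp.get("Id") == "AAD-Common":
            return {item.get("Key"): (item.text or "").strip()
                    for item in tp.iter() if _local(item.tag) == "Item"}
    return {}


def check_extensions_app(policy_xml):
    """List configuration problems that make Graph reject extension_* writes."""
    meta = aad_common_metadata(policy_xml)
    problems = []
    for key, label in REQUIRED_KEYS.items():
        if key not in meta:
            problems.append(f'AAD-Common lacks <Item Key="{key}"> ({label})')
        elif not GUID_RE.match(meta[key]):
            problems.append(f"{key} value {meta[key]!r} is not a GUID")
    for key in meta:
        if GUID_RE.match(key or ""):
            problems.append(f"GUID {key} is used as a Key; it belongs in the Item text")
    return problems


def graph_extension_names(policy_xml):
    """Map each extension_* PersistedClaim to the Graph property B2C writes,
    extension_<client ID without hyphens>_<attribute> (the form seen in the
    question's 400 error). Empty when ClientId is unknown."""
    app_id = aad_common_metadata(policy_xml).get("ClientId", "").replace("-", "")
    names = {}
    if not app_id:
        return names
    for el in ET.fromstring(policy_xml).iter():
        claim = el.get("ClaimTypeReferenceId", "")
        if _local(el.tag) == "PersistedClaim" and claim.startswith("extension_"):
            names[claim] = f"extension_{app_id}_{claim[len('extension_'):]}"
    return names
```

Run `check_extensions_app` over your own extensions file before uploading it; the broken snippet reports four problems and the fixed one none.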

Related

Sending a SAML LogoutRequest with SessionIndex from Azure AD B2C

We have a simple B2C user journey where the user authenticates via a 3rd party SAML Identity Provider and then does an api call to an external system based on the attributes received from the IdP. After completing the user journey the user should be logged out from the IdP. The IdP instructs that this should be done by sending a SAML LogoutRequest which includes the service provider EntityID and IssueInstant (timestamp), as well as the NameID and SessionIndex from the SAML Response. The IdP then returns a LogoutResponse.
The IdP metadata also includes a SingleLogoutService url with bindings for HTTP-POST and HTTP-Redirect.
How can we send the LogoutRequest from B2C to the IdP? The preferable way would be to launch the LogoutRequest directly from the B2C user journey. If this is not possible, we can also send the LogoutRequest from our application. To achieve this, B2C should be able to collect the SessionIndex as a claim from the SAML Response.
However, according to the B2C documentation, only attributes from the AttributeStatement of the SAML Response can be collected as output claims. The SessionIndex is included in the AuthnStatement of the SAML Response:
<saml2:AuthnStatement AuthnInstant="2023-02-14T14:40:02.726Z" SessionIndex="_5fb496b49e1b00b902e63ed857c4fdea">
My SAML IdP technical profile and session management profile are as follows:
<TechnicalProfile Id="SAML2-IdP">
<DisplayName>SAML IdP</DisplayName>
<Description>SAML IdP</Description>
<Protocol Name="SAML2"/>
<Metadata>
<Item Key="PartnerEntity">https://.../metadata.xml</Item>
<Item Key="WantsSignedRequests">true</Item>
<Item Key="XmlSignatureAlgorithm">Sha256</Item>
<Item Key="WantsEncryptedAssertions">true</Item>
<Item Key="ResponsesSigned">false</Item>
<Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
<Item Key="SingleLogoutEnabled">true</Item>
</Metadata>
<CryptographicKeys>
<Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSecret"/>
<Key Id="SamlAssertionDecryption" StorageReferenceId="B2C_1A_SAMLSecret"/>
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="userId" PartnerClaimType="userId" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
...
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp"/>
</TechnicalProfile>
<ClaimsProvider>
<DisplayName>Session Management</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="SM-Saml-idp">
<DisplayName>Session Management Provider</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="IncludeSessionIndex">false</Item>
<Item Key="RegisterServiceProviders">false</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
I have also tried setting IncludeSessionIndex and RegisterServiceProviders to “true” but this didn't seem to change anything.
Is there a way to extract the SessionIndex in order to build the payload for SAML LogoutRequest or even better, can we somehow trigger B2C to always launch the LogoutRequest at the end of the journey, based on the data it received from the SAML Payload, and the IdP metadata?

Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C

I have been following the tutorial
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant?pivots=b2c-user-flow
I have a button showing up and it looks like it works, but when I log in with a work account I get:
Selected user account does not exist in tenant 'Default Directory' and cannot access the application '' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
It seems to work with a gmail account but not another tenant's account.
My question is: how do I get it to work with another tenant's account?
Here are my 3 custom xml files
https://easyupload.io/m/w0gxlj
I tried to reproduce the same in my environment and got the same error as below:
To resolve the error, please try the below:
I created an Azure AD Application and configured redirect URI:
Now, I created a Policy Key like below:
To configure Azure AD as Identity Provider, I added the ClaimsProvider in the TrustFrameworkExtensions.xml file like below:
<ClaimsProvider>
<Domain>testaadb2c01</Domain>
<DisplayName>Common AAD</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="AADCommon-OpenIdConnect">
<DisplayName>Common AAD</DisplayName>
<Description>Login with your Contoso account</Description>
<Protocol Name="OpenIdConnect"/>
<Metadata>
<Item Key="METADATA">https://login.microsoftonline.com/testaadb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration</Item>
<!-- Update the Client ID below to the Application ID -->
<Item Key="client_id">CLIENTID</Item>
<Item Key="response_types">id_token</Item>
<Item Key="scope">openid profile</Item>
<Item Key="response_mode">form_post</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_AADAppSecret"/>
</CryptographicKeys>
<OutputClaims>
------
</OutputClaims>
<OutputClaimsTransformations>
------
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Azure Active Directory</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="AAD-Common">
<DisplayName>Azure Active Directory</DisplayName>
<Metadata>
<Item Key="ApplicationObjectId">OBJECTID</Item>
<Item Key="ClientId">CLIENTID</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Local Account SignIn</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="login-NonInteractive">
<Metadata>
<Item Key="client_id">CLIENTID</Item>
<Item Key="IdTokenAudience">AUDIENCE</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="client_id" DefaultValue="XXXXXX"/>
<InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="XXXXXX"/>
</InputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
When I run the custom Policy, I got the login screen successfully like below:
When I tried to login with AzureAD User account, I am able to sign-in successfully like below:

Azure AD B2C Custom policy SignUp & SignIn with MFA and with force password after 90 days

I am trying to integrate this policy to my policy:
https://github.com/azure-ad-b2c/samples/blob/master/policies/force-password-reset-after-90-days/readme.md
[screenshot: extension_passwordResetOn custom user attribute]
I created the required custom user attribute.
Next, I edited the extensions file and the file for signin by changing the user journey.
Note that client id and object id are deliberately set to "test" to paste the code here.
I expect that when I register a new user it will set the date to 0 and after 90 days it will ask me for a change.
At the moment, if I try to make a registration, when I try to submit the form with the data I get a message saying "An invalid value was presented for a property".
[screenshot: An invalid value was presented for a property]
I share relying party file: https://easyupload.io/a4tclj
This is my extension file:
'''
<BasePolicy>
<TenantId>b2c.onmicrosoft.com</TenantId>
<PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>
</BasePolicy>
<!-- <BuildingBlocks>
<ClaimsSchema>
</ClaimsSchema>
</BuildingBlocks> -->
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>Facebook</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="Facebook-OAUTH">
<Metadata>
<Item Key="client_id">facebook_clientid</Item>
<Item Key="scope">email public_profile</Item>
<Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Token Issuer</DisplayName>
<TechnicalProfiles>
<!-- SAML Token Issuer technical profile -->
<TechnicalProfile Id="Saml2AssertionIssuer">
<DisplayName>Token Issuer</DisplayName>
<Protocol Name="SAML2" />
<OutputTokenFormat>SAML2</OutputTokenFormat>
<CryptographicKeys>
<Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SAML" />
<Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAML" />
</CryptographicKeys>
<InputClaims />
<OutputClaims />
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
</TechnicalProfile>
<!-- Session management technical profile for SAML-based tokens -->
<TechnicalProfile Id="SM-Saml-issuer">
<DisplayName>Session Management Provider</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Local Account SignIn</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="login-NonInteractive">
<Metadata>
<!-- ProxyIdentityExperienceFrameworkAppId -->
<Item Key="client_id">1257aca9-6111-abcs-adca-d740612012fa</Item>
<!-- IdentityExperienceFrameworkAppId -->
<Item Key="IdTokenAudience">10f6e761-c111-dadd-acv0-affb3875cdaf</Item>
</Metadata>
<InputClaims>
<!-- ProxyIdentityExperienceFrameworkAppId -->
<InputClaim ClaimTypeReferenceId="client_id" DefaultValue="1257aca9-6111-abcs-adca-d740612012fa" />
<!-- IdentityExperienceFrameworkAppId -->
<InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="10f6e761-c111-dadd-acv0-affb3875cdaf" />
</InputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Local Account</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId">
<UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Azure Active Directory</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="AAD-Common">
<Metadata>
<!--Insert b2c-extensions-app application ID here, for example: 11111111-1111-1111-1111-111111111111-->
<Item Key="ClientId">83axdc56-1aaa-4bbb-a666-4589cbb7a212</Item>
<!--Insert b2c-extensions-app application ObjectId here, for example: 22222222-2222-2222-2222-222222222222-->
<Item Key="ApplicationObjectId">8d93c18a-d111-4fff-8aaa-43ebedadd5b1</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<!--UserJourneys>
</UserJourneys-->
'''
This is what I see with Fiddler:
[Fiddler capture]
#denisdm91 As I am not able to see the files, I think you might have found the issue. If not, FYI, the custom attribute you have created in the portal is of type Boolean, but in the policy the same is of "datetime" datatype. You need to delete the same from the portal.

Multi-tenant Azure AD in Azure AD B2C

I was following the answer here: Multi-Tenant Azure AD Auth in Azure AD B2C with Custom Policies
And the walkthrough here: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/0129fc013ae5e66a3ee0046a5d0db2e8120d8f8e/Walkthroughs/IdP-AzureAD.md
But I wasn't able to log in; the error message is something along the lines of:
AADB2C: An exception has occured. Correlation ID: <GUID>. Timestamp: <Time>
Furthermore, when viewing the walkthrough in latest master, the whole page has been removed and now only contains the link to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom, which does not show how to configure ClaimsProvider for multi-tenant Azure AD IDP.
The error message was not super helpful, and I'm getting lost.
My technical profile is as follows:
<ClaimsProvider>
<Domain>AzureAD</Domain>
<DisplayName>Login using Azure AD</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="AzureADProfile">
<DisplayName>Azure AD</DisplayName>
<Description>Login with your Azure AD account</Description>
<Protocol Name="OpenIdConnect"/>
<OutputTokenFormat>JWT</OutputTokenFormat>
<Metadata>
<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
<Item Key="authorization_endpoint">https://login.windows.net/common/oauth2/v2.0/authorize</Item>
<Item Key="client_id">MyAzureADB2CAppId</Item>
<Item Key="IdTokenAudience">MyAzureADB2CAppId</Item>
<Item Key="response_types">id_token</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="scope">openid</Item>
<Item Key="HttpBinding">POST</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_B2CSecret"/>
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid"/>
<OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
<OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="azureADAuthentication" />
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AzureAD" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
EDIT: After introducing User Journey Recorder as per spottedhahn's suggestion, I've managed to get the real error:
The response received from the ClaimsProvider using TechnicalProfile "<My_Azure_AD_Common_Profile>" in policy "<My_RP_Policy>" of tenant "<My_B2C_Tenant>" did not contain an "id_token".
The question is: Is linking multi-tenant Azure AD to Azure AD B2C still supported, and how can I configure to make that work?
When federating Azure AD B2C with Azure AD's common endpoint, you can integrate with either:
The v1.0 endpoint: https://login.microsoftonline.com/common/oauth2/authorize
The v2.0 endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
v1.0 endpoint
To integrate Azure AD B2C with the v1.0 endpoint, you must register Azure AD B2C through the Azure portal with your Azure AD tenant:
1. Sign in to the Azure portal.
2. In the top bar, select your Azure AD directory.
3. In the left bar, select All services and find "App registrations".
4. Select New application registration.
5. In Name, enter an application name, such as "Azure AD B2C".
6. In Application type, select Web app / API.
7. In Sign-on URL, enter https://login.microsoftonline.com/te/<tenant>/oauth2/authresp, where you replace <tenant> with the name of your Azure AD B2C tenant (such as "contosob2c.onmicrosoft.com").
8. Select Create.
9. Copy Application ID for later.
10. Select Settings and then select Keys.
11. In the Passwords section, enter a password description, select a password duration, select Save, and then copy the password value for later.
You must then create a policy key (e.g. "AzureADClientSecret") through the Azure AD B2C portal with the application secret from step 11.
You must then update the Azure AD technical profile with the following settings:
<TechnicalProfile Id="AzureADAccountProfile">
<DisplayName>Log in with your work account</DisplayName>
<Protocol Name="OpenIdConnect"/>
<OutputTokenFormat>JWT</OutputTokenFormat>
<Metadata>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/authorize</Item>
<Item Key="client_id"><!-- Enter the application ID from step 9 --></Item>
<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="IdTokenAudience"><!-- Enter the application ID from step 9 --></Item>
<Item Key="response_types">id_token</Item>
<Item Key="scope">openid</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_AzureADClientSecret"/>
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="enterpriseAuthentication" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="tid" />
<OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid" />
...
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
v2.0 endpoint
To integrate Azure AD B2C with the v2.0 endpoint, you must register Azure AD B2C through the Application Registration portal with your Azure AD tenant:
1. Sign in to the Application Registration portal.
2. Select Add an app.
3. In Application Name, enter an application name, such as "Azure AD B2C", and then select Create.
4. Copy Application Id for later.
5. In the Application Secrets section, select Generate new password and then copy the password value for later.
6. In the Platforms section, select Add Platform, select Web, and then enter a Redirect URL as https://login.microsoftonline.com/te/<tenant>/oauth2/authresp, where you replace <tenant> with the name of your Azure AD B2C tenant (such as "contosob2c.onmicrosoft.com").
7. In the bottom bar, select Save.
You must then create a policy key (e.g. "AzureADClientSecret") through the Azure AD B2C portal with the application secret from step 5.
You must then update the Azure AD technical profile with the following settings:
<TechnicalProfile Id="AzureADAccountProfile">
<DisplayName>Log in with your work account</DisplayName>
<Protocol Name="OpenIdConnect"/>
<OutputTokenFormat>JWT</OutputTokenFormat>
<Metadata>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</Item>
<Item Key="client_id"><!-- Enter the application ID from step 4 --></Item>
<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="IdTokenAudience"><!-- Enter the application ID from step 4 --></Item>
<Item Key="response_types">id_token</Item>
<Item Key="scope">openid profile</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_AzureADClientSecret"/>
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="enterpriseAuthentication" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="tid" />
<OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid" />
...
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
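The issuer and audience checks that the two multi-tenant profiles above (and the "Set up sign-in for multi-tenant Azure Active Directory" post earlier on this page) rely on, reproduced in plain Python as an added example; this is not Microsoft's code, the claim sets are constructed, and signature verification is assumed to have already happened with the keys that DiscoverMetadataByTokenIssuer locates from the iss claim:

```python
"""Issuer/audience validation behind the v1.0 profile (ValidTokenIssuerPrefixes
https://sts.windows.net/) and the v2.0 profile (https://login.microsoftonline.com/)
from the answer above. Added example, not Microsoft's code; the id_token
payloads are constructed and unsigned."""
import re
import time

APP_ID = "11111111-1111-1111-1111-111111111111"  # constructed client_id / IdTokenAudience
PROFILES = {  # the two Metadata variants from the answer
    "v1": {"ValidTokenIssuerPrefixes": "https://sts.windows.net/",
           "IdTokenAudience": APP_ID},
    "v2": {"ValidTokenIssuerPrefixes": "https://login.microsoftonline.com/",
           "IdTokenAudience": APP_ID},
}
TID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
NOW = 1_700_000_000  # fixed clock so the constructed tokens are reproducible

# Constructed id_token payloads. Azure AD v1.0 tokens carry
# iss=https://sts.windows.net/<tid>/ and v2.0 tokens carry
# iss=https://login.microsoftonline.com/<tid>/v2.0, which is why each
# profile needs the matching ValidTokenIssuerPrefixes value.
CONTOSO_TID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
V1_TOKEN = {"iss": f"https://sts.windows.net/{CONTOSO_TID}/", "tid": CONTOSO_TID,
            "aud": APP_ID, "oid": "user-1", "exp": NOW + 3600}
V2_TOKEN = {"iss": f"https://login.microsoftonline.com/{CONTOSO_TID}/v2.0",
            "tid": CONTOSO_TID, "aud": APP_ID, "oid": "user-1", "exp": NOW + 3600}


def validate_id_token(claims, profile, now=None, allowed_tenants=None):
    """Return (ok, reason).

    Mirrors what the profile settings enforce: iss must start with
    ValidTokenIssuerPrefixes and must embed the tid claim (so a token cannot
    name one tenant in iss and another in tid), aud must equal IdTokenAudience
    and the token must be unexpired. allowed_tenants is the application's own
    allow-list: the prefix check alone admits every Azure AD tenant, which is
    what 'multi-tenant' means, so an app that should only accept a few home
    tenants has to add that restriction itself (for example on the tenantId
    claim the profiles above map from tid)."""
    meta = PROFILES[profile]
    now = time.time() if now is None else now
    iss, tid = claims.get("iss", ""), claims.get("tid", "")
    if not iss.startswith(meta["ValidTokenIssuerPrefixes"]):
        return False, f"issuer {iss!r} is not under {meta['ValidTokenIssuerPrefixes']}"
    if not TID_RE.match(tid) or f"/{tid}/" not in iss:
        return False, "tid claim missing or does not match the issuer"
    if claims.get("aud") != meta["IdTokenAudience"]:
        return False, "audience does not match IdTokenAudience"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if allowed_tenants is not None and tid not in allowed_tenants:
        return False, f"tenant {tid} is not on the allow-list"
    return True, "ok"
```

A v2.0 token presented to the v1.0 profile (or the reverse) fails on the issuer prefix alone, which is the first thing to compare when a common-endpoint federation rejects a work account.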

How to get claims from OpenID Connect provider in Azure AD B2C

I am having some issues getting claims from an OpenID Connect provider with an Azure AD B2C custom policy.
My OIDC provider does not return any claims in the id_token; it has a separate endpoint for claims called userInfo_endpoint, where you send a GET request with Bearer authentication and the access_token to get the user claims in JSON format. I understand this is pretty standard OIDC functionality.
Most examples I see use the ClaimsEndpoint to get claims and it seems to me the claims are added to the user as part of the signin_signup user journey.
Everything up to this point works as expected, testClaim is returned from b2c as part of the id_token, but no other claims are set. I have Application Insights set up for the policy, but the endpoint /userinfo is never called by B2C, and I see no trace of it in the logs. Are OIDC /userinfo endpoints even supported?
Below is my claims provider section.
<ClaimsProvider>
<DisplayName>Provider</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="provider-oidc">
<DisplayName>Providerprofile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputTokenFormat>JWT</OutputTokenFormat>
<Metadata>
<Item Key="client_id">preprod-provider</Item>
<Item Key="scope">openid profile</Item>
<Item Key="response_types">code</Item>
<Item Key="METADATA">https://preprod.provider.com/oidc/.well-known/openid-configuration</Item>
<Item Key="ProviderName">https://preprod.provider.com/oidc</Item>
<Item Key="state">123abc</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="UsePolicyInRedirectUri">true</Item>
<Item Key="authorization_endpoint">https://preprod.provider.com/oidc/authorize</Item>
<Item Key="token_endpoint">https://preprod.provider.com/oidc/token</Item>
<Item Key="ClaimsEndpoint">https://preprod.provider.com/oidc/userinfo</Item>
<Item Key="ClaimsEndpointAccessTokenName">oauth2_access_token</Item>
<Item Key="ClaimsResponseFormat">json</Item>
<!--Item Key="userinfo_endpoint">https://preprod.provider.com/oidc/userinfo</Item-->
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_ProviderClientSecret" />
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="providerAuthentication" />
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="provider" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
<OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
<OutputClaim ClaimTypeReferenceId="testClaim" DefaultValue="testValue" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
</OutputClaimsTransformations>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
Azure AD B2C does not support the userinfo_endpoint. You can request this feature in the Azure AD B2C feedback forum.
There are two workarounds for this:
At the application level - add code that, after obtaining the id_token, calls out to this userinfo_endpoint to obtain those extra claims and add them to the token for the rest of the application to leverage
At the B2C custom policy level - add a callout to a REST API to retrieve the extra claims and add them to the token. Note that you won't be able to call the userinfo_endpoint directly; rather, you'll need to write an in-between service that transforms the REST call from B2C (which doesn't yet support sending an Authorization: Bearer X header) into a call to your userinfo_endpoint or to the underlying user store with the extra claims.
While the OpenIdConnect Technical Profile doesn't seem to support a userinfo endpoint, you should be able to use the OAuth2 Technical Profile together with the ClaimsEndpoint to get claims from the userinfo endpoint.
The user_info endpoint is now supported in ADB2C. Please see https://learn.microsoft.com/en-us/azure/active-directory-b2c/userinfo-endpoint?pivots=b2c-custom-policy for more information.
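The shape of the "in-between service" described in the second workaround above, added here as an example (not code from the question, the answers or Microsoft). It assumes the policy maps the provider's access token and the id_token subject into input claims named `accessToken` and `sub`, uses the version/status/userMessage error body that B2C's REST technical profile expects, and injects the HTTP call so the sample runs offline against a constructed userinfo reply:

```python
"""In-between service: B2C's REST technical profile posts its input claims as
JSON, this service calls the provider's userinfo_endpoint with the access
token in an Authorization: Bearer header, checks the result and returns only
the claims B2C should carry in its token.

Added example, not code from the question, the answers or Microsoft. The
input claim names 'accessToken' and 'sub' are assumed; the userinfo reply and
the userinfo URL below are constructed."""
import json

PASS_THROUGH = {"given_name", "family_name", "name", "email"}  # never forward everything


def _error(status, message):
    """Error body in the version/status/userMessage form B2C expects."""
    return status, {"version": "1.0.0", "status": status, "userMessage": message}


def fetch_userinfo_stub(url, access_token):
    """Constructed stand-in for 'GET <url>' with 'Authorization: Bearer <token>'."""
    if access_token != "at-123":
        return 401, {}
    return 200, {"sub": "user-42", "given_name": "Ada", "family_name": "Lovelace",
                 "email": "ada@example.test", "is_admin": True}


def bridge(b2c_body, userinfo_url, fetch=fetch_userinfo_stub):
    """Handle one B2C REST call; returns (http_status, json_body)."""
    try:
        body = json.loads(b2c_body)
    except json.JSONDecodeError:
        return _error(400, "request body is not JSON")
    token, expected_sub = body.get("accessToken"), body.get("sub")
    if not token or not expected_sub:
        return _error(400, "accessToken and sub input claims are required")
    status, info = fetch(userinfo_url, token)
    if status != 200:
        return _error(409, "userinfo call failed")
    # OpenID Connect Core 5.3.2: the userinfo sub MUST be verified to match the
    # id_token sub; otherwise claims for a different user could be attached.
    if info.get("sub") != expected_sub:
        return _error(409, "userinfo subject does not match the id_token subject")
    claims = {k: v for k, v in info.items() if k in PASS_THROUGH}
    return 200, claims
```

Only allow-listed claims come back to B2C; provider-side flags such as `is_admin` are dropped rather than becoming token claims by accident.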
