How to extract info from nested external idp access token in a custom policy?


I have a custom policy which produces a B2C token with a nested idp_access_token. I want my B2C token to include an email claim. I have the email (unique_name/sub claims) in the nested idp_access_token. So, is it possible to have some kind of ClaimTransformation to extract the necessary data from the idp_access_token claim?


Update: inside the external token I have the claim "unique_name". I have the following claims configuration:

For the Technical Profile which describes the OAuth interaction:

 <Protocol Name="OAuth2"/>
 <OutputTokenFormat>JWT</OutputTokenFormat>
 <Metadata>..............</Metadata>
 <CryptographicKeys>...</CryptographicKeys>
 <InputClaims>...</InputClaims>
 <OutputClaims>
     .........
     <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name"/>
     <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}"/>
 </OutputClaims>

For RelyingParty:

 <RelyingParty>
     <DefaultUserJourney ReferenceId="SignIn" />
     <TechnicalProfile Id="PolicyProfile">
         <DisplayName>PolicyProfile</DisplayName>
         <Protocol Name="OpenIdConnect" />
         <OutputClaims>
             ....
             <OutputClaim ClaimTypeReferenceId="email" />
             <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token"/>
         </OutputClaims>
     </TechnicalProfile>
 </RelyingParty>

I see that the claim settings work for idp_access_token, but not for email.

(Screenshot: external IDP token idp_access_token)

Update

If I add a default value, then I see it in the B2C token in the response:

 <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" DefaultValue="[email protected]" />

Anton Putau On BEST ANSWER

I did a call to the claims endpoint https://graph.microsoft.com/v1.0/me and noticed that the email claim is available as mail.

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
    "businessPhones": [],
    "displayName": "....",
    "givenName": "...",
    "jobTitle": "..",
    "mail": "..",
    "mobilePhone": null,
    "officeLocation": "..",
    "preferredLanguage": null,
    "surname": "..",
    "userPrincipalName": "..",
    "id": "...."
}
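As an added diagnostic (not part of the answer above or of any B2C tooling), the helper below compares the claim names inside a nested idp_access_token with the keys returned by the claims endpoint and picks a usable PartnerClaimType. It assumes, as the answer implies, that the OAuth2 technical profile resolves PartnerClaimType against the ClaimsEndpoint JSON (Graph /me here) rather than against the access token itself; the token and Graph response are constructed samples.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(payload: dict) -> str:
    """Constructed JWT with a placeholder signature, used only as sample input."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.placeholder-signature"


def jwt_claim_names(token: str) -> set:
    """Claim names present in a JWT payload. No signature check: this is a
    configuration diagnostic, so the payload is never treated as trusted data."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS with 3 dot-separated segments")
    return set(json.loads(_b64url_decode(parts[1])))


def diagnose(token: str, claims_endpoint_json: dict, candidates: list) -> dict:
    """Assumption: PartnerClaimType is mapped against the ClaimsEndpoint response,
    so a name present only in the access token leaves the output claim empty.
    Null/empty values (e.g. Graph returning "mail": null) are skipped so the
    caller can fall back to the next candidate (e.g. userPrincipalName)."""
    in_token = jwt_claim_names(token)
    usable = [c for c in candidates if claims_endpoint_json.get(c)]
    token_only = [c for c in candidates if c in in_token and c not in usable]
    return {"token_only": token_only,
            "partner_claim_type": usable[0] if usable else None}


# Constructed sample data: not a real token, user or tenant.
SAMPLE_TOKEN = build_sample_token(
    {"unique_name": "user@example.com", "sub": "abc123", "aud": "graph"})
SAMPLE_CLAIMS = {"mail": "user@example.com", "userPrincipalName": "user@example.com",
                 "id": "0000", "preferredLanguage": None}

if __name__ == "__main__":
    print(diagnose(SAMPLE_TOKEN, SAMPLE_CLAIMS,
                   ["unique_name", "mail", "userPrincipalName"]))
```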
rbrayb On

I presume you are logging into an external IDP?

In which case, you could get the email attribute via the IDP mapping in the IDP ClaimsProviders element.