We set custom claims in our custom B2C policies.
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
<OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
</OutputClaims>
These claims get automatically added to both the ID and access token. However, we do not want these claims automatically added to the access token, as they have no purpose there and will be flagged as a security concern by our policies, since they contain personal information that is not required when we request and pass the access token.
I cannot find any information in the MS docs on how to remove or hide these claims. The claims in question below are name, given_name, family_name.
{
"iss": "xxx",
"exp": xxx,
"nbf": xxx,
"aud": "xxx",
"tid": "xxx",
"name": "Overflow, Stack",
"idp": "xxx",
"sub": "xxx",
"given_name": "Stack",
"family_name": "Overflow",
"nonce": "xxx",
"scp": "xxx",
"azp": "xxxx",
"ver": "1.0",
"iat": xxx
}
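An added example (not from the question, and not part of the B2C policy tooling) that audits an issued access token for the three claims named above, so a test or CI step can detect when personal data is still being emitted into the access token; the sample token, issuer URL and ids are constructed placeholders.

```python
import base64
import json

# Claims from the question's access token that carry personal data and, by the
# poster's own policy, must not appear in an access token.
PII_CLAIMS = {"name", "given_name", "family_name"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT as a dict.

    The signature is deliberately not verified: this is a content audit of a
    token B2C has already issued, not an access-control decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))

def audit_access_token(token: str) -> list:
    """Names of PII claims present in the access token, sorted for stable output."""
    return sorted(PII_CLAIMS & set(decode_jwt_payload(token)))

def make_sample_token(payload: dict) -> str:
    # Constructed test token with a dummy signature segment; only for feeding the audit.
    header = {"alg": "RS256", "typ": "JWT", "kid": "dummy-kid"}
    return ".".join(_b64url_encode(part) for part in (
        json.dumps(header, separators=(",", ":")).encode(),
        json.dumps(payload, separators=(",", ":")).encode(),
        b"dummy-signature"))

# Same claim names as the access token in the question; all values are constructed.
SAMPLE_ACCESS_TOKEN = make_sample_token({
    "iss": "https://example.b2clogin.com/", "aud": "api://example", "tid": "tenant-id",
    "sub": "user-id", "idp": "local", "name": "Overflow, Stack", "given_name": "Stack",
    "family_name": "Overflow", "scp": "read", "azp": "client-id", "ver": "1.0"})

if __name__ == "__main__":
    print(audit_access_token(SAMPLE_ACCESS_TOKEN))  # prints ['family_name', 'given_name', 'name']
```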