Azure AD B2C - Refresh_Token refresh claims via REST (Identity Experience Framework)
We have Azure AD B2C setup to use Identity Experience Framework, and on sign-in/sign-up a REST call is made to get extra security credential claims via an Azure Function. This works fine.

When we request an Access/Id Token via Refresh_Token via Azure AD B2C it looks like we get the same token back, and it doesn't call the REST API to get the latest updated token claims. Is it possible to change this User Journey so it does?

Is there another solution to refresh token without logging in again to get latest updates?

(We could get around this in code and not using the Token, but for various reasons we want to explore this first).

Espousal answered 29/3, 2018 at 6:24 Comment(0)

You can declare a refresh token user journey, which calls your REST API, as follows:

<UserJourney Id="TokenRefresh">
  <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="RefreshTokenExchange" TechnicalProfileReferenceId="TpEngine_RefreshToken" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- TODO: Add an orchestration step that calls the REST API. -->
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>

The initial orchestration step invokes the TpEngine_RefreshToken technical profile that reads the objectId claim from the current refresh token:

<ClaimsProvider>
  <DisplayName>Trustframework Policy Engine Technical Profiles</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13">
      <DisplayName>Trustframework Policy Engine Default Technical Profile</DisplayName>
      <Protocol Name="None" />
      <Metadata>
        <Item Key="url">{service:te}</Item>
      </Metadata>
    </TechnicalProfile>
    <TechnicalProfile Id="TpEngine_RefreshToken">
      <DisplayName>Trustframework Policy Engine Refresh Token Technical Profile</DisplayName>
      <Protocol Name="None" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

The second orchestration step invokes the AAD-UserReadUsingObjectId technical profile that reads claims from the Azure AD B2C directory for the signed-in user by the objectId claim.

Another orchestration step can call your REST API.

The final orchestration step issues new tokens.

You must reference the TokenRefresh user journey using the RefreshTokenUserJourneyId metadata item with the JwtIssuer technical profile so that tokens that are issued by this technical profile are refreshed by this user journey:

<ClaimsProvider>
  <DisplayName>Token Issuer</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="JwtIssuer">
      <DisplayName>JWT Issuer</DisplayName>
      <Protocol Name="None" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="client_id">{service:te}</Item>
        <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
        <Item Key="RefreshTokenUserJourneyId">TokenRefresh</Item>
        <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
Letitialetizia answered 1/4, 2018 at 23:16 Comment(13)
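As an added example (not code from the original answer), this is one way to fill the TODO orchestration step with a RESTful technical profile that calls the Azure Function on every token refresh. In the refresh journey only the objectId claim (from step 1) and the directory claims (from step 2) are available as input, so the REST call must look the user up by objectId. The ServiceUrl, the B2C_1A_RestApi* key containers and the extension_securityRole claim are assumptions; the SendClaims step is renumbered to 4 because the REST call takes step 3.

```xml
<!-- Added example: REST technical profile for the refresh journey (assumed names) -->
<ClaimsProvider>
  <DisplayName>REST APIs</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-GetSecurityClaims">
      <DisplayName>Get extra security claims from Azure Function</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- Assumed endpoint; must be HTTPS -->
        <Item Key="ServiceUrl">https://example-function.azurewebsites.net/api/claims</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <!-- Basic auth from policy keys; never set AllowInsecureAuthInProduction to true -->
        <Item Key="AuthenticationType">Basic</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_RestApiUsername" />
        <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_RestApiPassword" />
      </CryptographicKeys>
      <InputClaims>
        <!-- objectId is the only user identity claim the refresh journey starts with -->
        <InputClaim ClaimTypeReferenceId="objectId" />
      </InputClaims>
      <OutputClaims>
        <!-- Assumed claim returned by the function; must also be declared in ClaimsSchema -->
        <OutputClaim ClaimTypeReferenceId="extension_securityRole" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- Replaces the TODO comment and the original step 3 inside TokenRefresh -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="RESTGetSecurityClaims" TechnicalProfileReferenceId="REST-GetSecurityClaims" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
```

The refreshed claim only reaches the new tokens if the relying party policy also lists extension_securityRole among its OutputClaims.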
Thanks for the detailed answer Chris. When trying this though we get this error: { "error": "invalid_grant", "error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: 76b2e073-0015-4f63-9ef1-ae004822c59b\r\nTimestamp: 2018-04-03 04:26:23Z\r\n" } I am not sure how to debug this - I tried removing our ClaimsExchange REST call and it didn't work either (although it hadn't been called in any case)Espousal
I will attempt to reproduce that.Letitialetizia
@ChrisPadgett did you manage to reproduce this? I'm also looking to refresh the claims returned in my refresh token.Athiste
@tank104, my answer here might be relevant. In short: while using authorization code flow I received error AADB2C90085 because my TokenSigningKeyContainer / TokenEncryptionKeyContainer were incorrectly generated.Docket
@Docket I am also getting the same error, but my keys are correctly generated as per the b2c documentation you linked to in your post.Athiste
@ChrisPadgett did you manage to reproduce this? I've just revisited it and am still getting the same error. I'd love some documentation around this!Athiste
Hi @Chrift: No, I haven't been able to reproduce this, sorry. If you enable logging then the error logs might be sent to Application Insights. I haven't attempted this with the token refresh journey but it might help to assist with the error troubleshooting.Letitialetizia
I am fortunate enough to be working at a place that has elevated microsoft support at the moment, so I opened a ticket for this and was told, after guiding the ms support guy through our policy files, that the steps outlined above weren't actually supported yet and they were part of something that wasn't even in preview yet. Is this your understanding?Athiste
Hi @Athiste That is my current understanding as well.Letitialetizia
Hi @Athiste Note that the token refresh journey is documented in the Configure the resource owner password credentials flow in Azure Active Directory B2C using a custom policy article so you may wish to revisit this.Letitialetizia
@ChrisPadgett I just wanted to check back with you if there is a solution for this now?Espousal
There is a sample now in the official docs on how to handle refresh tokens: github.com/Azure-Samples/…Sielen
I tried to use that refresh token journey, but I get the same invalid_grant error. I created a post #77319358Infeld