Add claims into token Azure B2C
What are ways to include custom claims (a user's subscriptions or roles list, for example) in a token before issuing it in Azure AD B2C, provided that the claims are stored somewhere on our own server (not available in B2C)? The goal is to have the claims in the token to avoid an additional round trip to the storage on every request.

Investigation on the topic brought me to following ways:

  1. Add a custom attribute via the Graph API and configure it to be included in the JWT. Attribute values should be kept in sync with our data storage.

  2. Custom Sign-In Policy like in this article https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-step-custom but, if I got it right, the additional Step 6 is a user journey to a publicly available API in a non-restricted way (the request is not secured by a secret and might be used to get user claims by presenting a UserId)?

  3. IdentityServer4 Federation gateway http://docs.identityserver.io/en/release/topics/federation_gateway.html that will allow to add any claims before issuing.

Levity answered 31/8, 2017 at 13:18 Comment(4)
Yes, you can add claims into the Azure AD B2C token with any of the ways you outlined. Is there some other underlying question here?Jackson
@Jackson thank you for your response. I was interested whether there is another, maybe standard or preferred, way to add custom claims to the issued token that I didn't notice? Option 2 looks like a good, straightforward way, but here I'm worried whether the call to /api/LookUpLoyaltyWebHook?code=MQu...w== in step 6 is B2C to API (server to server) or client (browser) to API?Levity
That call is made by the Azure AD B2C service, not by the user's browser, so server-to-server. Your Azure function code won't be leaked to the end user.Jackson
Hi @Levity & @saca Could you please help me in adding claims like groups into the ADB2C token. I have tried the second step but it seems like it is not working for me. Any help in this regard would be really appreciated.Barbra
The first two mechanisms you outlined are the most common and recommended ways to include custom claims in an Azure AD B2C issued token:

  1. Add a custom attribute and include it in the JWT. You can enable the custom attribute via the B2C UI or via the Graph API. You'd need to build your own mechanism to keep the value of this attribute in B2C in sync with your external source via the Graph API.

  2. You can use a custom policy to add a step in your authentication flow to call a REST API to obtain the claim and include it in the token. This call to the REST API will be performed by the Azure AD B2C service and NOT the user's browser, so it'll be a service-to-service call (versus a client-to-service call), keeping any secrets you use for authentication with your REST API safe (such as an Azure function code).

Jackson answered 10/9, 2017 at 20:45 Comment(1)
As I understand it, if I want to go with option 1, I have to include this custom attribute in one of the user flows? I have a pretty similar case as the author of this thread, but I do not want to expose custom attributes in the Sign-In and Sign-Up pages. I'd like to have custom fields managed by another service (I already did it with the Graph API) and I want to include them in the JWT token.Survive
Another option is now available for built-in user flows.

Built-in User Flows

API connectors are now available in Azure AD B2C. This allows retrieving additional data from an API and including it in the JWT sent to the application. In this case, Before sending the token (preview) would be the API connector type to use.

Custom Policies

Add an orchestration step in your user journey to call a REST API to obtain the claim(s) and include them in the token.

This call to the REST API will be performed by the Azure AD B2C service and NOT the user's browser, so it'll be a service-to-service call (versus a client-to-service call), keeping any secrets you use for authentication with your REST API safe (such as an Azure function code).

Updated documentation on how to implement this is available on the API Connectors for custom policies documentation.

Available in both

Add a custom attribute and include it in the JWT. You can add the custom attribute via the B2C UI or via the Graph API.

You'd need to build your own mechanism to keep the value of this attribute in B2C in sync with your external source via the Graph API.

Note: Adding custom attributes via the Graph API results in a bug where the attribute is not shown in the User Attributes blade.


This answer builds on the information previously provided by saca in their answer.

Unclog answered 23/12, 2023 at 12:48 Comment(0)
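To make the "Before sending the token" exchange concrete, here is a minimal API connector endpoint in Python. It is an added illustration, not code from this thread, from Microsoft or from any project: B2C POSTs the user's attributes (objectId, email, ...) to it, the endpoint checks the Basic credentials configured on the connector, looks the user up in a store and answers in the connector's `version`/`action` JSON shape with the claims to add. The credentials, the in-memory store and the `extension_plan`/`extension_roles` claim names are assumptions.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical Basic-auth credentials configured on the B2C API connector;
# load them from a secret store in real deployments.
CONNECTOR_USER = "b2c-connector"
CONNECTOR_PASSWORD = "replace-with-long-random-secret"

# Constructed stand-in for the claims kept on "our own server", keyed by B2C objectId.
SUBSCRIPTIONS = {"11111111-2222-3333-4444-555555555555": {"plan": "pro", "roles": ["admin", "editor"]}}

def authorized(auth_header):
    """Constant-time check of the Basic credentials Azure AD B2C sends with each call."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, pwd = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (hmac.compare_digest(user.encode(), CONNECTOR_USER.encode())
            and hmac.compare_digest(pwd.encode(), CONNECTOR_PASSWORD.encode()))

def handle(auth_header, body):
    """Return (status, JSON reply) for one 'Before sending the token' call from B2C."""
    if not authorized(auth_header):
        return 401, {"error": "unauthorized"}  # reject callers without the connector's credentials
    try:
        record = SUBSCRIPTIONS[json.loads(body)["objectId"]]
    except (ValueError, KeyError, TypeError):
        return 200, {"version": "1.0.0", "action": "ShowBlockPage",
                     "userMessage": "No subscription found for this account."}
    # Claim names are assumptions; they must match the application claims selected in the user flow.
    return 200, {"version": "1.0.0", "action": "Continue",
                 "extension_plan": record["plan"], "extension_roles": ",".join(record["roles"])}

class Connector(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, reply = handle(self.headers.get("Authorization"), body)
        data = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":  # put TLS in front of this; B2C only calls HTTPS endpoints
    HTTPServer(("127.0.0.1", 8080), Connector).serve_forever()
```

Because `handle` is independent of the HTTP layer, the same logic can be dropped into an Azure Function or any web framework without changing the request/response contract.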