azure-ad-b2c

Send Azure AD B2C Claims That Are Hidden from the User


I'm sending claims to B2C via a JWT following the WingTip Games demo code. How do I hide the claims on my self-asserted signup TechnicalProfile from the user (LocalAccountSignUpWithLogonNameWithIDs shown below)?


I've tried removing the UserInputType node from my ClaimType definition but then I get the following error in the User Journey Player:

Output claim type "extension_my_claim" specified in the technical profile with id "LocalAccountSignUpWithLogonNameWithIDs" in policy "B2C_1A_signup_signin_extensions" of tenant "mytenant.onmicrosoft.com" does not specify a UserInputType or a DefaultValue, and is not retrieved from a ValidationTechnicalProfile either.

So then I removed my claims from the InputClaims and OutputClaims of that TechnicalProfile, and that removed the error, but then the values were not persisted.


<TechnicalProfile Id="LocalAccountSignUpWithLogonNameWithIDs">
    <DisplayName>User ID signup with associate and org id</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
        <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
        <Item Key="LocalAccountType">Username</Item>
        <Item Key="LocalAccountProfile">true</Item>
        <Item Key="language.button_continue">Create</Item>
    </Metadata>
    <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
    </CryptographicKeys>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" />
        <!-- value arrives in the claims bag from the inbound JWT -->
        <InputClaim ClaimTypeReferenceId="extension_my_claim" />
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" Required="true" />
        <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
        <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="email" Required="true" />
        <!-- listed as an OutputClaim: the provider must be able to source a value for it -->
        <OutputClaim ClaimTypeReferenceId="extension_my_claim" Required="true"/>
        <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="newUser" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    </OutputClaims>
    <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonName" />
    </ValidationTechnicalProfiles>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

Solution

  • If you want to persist the claim in the directory without showing it to the user, the best option would be:

    1. Add it as an InputClaim to the LocalAccountSignUpWithLogonNameWithIDs technical profile
    2. Add it as a PersistedClaim in the AAD-UserWriteUsingLogonName technical profile, which will write it to the directory

    All you are doing is sending the claim in all the way for persistence, but declaring that you do not want an OutputClaim from the SelfAssertedAttributeProvider.

    When you add the claim as an OutputClaim, then you are declaring that SelfAssertedAttributeProvider needs to have a way to get the value. As of today, it can be sourced in any one of three possible ways:

    1. Provided by the user (which requires UserInputType in the ClaimType definition)
    2. Retrieved from a ValidationTechnicalProfile
    3. Provided as a DefaultValue of the OutputClaim in the policy

    The error you were getting was likely because there was no way for the SelfAssertedAttributeProvider technical profile to get a value for this claim.
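The two steps in the answer, written out as policy XML. This is an added example, not code from the question or the answer; the profile names and the claim name `extension_my_claim` come from the thread, while the ClaimType definition and the body of `AAD-UserWriteUsingLogonName` follow the shape of the B2C starter pack and are illustrative.

```xml
<!-- Added example (not from the original thread). Assumes extension_my_claim has
     already been placed in the claims bag by an earlier orchestration step, e.g.
     from the inbound JWT. -->

<!-- 1. ClaimType with no UserInputType: the claim can live in the claims bag but
        is never rendered on a self-asserted page. -->
<ClaimType Id="extension_my_claim">
  <DisplayName>My claim (never shown to the user)</DisplayName>
  <DataType>string</DataType>
  <!-- deliberately no <UserInputType> element -->
</ClaimType>

<!-- 2. Self-asserted signup profile: the claim enters only as an InputClaim.
        It is NOT listed under OutputClaims, so the SelfAssertedAttributeProvider
        never has to source a value for it (no UserInputType, DefaultValue or
        validation profile required) and the earlier error does not occur. -->
<TechnicalProfile Id="LocalAccountSignUpWithLogonNameWithIDs">
  <DisplayName>User ID signup with associate and org id</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
    <Item Key="LocalAccountType">Username</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" />
    <InputClaim ClaimTypeReferenceId="extension_my_claim" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" Required="true" />
    <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
    <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="email" Required="true" />
    <OutputClaim ClaimTypeReferenceId="newUser" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonName" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

<!-- 3. Directory write profile: PersistedClaims is what actually stores the value.
        Any claim in the claims bag listed here is written to the user object,
        whether or not the user ever saw it. -->
<TechnicalProfile Id="AAD-UserWriteUsingLogonName">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" />
    <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
    <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
    <PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration" />
    <!-- the hidden claim is persisted here, straight from the claims bag -->
    <PersistedClaim ClaimTypeReferenceId="extension_my_claim" />
  </PersistedClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
```

One point worth keeping in mind with this pattern: because the claim is never rendered, the user cannot see or correct it, and the directory write stores whatever value the claims bag holds. A hidden input claim therefore carries exactly the trust of its upstream source, so when the value comes from a client-supplied JWT the policy must validate that token's signature and issuer (as the WingTip sample does for its id_token_hint) before this step runs; otherwise a caller could populate the extension attribute with arbitrary data.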