How to extract info from nested external idp access token in a custom policy?
I have a custom policy which produce b2c token with nested idp_access_token. I want my b2c token to include email claim. I have email (unique_name/sub claims) in nested idp_access_token. So, is it possible to have some kind of ClaimTransformation, to extract necessary data from claim idp_access_token?
Update: Inside external token I have claim "unique_name". I have next claims configuration:
For Technical Profile which describes oauth interraction
<Protocol Name="OAuth2"/>
<OutputTokenFormat>JWT</OutputTokenFormat>
<Metadata> ..............</Metadata>
<CryptographicKeys>...</CryptographicKeys>
<InputClaims>...</InputClaims>
<OutputClaims>
.........
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name"/>
<OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}"/>
</OutputClaims>
For RelyingParty:
<RelyingParty>
<DefaultUserJourney ReferenceId="SignIn" />
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
....
<OutputClaim ClaimTypeReferenceId="email" />
<OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token"/>
</OutputClaims>
</TechnicalProfile>
</RelyingParty>
I see that claims settings works for idp_access_token, but not for email.
External IDP token idp_access_token
Update
If I add default value, then in response I see it in b2c token
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" DefaultValue="test@email.com" />
Solution
I did a call to claims endpoint https://graph.microsoft.com/v1.0/me and notice that email claim available as mail.
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"businessPhones": [],
"displayName": "....",
"givenName": "...",
"jobTitle": "..",
"mail": "..",
"mobilePhone": null,
"officeLocation": "..",
"preferredLanguage": null,
"surname": "..",
"userPrincipalName": "..",
"id": "...."
}
- PHP - How to get OAuth 2.0 Token
- UPS Outh Rating API return Invalid Authentication Information
- How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
- How to get Optum sandbox to authenticate with OAuth 2.0 using Java and okhttp
- Spring Boot redirection back to login page
- New Google place api using google OAuth, ask failed to refresh token
- Getting OAuth code challenge on loopback server
- How do I solve audience (aud) invalid claim error for downstream api service?
- oauth 2 parameters can only have a single value: scope
- #oauth2 security expressions on method level
- Calling spring authorization server OAuth2 REST endpoints
- Google AdWords API authorization raising AdsCommon::Errors::AuthError
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Passport - Node.js not returning Refresh Token
- AWS Cognito: Missing Scopes in Access Token with Custom UI and Device Remember Functionality for MFA
- Cross-client Google OAuth: Get auth code on iOS and access token on server
- How to generate GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET without a domain?
- Spring Gateway and OAuth
- OAuth Client Credential Flow - Refresh Tokens
- Django OAuth2 Authentication Failing in Unit Tests - 401 'invalid_client' Error
- Add OAuth authentication for HTTP request triggers
- OAuth2 implementation and user management Django
- How to enable a submit button if form fields are auto-filled by the browser using saved credentials on page load?
- AADSTS70000 Error When Requesting for Access Token
- Is storing an OAuth token in cookies bad practice?
- Spring OAuth2 client performs Back-Channel Logout with an expired ID token
- I/O error on GET request for "https://localhost/application/o/{name}/.well-known/openid-configuration": Connection refused
- Restrict Microsoft Azure App OAuth2.0 to Internal Users
- How can I "Get Microsoft Teams Users" Using of Microsoft Graph API
- unsupported_grant_type error for authorization_code grant type: Spring Security OAuth2