How to extract info from nested external idp access token in a custom policy?
I have a custom policy which produce b2c token with nested idp_access_token. I want my b2c token to include email claim. I have email (unique_name/sub claims) in nested idp_access_token. So, is it possible to have some kind of ClaimTransformation, to extract necessary data from claim idp_access_token?
Update: Inside external token I have claim "unique_name". I have next claims configuration:
For Technical Profile which describes oauth interraction
<Protocol Name="OAuth2"/>
<OutputTokenFormat>JWT</OutputTokenFormat>
<Metadata> ..............</Metadata>
<CryptographicKeys>...</CryptographicKeys>
<InputClaims>...</InputClaims>
<OutputClaims>
.........
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name"/>
<OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}"/>
</OutputClaims>
For RelyingParty:
<RelyingParty>
<DefaultUserJourney ReferenceId="SignIn" />
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
....
<OutputClaim ClaimTypeReferenceId="email" />
<OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token"/>
</OutputClaims>
</TechnicalProfile>
</RelyingParty>
I see that claims settings works for idp_access_token, but not for email.
External IDP token idp_access_token
Update
If I add default value, then in response I see it in b2c token
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" DefaultValue="test@email.com" />
Solution
I did a call to claims endpoint https://graph.microsoft.com/v1.0/me and notice that email claim available as mail.
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"businessPhones": [],
"displayName": "....",
"givenName": "...",
"jobTitle": "..",
"mail": "..",
"mobilePhone": null,
"officeLocation": "..",
"preferredLanguage": null,
"surname": "..",
"userPrincipalName": "..",
"id": "...."
}
- request to token url returning 400 bad request for google oauth2?
- Enabling and Configuring Password History on Cognito
- Where to store the refresh token on the Client?
- Keycloak-Remix integration: where should I place the checks?
- Using PHPMailer when already have an access token
- Why is the IDP responding with Invalid Signature for a client assertion JWT
- Securing an azure API with oauth: Able to retrieve a token but token is invalid
- Spring Security 5.2 Password Flow
- Why Doesn't my Authorization Header need "Bearer"?
- Add role based authentication using next-auth in NextJS
- No qualifying bean of type 'org.springframework.security.oauth2.client.registration.ClientRegistrationRepository' available
- JakartaEE 10 OpenIdAuthenticationMechanism failed with Auth0
- Aws Cognito Oauth2: Refresh token rotation
- How to securely store api credentials in a native appliaction in a cross-platform manner
- KeyCloak Java Service Account Create User
- Get Google business reviews server side
- SpringBoot OAuth2 with Keycloak not returning mapped Roles as Authorities
- What is the purpose of the "access_token=" parameter when downloading a file from Google Drive?
- java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer
- How do I implement social login with GitHub accounts?
- portainer keycloak 20 oauth login "unauthorized" / "Unable to login via OAuth"
- Google Oauth2 redirect_uri_mismatch when send request from localhost
- Google OAuth 2 authorization - Error: redirect_uri_mismatch
- Use Entra ID as Identity Provider for Client Credentials flow
- Should access tokens be refreshed automatically or manually?
- OIDC login flow breaks in react strict mode for react-admin v5
- M2M Client Credential Flow between NetSuite and Synapse
- LWA : Not able to exchange Authorization Code for AccessToken : invalid_grant
- How to authenticate resource owner with JWT when sending request to /oauth2/authorize?
- Google Cloud Function - Invalid login