Not able to extract claim from id_token_hint:
<ClaimType Id="email">
  <DisplayName>Email Address</DisplayName>
  <DataType>string</DataType>
</ClaimType>
....
<TechnicalProfile Id="IdTokenHint_ExtractClaims">
  <DisplayName>My ID Token Hint TechnicalProfile</DisplayName>
  <Protocol Name="None" />
  <Metadata>
    <Item Key="METADATA">https://someapp.azurewebsites.net/api/.well-known/openid-configuration</Item>
    <Item Key="IdTokenAudience">id</Item>
  </Metadata>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" />
  </OutputClaims>
</TechnicalProfile>
When I look at the logs, I see no email in the StateBag, and the orchestration steps behave as if the claim were missing. I am confident B2C validates the id_token_hint, because I receive an error message in case of an expired token or an invalid audience.
My id_token_hint:
I invoke policy like this:
Something that is not immediately obvious is that you have to declare claims that your policy accepts from the token in the RelyingParty element. I hit this issue myself as well.
Example:
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUp" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <InputClaims>
      <!-- THIS PART -->
      <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="userId" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
Documentation: https://learn.microsoft.com/en-us/azure/active-directory-b2c/id-token-hint#configure-your-policy
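As an added example (not part of the question or the answer above), here is a small offline check that parses a B2C custom policy and reports claims that an id_token_hint technical profile outputs but the RelyingParty does not declare as InputClaims, which is exactly the misconfiguration the answer points at. The sample policy is constructed from the fragments on this page; a real policy carries the TrustFrameworkPolicy namespace and many more elements, which the local-name matching tolerates. The heuristic for recognising an id_token_hint profile (Protocol Name="None" plus a METADATA or IdTokenAudience metadata item) is an assumption based on the question's profile, not a rule from the B2C schema.

```python
"""Lint a B2C custom policy: every claim an id_token_hint technical profile
emits must also be declared as an InputClaim on the RelyingParty profile,
otherwise B2C validates the token but silently drops the claim."""
import xml.etree.ElementTree as ET

# Constructed sample built from the question's fragments. The RelyingParty
# deliberately has no InputClaim, reproducing the reported symptom.
POLICY_XML = """<TrustFrameworkPolicy>
  <ClaimsProviders>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="IdTokenHint_ExtractClaims">
          <Protocol Name="None" />
          <Metadata>
            <Item Key="METADATA">https://someapp.azurewebsites.net/api/.well-known/openid-configuration</Item>
            <Item Key="IdTokenAudience">id</Item>
          </Metadata>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="email" />
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUp" />
    <TechnicalProfile Id="PolicyProfile">
      <Protocol Name="OpenIdConnect" />
      <InputClaims>
        <!-- MISSING_INPUT_CLAIM_MARKER -->
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" />
      </OutputClaims>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>"""

# The same policy with the fix from the answer applied (constructed).
FIXED_POLICY_XML = POLICY_XML.replace(
    "<!-- MISSING_INPUT_CLAIM_MARKER -->",
    '<InputClaim ClaimTypeReferenceId="email" PartnerClaimType="userId" />',
)


def _local(tag):
    """Drop any namespace prefix so namespaced policies lint the same way."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    """All elements under `elem` (inclusive) whose local tag name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def _is_id_token_hint_profile(tp):
    """Heuristic (assumption): Protocol Name="None" plus id_token_hint metadata keys."""
    protocols = _descendants(tp, "Protocol")
    if not protocols or protocols[0].get("Name") != "None":
        return False
    keys = {item.get("Key") for item in _descendants(tp, "Item")}
    return bool(keys & {"METADATA", "IdTokenAudience"})


def relying_party_input_claims(root):
    """Claim type ids the RelyingParty accepts from the caller (empty if none)."""
    rps = _descendants(root, "RelyingParty")
    if not rps:
        return set()
    return {ic.get("ClaimTypeReferenceId") for ic in _descendants(rps[0], "InputClaim")}


def missing_input_claims(policy_xml):
    """Map each id_token_hint profile id to the claims it outputs that the
    RelyingParty never declares as InputClaims. Empty dict means the policy
    is consistent with the answer's advice."""
    root = ET.fromstring(policy_xml)
    declared = relying_party_input_claims(root)
    report = {}
    for tp in _descendants(root, "TechnicalProfile"):
        if not _is_id_token_hint_profile(tp):
            continue
        emitted = {oc.get("ClaimTypeReferenceId") for oc in _descendants(tp, "OutputClaim")}
        missing = sorted(emitted - declared)
        if missing:
            report[tp.get("Id")] = missing
    return report


if __name__ == "__main__":
    print("before fix:", missing_input_claims(POLICY_XML))
    print("after fix: ", missing_input_claims(FIXED_POLICY_XML))
```

Running the check on the broken sample names the IdTokenHint_ExtractClaims profile and the undeclared email claim; on the fixed sample it reports nothing. Because the lint works on the policy file, it can run in the pipeline that uploads policies, before a deployment produces the confusing "token validated but claim absent from the StateBag" behaviour described in the question.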