I created an Azure B2C tenant and a custom IDP for Azure Active Directory (AD). I created the user flow from B2C to federate to Azure AD and get the access token.
Steps that I have followed.
Azure AD successfully retrieves the token (idp_access_token) as a result of federation, but the issue is that the token retrieved from Azure AD does not contain a roles claim. I have created two app roles and assigned them to the user, but I couldn't see any roles inside the token.
I followed the following documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
Is this not valid for federations? What is the exact way to get assigned app roles by federation?
Here are the required details to create the B2C IDP.
How to map these details with the scope solution?
You need to create two applications in Azure AD, one representing the client application and the other representing the API application, and then use the client application to call the API application.
First, you need to expose the API of the back-end application protected by Azure AD and add the client application:
Next, you need to set the API application's AppRole, which is your customized role; it will be displayed in the manifest.
Then you can assign the role to the user. Go to Enterprise applications > your API application > Users and groups.
Next, go to the client application and give your client application access to your back-end API:
Next, you need to use the auth code flow to obtain an access token, which requires you to log in the user and obtain the authorization code, and then use the authorization code to redeem the access token.
Parse the v2.0 token; it contains both scp claims and roles claims.
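As an added example (not code from the question or the answer above), here is the last step of the answer, parsing the v2.0 access token and checking its scp and roles claims, written in Python. The tokens, the API application ID, the app role names (Api.Reader, Api.Writer) and the scope name (access_as_user) are all constructed for this example. The tokens are built with alg=none so the example runs offline; a real Azure AD access token is RS256-signed, and a resource API must verify that signature against the tenant's keys (published at https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys) before trusting any claim shown here.

```python
import base64
import json
from typing import Optional, Tuple

# Constructed values for this example; none of them come from the original post.
API_APP_ID = "11111111-1111-1111-1111-111111111111"   # "aud" of the API application
REQUIRED_ROLE = "Api.Reader"                           # hypothetical app role from the manifest
REQUIRED_SCOPE = "access_as_user"                      # hypothetical exposed API scope


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with alg=none, for offline demonstration only.
    Real Azure AD tokens are RS256-signed by the tenant's signing keys."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",  # empty signature segment
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_access(claims: dict, api_app_id: str,
                 required_role: Optional[str] = None,
                 required_scope: Optional[str] = None) -> Tuple[bool, str]:
    """Authorize a v2.0 access token for this API.

    In a v2.0 token 'roles' is a JSON array of app role values and 'scp' is a
    single space-separated string of delegated scopes. Both are checked only
    after the audience is confirmed, because roles are issued per resource app:
    a token for a different audience will simply not carry this API's roles."""
    if claims.get("aud") != api_app_id:
        return False, "audience mismatch: token was not issued for this API"
    if claims.get("ver") != "2.0":
        return False, "not a v2.0 token"
    roles = claims.get("roles") or []
    if required_role is not None and required_role not in roles:
        return False, f"missing app role {required_role!r}"
    scopes = set((claims.get("scp") or "").split())
    if required_scope is not None and required_scope not in scopes:
        return False, f"missing delegated scope {required_scope!r}"
    return True, "ok"


# Constructed sample claims: the same user and audience, with and without an
# app role assignment on the API application's enterprise app.
_BASE_CLAIMS = {
    "aud": API_APP_ID,
    "ver": "2.0",
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "oid": "22222222-2222-2222-2222-222222222222",
    "scp": "access_as_user",
}
TOKEN_WITH_ROLES = make_unsigned_token({**_BASE_CLAIMS, "roles": ["Api.Reader", "Api.Writer"]})
TOKEN_WITHOUT_ROLES = make_unsigned_token(_BASE_CLAIMS)


if __name__ == "__main__":
    for label, token in [("with roles", TOKEN_WITH_ROLES), ("without roles", TOKEN_WITHOUT_ROLES)]:
        ok, why = check_access(decode_claims(token), API_APP_ID, REQUIRED_ROLE, REQUIRED_SCOPE)
        print(f"{label}: allowed={ok} ({why})")
```

The second token reproduces the symptom from the question: the scp claim is present but roles is absent, so the role check fails. That is what you see when the user has not been assigned the role on the API application's enterprise app, or when the token's audience is some other resource than the application whose manifest defines the roles.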