
Is there a way to remove the "extension" prefix from custom attributes included in ID tokens in Azure AD B2C?


About custom attributes in Azure AD B2C. Is there a way to remove the "extension" prefix from custom attributes included in ID tokens in Azure AD B2C?

When defining a custom attribute in Azure AD B2C, the attribute will have the prefix "extension" in the ID token parameter. Is there a way to remove the "extension" prefix?

For example, I want to get "extension_sampledata" as "sampledata"

I couldn't remove it from the Azure AD B2C user flow, so I'm trying a custom policy.


Solution

  • I don't think you can change that in user flows, but you definitely can with custom policies.

    Option 1 - RelyingParty definition

    In your RelyingParty definition, you can specify a PartnerClaimType which is the name B2C will use for a claim in the token.

    For example, the RelyingParty definition:

    <RelyingParty>
      <DefaultUserJourney ReferenceId="SignIn"/>
      <UserJourneyBehaviors>
        <SingleSignOn Scope="Tenant" />
      </UserJourneyBehaviors>
      <TechnicalProfile Id="PolicyProfile">
        <DisplayName>OpenIdConnectProfile</DisplayName>
        <Protocol Name="OpenIdConnect"/>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
          <OutputClaim ClaimTypeReferenceId="displayName" />
          <OutputClaim ClaimTypeReferenceId="extension_sampledata" PartnerClaimType="sampledata" />
        </OutputClaims>
        <SubjectNamingInfo ClaimType="sub" />
      </TechnicalProfile>
    </RelyingParty>
    

    Would generate a token that contains the following claims (in addition to the standard claims):

    {
      "sub": "93575208-fd44-46fe-bafd-3156565027b3",
      "displayName": "Test User",
      "sampledata": "<Your data here>"
    }
    

    Option 2 - ClaimType definition

    Alternatively, you can specify the same thing in the ClaimType definition itself:

    <ClaimType Id="extension_sampledata">
      <DisplayName>Sample Data</DisplayName>
      <DataType>string</DataType>
      <DefaultPartnerClaimTypes>
        <Protocol Name="OAuth2" PartnerClaimType="sampledata" />
        <Protocol Name="OpenIdConnect" PartnerClaimType="sampledata" />
      </DefaultPartnerClaimTypes>
    </ClaimType>
    

    That then automatically applies the appropriate PartnerClaimType, depending on the protocol.

    For example, the RelyingParty definition:

    <RelyingParty>
      <DefaultUserJourney ReferenceId="SignIn"/>
      <UserJourneyBehaviors>
        <SingleSignOn Scope="Tenant" />
      </UserJourneyBehaviors>
      <TechnicalProfile Id="PolicyProfile">
        <DisplayName>OpenIdConnectProfile</DisplayName>
        <Protocol Name="OpenIdConnect"/>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
          <OutputClaim ClaimTypeReferenceId="displayName" />
          <OutputClaim ClaimTypeReferenceId="extension_sampledata" />
        </OutputClaims>
        <SubjectNamingInfo ClaimType="sub" />
      </TechnicalProfile>
    </RelyingParty>
    

    Would still generate a token that contains the following claims (in addition to the standard claims):

    {
      "sub": "93575208-fd44-46fe-bafd-3156565027b3",
      "displayName": "Test User",
      "sampledata": "<Your data here>"
    }
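The answer above describes a precedence rule for the name a claim gets in the token: an explicit PartnerClaimType on the RelyingParty OutputClaim wins, otherwise the ClaimType's DefaultPartnerClaimTypes entry for the relying party's protocol applies, otherwise the claim type Id (with its "extension_" prefix) is emitted as-is. The script below is an added example, not code from the question, the answer, or Microsoft's documentation: it applies that rule to a policy document and lists any custom attributes that would still reach the token with the prefix. It assumes the ClaimsSchema and the RelyingParty element are available in one document (in a real deployment the ClaimType normally lives in TrustFrameworkBase.xml or the extensions file and the RelyingParty in the relying party file, so merge them first), and the sample policy, including the extra `extension_department` claim used to show the unrenamed case, is constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace used by Identity Experience Framework policy files.
NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed sample policy: ClaimsSchema and RelyingParty in one document
# (assumes the base/extension files have already been merged).
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="objectId"><DisplayName>Object ID</DisplayName><DataType>string</DataType></ClaimType>
      <ClaimType Id="displayName"><DisplayName>Display Name</DisplayName><DataType>string</DataType></ClaimType>
      <ClaimType Id="extension_sampledata">
        <DisplayName>Sample Data</DisplayName>
        <DataType>string</DataType>
        <DefaultPartnerClaimTypes>
          <Protocol Name="OAuth2" PartnerClaimType="sampledata" />
          <Protocol Name="OpenIdConnect" PartnerClaimType="sampledata" />
        </DefaultPartnerClaimTypes>
      </ClaimType>
      <ClaimType Id="extension_department"><DisplayName>Department</DisplayName><DataType>string</DataType></ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignIn"/>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>OpenIdConnectProfile</DisplayName>
      <Protocol Name="OpenIdConnect"/>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="extension_sampledata" />
        <OutputClaim ClaimTypeReferenceId="extension_department" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
"""


def default_partner_claim_types(root):
    """Map ClaimType Id -> {protocol name: PartnerClaimType} from the ClaimsSchema."""
    defaults = {}
    for ct in root.iterfind(".//cpim:ClaimsSchema/cpim:ClaimType", NS):
        per_protocol = {}
        for proto in ct.iterfind("cpim:DefaultPartnerClaimTypes/cpim:Protocol", NS):
            per_protocol[proto.get("Name")] = proto.get("PartnerClaimType")
        defaults[ct.get("Id")] = per_protocol
    return defaults


def token_claim_names(policy_xml):
    """Return {ClaimTypeReferenceId: name emitted in the token} for the RelyingParty profile."""
    root = ET.fromstring(policy_xml)
    defaults = default_partner_claim_types(root)
    profile = root.find("cpim:RelyingParty/cpim:TechnicalProfile", NS)
    protocol = profile.find("cpim:Protocol", NS).get("Name")
    names = {}
    for oc in profile.iterfind("cpim:OutputClaims/cpim:OutputClaim", NS):
        claim_id = oc.get("ClaimTypeReferenceId")
        # Precedence: explicit PartnerClaimType on the OutputClaim, then the
        # ClaimType's DefaultPartnerClaimTypes for this protocol, then the Id itself.
        name = (oc.get("PartnerClaimType")
                or defaults.get(claim_id, {}).get(protocol)
                or claim_id)
        names[claim_id] = name
    return names


def leaked_extension_claims(policy_xml):
    """Claim Ids that will still appear in the token with the extension_ prefix."""
    return sorted(cid for cid, name in token_claim_names(policy_xml).items()
                  if name.startswith("extension_"))


if __name__ == "__main__":
    for cid, name in token_claim_names(SAMPLE_POLICY).items():
        print(f"{cid:25} -> {name}")
    print("still prefixed:", leaked_extension_claims(SAMPLE_POLICY))
```

Renaming only changes the claim name in the issued token; the directory attribute behind `extension_sampledata` keeps its own name, and the relying party should still validate the token's signature, issuer and audience before trusting any custom claim it reads under the new name.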