
How to extract info from a nested external IdP access token in a custom policy?

I have a custom policy which produces a B2C token with a nested idp_access_token. I want my B2C token to include an email claim. I have the email (unique_name/sub claims) in the nested idp_access_token. So, is it possible to have some kind of ClaimsTransformation to extract the necessary data from the idp_access_token claim?


Update: Inside the external token I have the claim "unique_name". I have the following claims configuration:

For the Technical Profile which describes the OAuth interaction:

    <Protocol Name="OAuth2"/>
    <Metadata> ..............</Metadata>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name"/>
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}"/>
    </OutputClaims>

For the RelyingParty:

    <DefaultUserJourney ReferenceId="SignIn" />
    <TechnicalProfile Id="PolicyProfile">
        <Protocol Name="OpenIdConnect" />
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="email" />
            <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token"/>
        </OutputClaims>
    </TechnicalProfile>

I see that the claims settings work for idp_access_token, but not for email.

[Screenshots not reproduced: the external IdP token as the idp_access_token claim, and the external IdP token itself]

If I add a default value, then I see it in the B2C token in the response:

    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" DefaultValue="[email protected]" />


  • I did a call to the claims endpoint and noticed that the email claim is available as mail.

        {
            "@odata.context": "$metadata#users/$entity",
            "businessPhones": [],
            "displayName": "....",
            "givenName": "...",
            "jobTitle": "..",
            "mail": "..",
            "mobilePhone": null,
            "officeLocation": "..",
            "preferredLanguage": null,
            "surname": "..",
            "userPrincipalName": "..",
            "id": "...."
        }
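As an added example (not part of the question, and not code from Microsoft's documentation or any project), here is a complete OAuth2 claims provider showing how the output claims of an OAuth2 technical profile relate to the claims endpoint response quoted above. In an OAuth2 technical profile, `PartnerClaimType` names a field of the JSON returned by the `ClaimsEndpoint` metadata item, not a claim inside the access token; only the `{oauth2:access_token}` placeholder reaches into the token itself. The technical profile id, display name, endpoint URLs, scope, client id and key container name are placeholders, and the example assumes the claims endpoint is Graph `/me`, as the response above suggests.

```xml
<!-- Added example, not from the question. Ids, URLs, scope and key names are placeholders. -->
<ClaimsProvider>
  <DisplayName>Example OAuth2 IdP</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Example-OAuth2">
      <DisplayName>Example IdP</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="ProviderName">example</Item>
        <Item Key="authorization_endpoint">https://idp.example.com/oauth2/authorize</Item>
        <Item Key="AccessTokenEndpoint">https://idp.example.com/oauth2/token</Item>
        <!-- The JSON returned by this endpoint is what the OutputClaims below are read from. -->
        <Item Key="ClaimsEndpoint">https://graph.microsoft.com/v1.0/me</Item>
        <Item Key="scope">openid profile email User.Read</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="client_id">PLACEHOLDER_CLIENT_ID</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ExampleIdPSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- "mail" is a field of the /me response shown in the question, so this mapping is populated. -->
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="mail" />
        <!-- "unique_name" is a claim inside the access token, not a field of the claims-endpoint JSON,
             so the mapping below stays empty unless a DefaultValue is supplied (the behaviour the
             question observes). Kept here, commented out, only to contrast it with the line above. -->
        <!-- <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" /> -->
        <!-- The raw access token is still passed through for the relying party to emit as idp_access_token. -->
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
        <!-- "id" is also a field of the /me response and is the stable identifier to key the account on. -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

The relying-party side from the question is unchanged by this: `<OutputClaim ClaimTypeReferenceId="email" />` in `PolicyProfile` emits whatever the `email` claim holds after the journey, so once the technical profile above fills it from the `mail` field, the claim appears in the B2C token without a `DefaultValue`.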