Tags: oauth-2.0, azure-ad-b2c, azure-ad-b2c-custom-policy, identity-experience-framework

How to extract info from nested external idp access token in a custom policy?


I have a custom policy which produces a B2C token with a nested idp_access_token. I want my B2C token to include an email claim. I have the email (unique_name/sub claims) in the nested idp_access_token. So, is it possible to have some kind of ClaimTransformation to extract the necessary data from the idp_access_token claim?


Update: Inside the external token I have the claim "unique_name". I have the following claims configuration:

For the Technical Profile which describes the OAuth interaction:

    <Protocol Name="OAuth2"/>
    <OutputTokenFormat>JWT</OutputTokenFormat>
    <Metadata>..............</Metadata>
    <CryptographicKeys>...</CryptographicKeys>
    <InputClaims>...</InputClaims>
    <OutputClaims>
        .........
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name"/>
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}"/>
    </OutputClaims>

For RelyingParty:

    <RelyingParty>
        <DefaultUserJourney ReferenceId="SignIn" />
        <TechnicalProfile Id="PolicyProfile">
            <DisplayName>PolicyProfile</DisplayName>
            <Protocol Name="OpenIdConnect" />
            <OutputClaims>
                ....
                <OutputClaim ClaimTypeReferenceId="email" />
                <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token"/>
            </OutputClaims>
        </TechnicalProfile>
    </RelyingParty>

I see that the claim settings work for idp_access_token, but not for email.

(Screenshot: external IDP token idp_access_token)

Update

If I add a default value, then I see it in the B2C token response:

<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" DefaultValue="[email protected]" />

Solution

  • I made a call to the claims endpoint https://graph.microsoft.com/v1.0/me and noticed that the email claim is available as mail.

    {
        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
        "businessPhones": [],
        "displayName": "....",
        "givenName": "...",
        "jobTitle": "..",
        "mail": "..",
        "mobilePhone": null,
        "officeLocation": "..",
        "preferredLanguage": null,
        "surname": "..",
        "userPrincipalName": "..",
        "id": "...."
    }
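The technical profile the solution above implies, written out as an added example (it is not the poster's policy): an OAuth2 technical profile whose OutputClaims are mapped from the JSON body of the ClaimsEndpoint response, so the email is taken from the top-level "mail" property of /me rather than from a claim inside the access token, which B2C never decodes. The endpoint URLs, the scope, the profile Id, the client_id placeholder and the key StorageReferenceId are assumptions; the Metadata item keys are the standard ones for the B2C OAuth2 protocol.

```xml
<!-- Added example, not part of the original post. Assumes the external IdP is
     Azure AD (the /me call succeeded against Microsoft Graph). -->
<TechnicalProfile Id="ExternalIdp-OAuth2">
  <DisplayName>External IdP (OAuth2)</DisplayName>
  <Protocol Name="OAuth2" />
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <!-- Tenant-specific values; TENANT_ID and REPLACE_WITH_CLIENT_ID are placeholders. -->
    <Item Key="authorization_endpoint">https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize</Item>
    <Item Key="AccessTokenEndpoint">https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token</Item>
    <!-- OutputClaims below are read from this endpoint's JSON response, not from the
         access token's own payload, which is why "unique_name" was never populated. -->
    <Item Key="ClaimsEndpoint">https://graph.microsoft.com/v1.0/me</Item>
    <Item Key="scope">https://graph.microsoft.com/User.Read</Item>
    <Item Key="client_id">REPLACE_WITH_CLIENT_ID</Item>
  </Metadata>
  <CryptographicKeys>
    <!-- Assumed policy key name; the secret itself never appears in the policy. -->
    <Key Id="client_secret" StorageReferenceId="B2C_1A_ExternalIdpClientSecret" />
  </CryptographicKeys>
  <OutputClaims>
    <!-- Before: "unique_name" lives inside the access token. B2C cannot see it, and a
         DefaultValue only masks the failed mapping by stamping a fixed address into
         every issued token. -->
    <!-- <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" /> -->
    <!-- After: "mail" is a top-level property of the /me response shown in the solution. -->
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="mail" />
    <!-- {oauth2:access_token} is the one mapping that does come from the token exchange. -->
    <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
  </OutputClaims>
</TechnicalProfile>
```

Note that "mail" can be null for accounts without a mailbox, so the relying-party claim should be treated as optional rather than padded with a DefaultValue.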