I have a custom policy which produces a B2C token with a nested idp_access_token. I want my B2C token to include an email claim. I have the email (unique_name/sub claims) in the nested idp_access_token. So, is it possible to have some kind of ClaimTransformation to extract the necessary data from the idp_access_token claim?
Update: Inside the external token I have the claim "unique_name". I have the following claims configuration:

For the Technical Profile which describes the OAuth interaction:
<Protocol Name="OAuth2"/>
<OutputTokenFormat>JWT</OutputTokenFormat>
<Metadata> ..............</Metadata>
<CryptographicKeys>...</CryptographicKeys>
<InputClaims>...</InputClaims>
<OutputClaims>
  .........
  <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name"/>
  <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}"/>
</OutputClaims>
For the RelyingParty:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      ....
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token"/>
    </OutputClaims>
  </TechnicalProfile>
</RelyingParty>
I see that the claims settings work for idp_access_token, but not for email.
External IDP token idp_access_token
Update: If I add a default value, then I see it in the B2C token response:

<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" DefaultValue="[email protected]" />
I made a call to the claims endpoint https://graph.microsoft.com/v1.0/me and noticed that the email claim is available as mail:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
  "businessPhones": [],
  "displayName": "....",
  "givenName": "...",
  "jobTitle": "..",
  "mail": "..",
  "mobilePhone": null,
  "officeLocation": "..",
  "preferredLanguage": null,
  "surname": "..",
  "userPrincipalName": "..",
  "id": "...."
}
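A small diagnostic for the situation described in the question, added here as an example and not part of the original post or of Azure AD B2C: it decodes the B2C token, pulls out the nested idp_access_token, and reports which of the usual email-bearing claim names (email, mail, unique_name, upn, preferred_username) the inner token actually carries, so a mismatch between the PartnerClaimType you map and the claim the IdP really emits is visible. The sample tokens are constructed, unsigned (alg none) JWTs built inside the block; the payloads are read without signature verification, which is fine for inspecting claim names but never for trusting their values.

```python
"""Inspect the claims of a B2C token and of the IdP token nested under
idp_access_token. Added diagnostic example, not code from the question.
Payloads are decoded WITHOUT signature verification: use this only to see
which claim names exist, never to make an authorization decision."""
import base64
import json

# Claim names that commonly carry an email address in IdP tokens.
EMAIL_CANDIDATES = ("email", "mail", "unique_name", "upn", "preferred_username")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def nested_claims(b2c_token: str, nested_claim: str = "idp_access_token") -> dict:
    """Claims of the IdP token embedded in the B2C token under nested_claim."""
    outer = jwt_claims(b2c_token)
    if nested_claim not in outer:
        raise KeyError(f"{nested_claim} is not present in the B2C token")
    return jwt_claims(outer[nested_claim])


def email_claim_candidates(b2c_token: str) -> dict:
    """Which of the usual email-bearing claim names the nested token exposes."""
    inner = nested_claims(b2c_token)
    return {name: inner[name] for name in EMAIL_CANDIDATES if name in inner}


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for the demo (alg none, empty signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed sample: an IdP token carrying unique_name (but no "email"),
# wrapped by a B2C token that exposes it as idp_access_token.
SAMPLE_IDP = make_unsigned_jwt({"unique_name": "user@example.com", "sub": "abc"})
SAMPLE_B2C = make_unsigned_jwt({"sub": "b2c-user", "idp_access_token": SAMPLE_IDP})
```

Run `email_claim_candidates(<your B2C token>)` against a real token to see whether the IdP emits the name your OutputClaim's PartnerClaimType expects; an empty result for "email" with a populated "unique_name" or "mail" is the mapping mismatch to look for.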