Tags: azure-ad-b2c, azure-ad-b2c-custom-policy, microsoft-entra-id

Azure AD B2C - Original authentication source is missing after token refresh


I am currently working on an Azure AD B2C custom policy that enables users to have multiple identities (Google, Microsoft, Apple, and Entra ID). The Entra ID ClaimsProvider sets an entraTenantId claim derived from the iss claim, which is then sent to the application via RelyingParty.

However, I have noticed that after the application acquires a new token using grant_type: refresh_token, the UserJourney RedeemRefreshToken does not return the entraTenantId or identityProvider, which are crucial for my application's functionality.

Could someone please advise on how to ensure that the entraTenantId and identityProvider are included in the refreshed token or suggest alternative approaches to address this issue?

I attempted to address the issue by adding the entraTenantId output claim to the RefreshTokenReadAndSetup ClaimsProvider, but unfortunately, this adjustment did not yield the expected outcome.

My objective is to retrieve and output the name of the provider that the user originally used to sign in from the RedeemRefreshToken journey.

The solution I am pursuing is based on the SocialAndLocalAccounts example provided by Azure AD B2C.

Thank you!


Solution

  • In case anyone else is having the same issue, I finally got it working by just adding the claims to the RefreshTokenReadAndSetup TechnicalProfile. There is no clear mention in the docs, but AAD B2C is able to use the original authentication context when issuing the new token.

      <ClaimsProvider>
        <DisplayName>Refresh token journey</DisplayName>
        <TechnicalProfiles>
          <!-- Invoked by the RedeemRefreshToken journey. Claims listed here are
               re-populated from the original sign-in session when the new token
               is issued, so anything the RelyingParty must emit after a refresh
               has to appear in this OutputClaims collection. -->
          <TechnicalProfile Id="RefreshTokenReadAndSetup">
            <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>
            <Protocol Name="None" />
            <OutputClaims>
              <OutputClaim ClaimTypeReferenceId="objectId" />
              <OutputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" />
              <!-- Tenant of the Entra ID account the user originally signed in with -->
              <OutputClaim ClaimTypeReferenceId="entraTenantId" PartnerClaimType="entra_id_tenant" />
              <!-- Name of the identity provider used for the original sign-in -->
              <OutputClaim ClaimTypeReferenceId="identityProvider" />
            </OutputClaims>
          </TechnicalProfile>
        </TechnicalProfiles>
      </ClaimsProvider>
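Once the policy change is deployed, it is worth confirming from the application side that the claims it authorizes on (the identity provider and the Entra tenant) are actually present, and unchanged, in the token returned by the refresh_token grant. The script below is an added example, not code from the question or the answer above: it decodes the payload of an original token and a refreshed one and reports any required claim that is missing or has a different value. The claim names `identityProvider`, `entra_id_tenant` and `oid` are assumptions taken from the post (set them to whatever PartnerClaimType your RelyingParty emits), and the sample tokens are constructed, unsigned test tokens so the example runs offline. The decoder deliberately does not validate signatures; a real application must verify the token against the B2C policy's JWKS before trusting any claim in it.

```python
"""Compare claims between an original Azure AD B2C token and its refreshed successor.

Added example (not from the original post). Decodes compact JWS payloads WITHOUT
verifying signatures: use it only as a diagnostic, after normal token validation.
"""
import base64
import json

# Claims the application depends on for tenant scoping. Names are assumptions
# based on the post; adjust to the PartnerClaimType values your policy emits.
REQUIRED_CLAIMS = ("identityProvider", "entra_id_tenant", "oid")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: dict) -> str:
    return base64.urlsafe_b64encode(
        json.dumps(data, separators=(",", ":")).encode()
    ).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS as a dict. No signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with exactly three segments")
    return json.loads(_b64url_decode(parts[1]))


def compare_refresh(original: str, refreshed: str, required=REQUIRED_CLAIMS) -> dict:
    """Report required claims that are missing from, or changed in, the refreshed token.

    'missing' lists claims present before the refresh but absent afterwards (the
    symptom described in the question); 'changed' maps claims whose value differs,
    which would indicate the refreshed token no longer reflects the original
    sign-in context and should be rejected by the application.
    """
    before, after = jwt_claims(original), jwt_claims(refreshed)
    missing = [c for c in required if c in before and c not in after]
    changed = {
        c: (before[c], after[c])
        for c in required
        if c in before and c in after and before[c] != after[c]
    }
    return {"missing": missing, "changed": changed, "ok": not missing and not changed}


def make_test_token(payload: dict) -> str:
    """Build an UNSIGNED (alg=none) token so the example runs offline. Test data only."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(payload)}."


# Constructed sample claim sets (placeholder issuer, GUIDs and provider name).
_BASE = {
    "iss": "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
    "aud": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222",
}
ORIGINAL_TOKEN = make_test_token(
    {**_BASE, "identityProvider": "AzureADMultiTenant",
     "entra_id_tenant": "33333333-3333-3333-3333-333333333333"}
)
# What the question describes: RedeemRefreshToken dropped the two custom claims.
REFRESHED_BEFORE_FIX = make_test_token(dict(_BASE))
# After adding the claims to RefreshTokenReadAndSetup they are carried over.
REFRESHED_AFTER_FIX = make_test_token(jwt_claims(ORIGINAL_TOKEN))
# A refreshed token claiming a different tenant: must be flagged, not accepted.
REFRESHED_TENANT_SWAPPED = make_test_token(
    {**jwt_claims(ORIGINAL_TOKEN),
     "entra_id_tenant": "44444444-4444-4444-4444-444444444444"}
)

if __name__ == "__main__":
    for name, tok in (("before fix", REFRESHED_BEFORE_FIX),
                      ("after fix", REFRESHED_AFTER_FIX),
                      ("tenant swapped", REFRESHED_TENANT_SWAPPED)):
        print(name, compare_refresh(ORIGINAL_TOKEN, tok))
```

Run it against two real tokens captured from your application (the first from the interactive sign-in, the second from the refresh_token grant) by passing them to `compare_refresh`; an empty `missing` list confirms the policy change took effect, and a non-empty `changed` map is a reason to discard the refreshed token rather than continue with a different tenant context.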