Reputation: 91
I have configured B2C as an Authorization Server for the client credentials flow. I would like to add a claim to the token so I can send it to the backend service in APIM using a policy, but I could not find a way to add this extra claim to the token so that I can use it in APIM. Note: it was possible using the Authorization Code flow, but the claims are not passed through the request when using client credentials.
Is there a way to achieve that?
Upvotes: 3
Views: 2195
Reputation: 17658
Facing this issue myself, I documented the steps to get there.
So, first, configure the client credentials flow as described here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/client-credentials-grant-flow?pivots=b2c-custom-policy
This is pretty straightforward, up to (and including) step 3. About step 3: pay attention to this line:
Replace with the full name of your user flow, or custom policy. Note, all types of user flows and custom policies support client credentials flow. You can use any user flow or custom policy you have, or create a new one, such as sign-up or sign-in.
It notes that all user flows support client_credentials; however, when targeting a user flow, the API connector (which can normally be used to enrich a token) will not be called.
As per the documentation, set up signing and encryption keys:
Install the base policies from the starter pack; also see GitHub.
There are several similar files, but the ones under LocalAccounts are sufficient for just enriching the JWT.
Make sure you replace the tenant name with yours.
Upload these into the custom policies.
The ClientCredentialsFlow.xml policy can now be uploaded. Make sure you replace the tenant name with yours.
Log in and you should receive an enriched token. You can start customizing the example policy accordingly.
import requests

# Placeholders for your own app registration (assumed; values are not on this page)
client = "<application (client) id>"
secret = "<client secret>"

url = ("https://<yourtenant>.b2clogin.com/<yourtenant>.onmicrosoft.com"
       "/B2C_1A_DEMO_CLIENTCREDENTIALSFLOW/oauth2/v2.0/token")
# the scope as described; typically it looks like this
scope = "https://<yourtenant>.onmicrosoft.com/<resource server id>/.default"
response = requests.post(url,
                         data={'grant_type': 'client_credentials',
                                 'client_id': client,
                                 'client_secret': secret,
                                 'scope': scope},
                         headers={'Content-Type': 'application/x-www-form-urlencoded'})
response.raise_for_status()
token = response.json()['access_token']
Upvotes: 1
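To confirm that the token returned by the request above actually carries the enriched claim and was issued by the intended policy, the helper below inspects the JWT payload. This is an added example, not code from the answer or from Microsoft; it decodes without checking the signature (inspection only, the way jwt.ms does), so signature validation must still happen in APIM's validate-jwt policy or a JWKS-backed library before any claim is trusted. The sample token, the claim name extension_CustomClaim and the tenant values are constructed placeholders.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWS. The signature is NOT
    checked here; this is for inspecting what B2C put in the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def enrichment_report(token, claim_name, expected_policy, now=None):
    """Check issuing policy (tfp/acr claim), expiry and the enriched claim."""
    _, claims = decode_jwt_unverified(token)
    now = time.time() if now is None else now
    policy = claims.get("tfp", claims.get("acr", ""))
    return {
        "policy_matches": policy.lower() == expected_policy.lower(),
        "expired": claims.get("exp", 0) <= now,
        "claim_present": claim_name in claims,
        "claim_value": claims.get(claim_name),
    }


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token: not a real B2C token, dummy signature segment.
SAMPLE_CLAIMS = {
    "iss": "https://yourtenant.b2clogin.com/<tenant-guid>/v2.0/",
    "aud": "<resource server id>",
    "exp": 4102444800,  # 2100-01-01, so the sample never expires in tests
    "tfp": "B2C_1A_DEMO_CLIENTCREDENTIALSFLOW",
    "extension_CustomClaim": "enriched-by-policy",  # hypothetical claim
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "sample"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"dummy-signature"),
])
```

Run enrichment_report(token, "extension_CustomClaim", "B2C_1A_DEMO_CLIENTCREDENTIALSFLOW") on the real access_token; if claim_present is False while policy_matches is True, the policy ran but the claim was not added to the output claims of the token issuer.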
Reputation: 11315
You cannot do claims customization with Azure AD client_credential flow. We will release Azure AD B2C client credential flow, which will allow claims customization using a custom policy, similar to authorization code flow, in the future.
Upvotes: 4