Claudio Resende

Reputation: 91

Add custom claims to azure b2c client credentials flow

I have configured B2C as an Authorization Server for the client credentials flow, and I would like to add a claim to the token so I could send it to the backend service in APIM using a policy. But I could not find a way to add this extra claim to the token so I could use it in APIM. Note: it was possible using the Authorization Code flow, but the claims are not being passed through the request when using client credentials.

Is there a way for achieving that?

Upvotes: 3

Views: 2195

Answers (2)

Stefan

Reputation: 17658

Facing this issue myself, I documented the steps to get there.

1 Set up the resource app and client as usual

So, first, configure the client credentials flow as described here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/client-credentials-grant-flow?pivots=b2c-custom-policy

This is pretty straightforward, up till (and including) step 3. About step 3: pay attention to this line:

Replace with the full name of your user flow, or custom policy. Note, all types of user flows and custom policies support client credentials flow. You can use any user flow or custom policy you have, or create a new one, such as sign-up or sign-in.

It notes that all user flows support client_credentials; however, when targeting a user flow, the API connector (which can normally be used to enrich a token) will not be called.

2 Prepare the custom policies

As per the documentation, set up signing and encryption keys:

Create the signing key

  • Select Policy Keys and then select Add.
  • For Options, choose Generate.
  • In Name, enter TokenSigningKeyContainer. The prefix B2C_1A_ might be added automatically.
  • For Key type, select RSA.
  • For Key usage, select Signature. Select Create.

Create the encryption key

  • Select Policy Keys and then select Add.
  • For Options, choose Generate.
  • In Name, enter TokenEncryptionKeyContainer. The prefix B2C_1A_ might be added automatically.
  • For Key type, select RSA.
  • For Key usage, select Encryption.
  • Select Create.

Upload base policies

Install the base policies from the starter pack; also see GitHub.

There are several similar files, but the ones under LocalAccounts are sufficient for just enriching the JWT.

Make sure you replace the tenant name with yours.

Upload these into the custom policies.

3 Upload the ClientCredentialsFlow

The ClientCredentialsFlow.xml policy can now be uploaded. Make sure you replace the tenant name with yours.

Login using application client ID and secret

Login and you should receive an enriched token. You can start customizing the example policy accordingly.


    import requests

    # application (client) ID and secret of the calling app registration
    client = "<client id>"
    secret = "<client secret>"

    # token endpoint of the custom policy (the original line concatenated
    # these strings across a line break, which is a syntax error without parentheses)
    url = ("https://<yourtenant>.b2clogin.com/<yourtenant>.onmicrosoft.com"
           "/B2C_1A_DEMO_CLIENTCREDENTIALSFLOW/oauth2/v2.0/token")

    # the scope as described; typically it looks like this
    scope = "https://<yourtenant>.onmicrosoft.com/<resource server id>/.default"

    response = requests.post(
        url,
        data={'grant_type': 'client_credentials',
              'client_id': client,
              'client_secret': secret,
              'scope': scope},
        headers={'Content-Type': 'application/x-www-form-urlencoded'},
    )
    response.raise_for_status()
    token = response.json()['access_token']

Upvotes: 1
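The answer above ends with "you should receive an enriched token", and the trap it describes (a user flow silently skipping the API connector) shows up as a token that is valid but simply lacks the custom claim. The following added example, which is not part of the original answer or of Microsoft's code, inspects the returned token offline and reports whether the expected claim is present, whether the token is still within its expiry, and whether the header advertises RS256 rather than an unsigned algorithm. The claim name `extension_tenantRole`, the `make_sample_token` helper and its dummy signature are assumptions constructed for the demonstration; signature validation against the policy's JWKS (or APIM's validate-jwt policy) is still required before any of these claims are trusted.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Assumed custom claim name (not from the original answer). B2C exposes
# custom attributes as extension_<name> claims; substitute your own.
EXPECTED_CLAIM = "extension_tenantRole"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as used in compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Split a compact JWS into (header, payload) WITHOUT verifying the signature.

    This is only for inspecting what the policy put in the token; the
    signature must still be verified against the B2C JWKS before trusting it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_enriched_token(token: str, claim: str = EXPECTED_CLAIM,
                         now: Optional[float] = None) -> dict:
    """Report whether `token` looks like an RS256 token enriched with `claim`."""
    header, payload = decode_jwt_unverified(token)
    now = time.time() if now is None else now
    result = {
        # B2C signs tokens with RS256; an "alg": "none" token must never be accepted
        "alg_ok": header.get("alg") == "RS256",
        "not_expired": payload.get("exp", 0) > now,
        # missing claim = the enrichment step (e.g. API connector) did not run
        "has_claim": claim in payload,
        "claim_value": payload.get(claim),
    }
    result["ok"] = result["alg_ok"] and result["not_expired"] and result["has_claim"]
    return result


def make_sample_token(payload: dict, alg: str = "RS256") -> str:
    """Build a CONSTRUCTED token with a dummy signature for offline demonstration.

    A real B2C token carries an RSA signature over header.payload; this helper
    exists only so the check above can be exercised without a tenant.
    """
    header = {"typ": "JWT", "alg": alg, "kid": "constructed-kid"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}.{_b64url_encode(b'dummy-signature')}"


if __name__ == "__main__":
    # constructed tokens: one enriched, one from a flow that skipped enrichment
    enriched = make_sample_token({"iss": "https://<yourtenant>.b2clogin.com/",
                                  "exp": int(time.time()) + 3600,
                                  EXPECTED_CLAIM: "reader"})
    plain = make_sample_token({"exp": int(time.time()) + 3600})
    print(check_enriched_token(enriched))  # has_claim True, ok True
    print(check_enriched_token(plain))     # has_claim False, ok False
```

In practice, replace `make_sample_token(...)` with the `access_token` from the token response of the policy; if `has_claim` is false while the user-flow variant is being targeted, that is the API-connector behaviour the answer warns about, and the custom policy route is needed instead.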

Jas Suri - MSFT

Reputation: 11315

You cannot do claims customization with Azure AD client_credential flow. We will release Azure AD B2C client credential flow, which will allow claims customization using a custom policy, similar to authorization code flow, in the future.

Upvotes: 4
