Reputation: 919
Email claim missing in Azure B2C User Flow
I have B2C tenant xxx.onmicrosoft.com and account [email protected].
I have API Connector (Azure Function called B2CRoleAssignment) that gets triggered before including application claims in token (Preview).
When I first attempt to sign into my SPA application with [email protected] this is the following payload my API Connector (Azure Function) receives:
{
"step":"PreTokenIssuance",
"client_id":"XXXXYYYY-XXXX-YYYY-ZZZZ-d6b8da8e942a",
"ui_locales":"en-US",
"email":"[email protected]",
"objectId":"AAAABBBB-CCCC-DDDD-EEEE-ad37b0ec108e",
"displayName":"admin"
}
When I close my SPA application and open it again, this is the payload API Connector (Azure Function) receives:
{
"step":"PreTokenIssuance",
"client_id":"XXXXYYYY-XXXX-YYYY-ZZZZ-d6b8da8e942a",
"ui_locales":"en-US",
"objectId":"AAAABBBB-CCCC-DDDD-EEEE-ad37b0ec108e",
"displayName":"admin"
}
How come the email claim is missing? On my Sign up and sign in User Flow I have selected Email Addresses application claim, but that doesn't seem to be working or doing anything at all.
The interesting thing is, this appears to only be a problem with accounts ending with @xxx.onmicrosoft.com.
Upvotes: 1
Views: 3594
Answers (1)
Reputation: 5169
• The email claim is missing during the sign in and signup user flow when selecting the API connector because the Azure function app is being considered by the Azure AD B2C as an untrusted domain website/application since the session is interrupted by closing and reopening the same due to which the session token might be considered expired/invalid immediately. As a result of which, the ‘email’ claim is omitted.
Thus, because of this, the email claim attribute might be returned null in the ‘application/json’ file as its value in the column might be missing or unknown. Hence, I would suggest you to please use the custom policies for signin or signup instead of default user flows in the Azure AD B2C console. Also, ensure that in the sign in and sign-up custom policy starter pack or the default custom policy in which editing needs to be done, do add the below claims in the custom policy output claims such that you will get the ‘email’ as an attribute in the response decoded token since adding the below claims will allow you to sign in through multiple claim attributes and you might not be getting email claim when using other claim types other than email.
<!-- This was already here -->
<OutputClaim ClaimTypeReferenceId="email" />
<!-- Added claim -->
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress"
PartnerClaimType="email" />
To find the default custom policy starter pack, refer the below link for more details: -
https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
Also, to know more regarding the above issue and its accepted solution, kindly refer to the below community link: -
Why is email not returned with api connector when SSO with azure b2c?
Upvotes: 5
Related Questions
- Azure B2C user flow without an email
- Azure Ad b2c: Get email in Claims after successfully Signin in azure ad b2c
- Azure B2C SAML Email Claim
- AZURE b2C Signin Flow shows only Email signup
- Azure AD B2C missing email claim with local account and user id sign-in
- Azure AD B2C - Populating email in input claim from previous orchestration step and Verify.email not working alongwith
- Azure AD B2C - "emails" claim in custom policy
- Email claims not populated with custom policies in Azure B2C
- Email missing in Claim - How to find what is passing from B2C and fix?
- Why Does the Email Claim Need to be an Input Claim in my TechnicalProfile