
How to pass access token from custom IdP

Open pzejer opened this issue 2 years ago • 6 comments

I have a scenario in which I want to use a custom IdP with B2C in exactly the same scenario as in this article. I read that "Azure AD B2C supports passing the access token of [OAuth 2.0] identity providers, which include [Facebook] and [Google]. For all other identity providers, the claim is returned blank." Is it possible to pass an access token from a custom IdP? I used the custom policy template 'SocialAndLocalAccounts' and I have an OpenID connection with the custom IdP, but I have no idea how to make an OAuth connection flow to the custom IdP and pass my own scope in the Authorization Code Flow.



pzejer avatar Feb 14 '23 08:02 pzejer

@pzejer It would be great if you could add a link to the documentation you are following for these steps. This would help us redirect the issue to the appropriate team. Thanks!

Naveenommi-MSFT avatar Feb 14 '23 15:02 Naveenommi-MSFT

Yes. About the access token, which is blank here: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory-b2c/idp-pass-through-user-flow.md

I tried to make my own template "TrustFrameworkExtensions.xml" with an OAuth technical profile to my custom IdP, but it didn't work out.

pzejer avatar Feb 14 '23 16:02 pzejer

To be more clear - I did it with a user flow. I added a custom OpenID provider. Then, in the application claims, I configured it to include "Identity Provider Access Token" plus regular user info like email, display name, etc. In the definition of my IdP I added scopes like openid profile {and my magic scope to get the special user session from my IdP}. It seems to work well, but I want to get it via a custom policy. I have no idea how to configure it with a custom policy, or even how to download the current user flow with the base policy as XML to have a blueprint for how to make it.

pzejer avatar Feb 14 '23 16:02 pzejer

@pzejer Thanks for your feedback! We will investigate and update as appropriate.

Naveenommi-MSFT avatar Feb 15 '23 01:02 Naveenommi-MSFT

Hi @pzejer Yes, it is possible to pass an access token from a custom identity provider (IdP) to your app in Azure Active Directory B2C (AD B2C). You can do this by adding the identity provider access token claim to your user flow or custom policy.

For your information, please refer to the documented links below: https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/how-to-use-quickstart-idtoken https://learn.microsoft.com/en-us/azure/active-directory-b2c/partner-idemia?pivots=b2c-user-flow

ManoharLakkoju-MSFT avatar Feb 15 '23 08:02 ManoharLakkoju-MSFT
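As an added illustration (not part of this thread and not taken from the Azure docs), this is the custom-policy counterpart of the user-flow setup pzejer describes above: an OpenIdConnect technical profile that requests the extra scope and captures the IdP's access token, plus the relying-party output claim that surfaces it to the app. The domain, metadata URL, client_id, key container name, technical profile Id and the custom scope are placeholders, and the `{oidc:access_token}` partner claim type for OpenIdConnect technical profiles is assumed here.

```xml
<!-- TrustFrameworkExtensions.xml: declare the claim that will carry the IdP access token -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="identityProviderAccessToken">
      <DisplayName>Identity Provider Access Token</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <Domain>custom-idp.example</Domain>                    <!-- placeholder -->
    <DisplayName>Custom IdP</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="CustomIdP-OpenIdConnect">      <!-- placeholder Id -->
        <DisplayName>Custom IdP</DisplayName>
        <Protocol Name="OpenIdConnect" />
        <Metadata>
          <Item Key="METADATA">https://custom-idp.example/.well-known/openid-configuration</Item>
          <Item Key="client_id">PLACEHOLDER_CLIENT_ID</Item>
          <Item Key="response_types">code</Item>
          <Item Key="response_mode">form_post</Item>
          <Item Key="HttpBinding">POST</Item>
          <!-- openid profile plus the IdP-specific scope; keep it minimal, the token it yields ends up in the app's token -->
          <Item Key="scope">openid profile custom-session-scope</Item>
          <Item Key="UsePolicyInRedirectUri">false</Item>
        </Metadata>
        <CryptographicKeys>
          <Key Id="client_secret" StorageReferenceId="B2C_1A_CustomIdPSecret" />   <!-- placeholder container -->
        </CryptographicKeys>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
          <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
          <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
          <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="custom-idp.example" />
          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
          <!-- capture the IdP's access token; {oidc:access_token} is assumed for OpenIdConnect profiles -->
          <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oidc:access_token}" />
        </OutputClaims>
        <!-- add the same OutputClaimsTransformations and SM-SocialLogin session profile the starter pack's social IdP profiles use -->
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

<!-- SignUpOrSignin.xml, inside RelyingParty > TechnicalProfile Id="PolicyProfile" > OutputClaims: -->
<OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token" />
```

The technical profile still has to be wired into the user journey (ClaimsExchange and ClaimsProviderSelection steps) the same way the starter pack's social providers are; the app then reads the IdP token from the `idp_access_token` claim of the token B2C issues and should treat that token as a credential, not as plain profile data.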

The custom IdP token is passed as a claim to the client. Is it possible to pass the access_token beside the id_token like in a regular OAuth response, or as a bearer token in the Authorization header? The idea is that the client's app will use the OAuth/OpenID dialog without any need to read the claim and pull the access_token from it to use toward services protected by the custom IdP access token.

pzejer avatar Feb 15 '23 15:02 pzejer

Hi @pzejer, I'd recommend working closer with our support team via an [Azure support request](https://docs.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request). Thank you for your time and patience throughout this issue.

ManoharLakkoju-MSFT avatar Feb 16 '23 06:02 ManoharLakkoju-MSFT