19

What are ways to include custom claims (user subscriptions or roles list as example) in a token before issuing it in Azure AD B2C, provided that claims are stored somewhere on own server (not available in B2C)? Goal to have claims in the token to avoid additional round trip to the storage on every request.

Investigation on the topic brought me to following ways:

  1. Add custom attribute via Graph API, configure to include in JWT. Attribute values should be kept in sync with our datastorage.

  2. Custom Sign-In Policy like in this article https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-step-custom but if I got it right, additional Step 6 is a user journey to publicly available API in non restricted way (request not secured by secret, might be used to get user claims by presented UserId)?

  3. IdentityServer4 Federation gateway http://docs.identityserver.io/en/release/topics/federation_gateway.html that will allow to add any claims before issuing.

st1
  • 661
  • 1
  • 6
  • 12
  • **Yes**, you can add claims into the Azure AD B2C token with any of the ways you outlined. Is there some other underlying question here? – Saca Aug 31 '17 at 23:39
  • @Saca thank you for your response. I was interested is there other, maybe standard way or preferred way to add custom claims in issued token that I didn't notice? Option 2 looks as a good straightforward way, but here I'm worried is the call to /api/LookUpLoyaltyWebHook?code=MQu...w== in step 6 is b2c to api (server to server) or client (browser) to api? – st1 Sep 01 '17 at 08:45
  • 1
    That call is made by the Azure AD B2C service, **not** by the user's browser, so server-to-server. Your Azure function code won't be leaked to the end user. – Saca Sep 10 '17 at 20:36
  • Hi @st1 & @saca Could you please help me in adding claims like `groups` into ADB2C Token. I have tried the second step but seems like it is not working for me. Any help in this regard would be really appreciable. – Saurabh Srivastava Jul 17 '19 at 08:27

1 Answers1

27

The first two mechanisms you outlined are the most common and recommended ways to include custom claims in an Azure AD B2C issued token:

  1. Add a custom attribute and include it in the JWT. You can enable the custom attribute via the B2C UI or via the Graph API. You'd need to build your own mechanism to keep the value of this attribute in B2C in sync with your external source via the Graph API.

  2. You can use a custom policy to add a step in your authentication flow to call a Rest API to obtain the claim and include it in the token. This call to the Rest API will be performed by the Azure AD B2C service and NOT the user's browser, so it'll be a service-to-service call (versus a client-to-service call), keeping any secrets you use for authentication with your Rest API safe (such as a Azure function code).

Saca
  • 10,355
  • 1
  • 34
  • 47
  • 3
    As I understand if I want to go with option 1, I have to include this custom attributed to one of the user flows? I have a pretty similar case as the author of this thread, but I do not want to expose custom attributes in Sign-In and Sign-Up pages. I'd like to have custom fields managed by another service (I already did it with Graph API) and I want to include it into JWT token. – Anuar Nurmakanov Aug 06 '20 at 09:18