Claims based authorization token in Azure B2C and .Net Core 2.0

Question

I am building a ASP .Net Core 2.0 app and would like to know how to add the groups claim to my Azure B2C access token on my backend. I use the user's id to query MS Graph to get the user's group claim using ADAL and need the groups on the authorization token every time the user hits a controller. I would rather not query MS Graph every time a controller is hit.

Is it possible to add the groups claim to the B2C token after it is retrieved?

If not, should I store the groups as a Session variable?

If those aren't right, should I craft a second authorization token with the groups and then use that in my header when I send reqeusts?

Answer 1

You can in one of the OpenID Notifications (i.e. OnTokenValidated) and add user's groups(or roles ,but they are different ) to the ClaimsPrincipal. Something like :

options.Events = new OpenIdConnectEvents
{

    OnTokenValidated =  ctx =>
    {
        //query the user's groups using api 

        // add claims
        var claims = new List<Claim>
        {
            new Claim("groups", xxxx-xx-xx)
        };
        var appIdentity = new ClaimsIdentity(claims);

        ctx.Principal.AddIdentity(appIdentity);

        return Task.CompletedTask;
    },   
};

Below links are code sample with .net framework , you can modify to fit the .net core version :

Authorize By Group in Azure Active Directory B2C

Azure AD B2C - Role management

You can support adding group claims to b2c issued tokens by voting for it in the Azure AD B2C feedback forum: Get user membership groups in the claims with Azure AD B2C