
We are using Azure AD B2C with our application. We authorize user using the API

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?client_id=<client-id-uuid>
&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Findex.html
&scope=openid%20offline_access%20https%3A%2F%2F{tenant}.onmicrosoft.com%2F<client-id-uuid>%2FUser.all
&response_type=code&prompt=login

Using the above, we fetch the authorization_code.

This auth code is then used to authenticate the user with the application and fetch the access_token, refresh_token and id_token using

POST /{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token HTTP/1.1
Host: {tenant}.b2clogin.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=authorization_code&code={auth code received in previous step}
&scope=openid%20offline_access%20https%3A%2F%2F{tenant}.onmicrosoft.com%2F<client-id-uuid>%2FUser.all
&client_id={client id}&redirect_uri=localhost%253A4200%252Flogin.html%3A

After authentication the token is used for accessing various endpoints and Azure Functions. In the process we need user attributes like email, display_name, country, etc. that the user entered while signing up. Along with the default attributes we have some custom attributes like team_name which are specific to our web application's use case. These attributes change over time.

For e.g.: a person may switch teams, so we modify that user attribute using the Graph APIs. In that case the attribute team_name = 'Team ABC' now changes to team_name = 'Team XYZ'.

But after the attributes are changed, the new values are not reflected in the access_token / refresh_token or id_token. Is there a way we can get the refreshed values in the tokens without re-authorizing the user?

Currently we fetch the user attributes from the Graph APIs, but it's faster and more convenient if we get the refreshed values in the token.

Jas Suri - MSFT
Anshul Jain
  • Did you get a chance to look at this similar SO [question](https://stackoverflow.com/questions/60016498/azure-ad-b2c-how-to-propogate-new-user-claims-to-the-access-token) and let us know if it helps – Raghavendra beldona Aug 14 '20 at 16:46
  • @Raghavendra-MSFTIdentity yes it's exactly the same issue. The claims are not refreshed without asking the user to logout/login. I have custom claims which are updated post signup/login. I would want them to be updated in my access token as well – Anshul Jain Aug 15 '20 at 10:49
  • Thanks for letting us know. Let me check and get back to you – Raghavendra beldona Aug 20 '20 at 07:35
  • @Raghavendrabeldona may I know if this issue is resolved yet? – nullmicgo Jul 17 '23 at 22:56

3 Answers


Custom policy doesn't have a publicly documented mechanism to get new access token claims in the refresh token flow. So what you have observed is expected.

Raghavendra beldona
  • @raghvendra thanks. I want the latest values as I mentioned in the original question. It seems currently it's not supported and the values are refreshed only after logout. – Anshul Jain Aug 24 '20 at 10:16
  • Claim values in the access token do not refresh after expiry. They are only refreshed if I log out and fetch a fresh auth code – Anshul Jain Aug 24 '20 at 10:17
  • Hi @AnshulJain I have verified and updated my answer accordingly. Please let us know if it helps – Raghavendra beldona Sep 29 '20 at 13:35
  • Are there any plans to support this? Is there a uservoice for the idea? – tank104 Nov 25 '20 at 19:14
  • Hi @tank104 it seems it is on the roadmap; currently we can't provide a timeline. I hope another [SO question](https://stackoverflow.com/questions/60016498/azure-ad-b2c-how-to-propogate-new-user-claims-to-the-access-token) cleared your queries. Plans for the roadmap are also mentioned in the 2nd comment by Jas there. Thank you – Raghavendra beldona Nov 30 '20 at 17:40

As a somewhat workaround, we have found out that when refreshing the authentication via SSO cookie ("Web app session" in Azure B2C configuration portal), the claims are refreshed.

I think this basically amounts to "re-logging-in" but without a user-visible prompt. We are using the msal-browser library to do SSO login automatically for us (it uses a hidden iframe for that), but I think you could also do the same by hand.

You need to call the /authorize endpoint with all the usual query parameters, and also:

  • prompt=none must be set
  • one of sid (with account-id) or login_hint (with the username) must be set

Haven't done it myself manually, so I might still be missing something, but I think these should be the major things.

jhyot
  • Does that mean we need to help the user log in again behind the scenes, so that we can get the updated claims in the token? – nullmicgo Jul 17 '23 at 22:58
  • @nullmicgo Yes as far as I know this is the case, and we are still employing this technique in our application. It might be that with newer versions of user flows or custom policies this is not necessary anymore, but I don't know. – jhyot Jul 18 '23 at 14:36
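As an added example (my own code, not jhyot's and not MSAL's internals), here is the silent /authorize request the answer describes, plus a check of whether the id_token issued afterwards actually carries the updated claim. The tenant, policy, client id, redirect URI and the `extension_team_name` claim name used in the test are assumed placeholders.

```javascript
// Added example, not code from the answers above. Builds the silent re-auth
// /authorize request (prompt=none plus sid or login_hint) and diffs the claims
// of the old and new id_token. All identifiers below are placeholders.
const b2c = {
  tenant: "contoso",                                  // placeholder tenant
  policy: "B2C_1_signupsignin",                       // placeholder user flow
  clientId: "00000000-0000-0000-0000-000000000000",   // placeholder client id
  redirectUri: "http://localhost:4200/index.html",
  scopes: ["openid", "offline_access"],
};

// The usual authorize parameters plus prompt=none and exactly one session hint.
// With prompt=none B2C never shows UI: if the SSO session cannot be found it
// returns an error on the redirect, and the app must fall back to a full login.
function buildSilentAuthorizeUrl(cfg, hint, nonce, state) {
  const hints = ["sid", "loginHint"].filter((k) => hint[k]);
  if (hints.length !== 1) throw new Error("set exactly one of sid or loginHint");
  const url = new URL(`https://${cfg.tenant}.b2clogin.com/${cfg.tenant}` +
    `.onmicrosoft.com/${cfg.policy}/oauth2/v2.0/authorize`);
  const p = url.searchParams;
  p.set("client_id", cfg.clientId);
  p.set("response_type", "code");
  p.set("redirect_uri", cfg.redirectUri);
  p.set("scope", cfg.scopes.join(" "));
  p.set("nonce", nonce);     // compare with the nonce claim of the returned id_token
  p.set("state", state);     // compare on the redirect to reject forged callbacks
  p.set("prompt", "none");   // silent: the hidden iframe must never show UI
  if (hint.sid) p.set("sid", hint.sid); else p.set("login_hint", hint.loginHint);
  return url.toString();
}

// base64url helpers (atob/btoa are global in browsers and in Node 16+; ASCII payloads assumed).
const b64urlDecode = (s) => atob(s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "="));
const b64urlEncode = (s) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Reads the payload only; the signature is NOT verified, so this is for the
// client's own display logic, never for authorization decisions on a server.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(b64urlDecode(parts[1]));
}

// Lists the claims whose values differ between the pre- and post-refresh token,
// i.e. whether the silent re-auth actually picked up the Graph API update.
function changedClaims(oldJwt, newJwt, names) {
  const a = decodeJwtPayload(oldJwt), b = decodeJwtPayload(newJwt);
  return names.filter((n) => a[n] !== b[n]).map((n) => ({ claim: n, from: a[n], to: b[n] }));
}
```

If `changedClaims` reports no difference after a successful silent round trip, the update did not reach the token and the Graph API remains the source of truth for that attribute.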

If anyone is attempting this with MSAL js Angular, I was able to accomplish this with the ssoSilent method as referenced by this github issue: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/3639#issuecomment-847430498

I added a refreshUserClaims fn in my authService like so:

import { MsalService } from '@azure/msal-angular';
import { SilentRequest } from '@azure/msal-browser';
import { catchError, take } from 'rxjs/operators';

// The same scopes that were requested at login (from the question: openid, offline_access, the API scope).
const scopes: string[] = ['openid', 'offline_access'];

// Inside the auth service; this.msalService is the MsalService injected via the constructor.
refreshUserClaims() {
  const s: SilentRequest = {
    prompt: 'none',       // silent: fail with an error instead of showing a login UI
    scopes: scopes,
    forceRefresh: true,   // bypass the cached token so B2C issues one with the current claims
  };
  this.msalService
    .ssoSilent(s)
    .pipe(
      take(1),
      catchError((err) => {
        // silent SSO failed (e.g. no session): log out here as a method of gracefully failing.
        return this.msalService.logout();
      })
    )
    .subscribe({
      next: () => {
        // fn that adds the newly refreshed claims to my app data.
        this.setUserLoggedIn();
      },
    });
}
mcheah