
In my application I have the following scenario:

Users first register in the application using the SignUp-SignIn user flow, so at that point the user is created in Azure AD B2C. Then when the user starts to use the application I want to add some information to the user and retrieve it in the token during the next authorizations.

The information I want to add to the user is the following:

1- Identifier I use in my database to store data related to that created user

2- Some application role (e.g. customer, shop owner...) - here, it would be great if I could prevent users from making requests based on that role, but it is not a big deal to check it in the code after the request is executed

The idea I have is to use the Graph API and assign this data to a custom attribute on the users, so this data is always managed by the API and the user can't change it himself.

Then I am thinking whether mixing that approach with groups could also be an option, so that some requests will only be available for users that belong to some group.

What is the best approach to achieve my requirements?

Roesmi

1 Answer

The out-of-the-box AAD B2C SignUp-SignIn user flow does not expose any functionality related to Security Groups.

If you want to use group claims in B2C, you have to add some custom code through custom (IEF) policies. See this answer and this post.

In order to achieve your requirements, you could use the custom attribute which you have mentioned.

Please note that if you don't want the user to set the custom attribute themselves, you don't need to do the 3rd step under "Use a custom attribute in your user flow":

  1. Select User attributes and then select the custom attribute (for example, "ShoeSize"). Click Save.

After you create the custom attribute, you can Get the application properties and use the custom attribute with the MS Graph API.

Update the custom attribute for a user with Microsoft Graph:

PATCH https://graph.microsoft.com/v1.0/users/userID

{"extension_831374b3bd5041bfaa54263ec9e050fc_ShoeSize": "123"}

Then you can get the custom attribute claim in the token like this: "extension_ShoeSize": "123".

Allen Wu
  • There is actually a big limitation here, if I skip the step number 3 that you mention, I can set/get the custom attribute value using GraphApi but I can't get in the token if it's not in the user sign up – Roesmi Feb 04 '21 at 11:25
  • @Roesmi I have replied in your new post. – Allen Wu Feb 05 '21 at 05:22
  • Thanks @Allen Wu, your answer is correct, it is working properly. Thanks – Roesmi Feb 05 '21 at 14:39
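As an added example (not code from the question or the answer above), the following Python shows the two naming rules the answer relies on: in Graph the custom attribute is addressed as extension_{extensions-app id without dashes}_{Name}, while in the B2C token it arrives as extension_{Name}; it also shows the API-side check on a role attribute, the second requirement from the question. The app ID is the hyphenated form of the one in the answer, used here as a placeholder; the attribute name AppRole and the user ID are assumptions, and (as the comments note) the attribute must be selected as an application claim in the user flow before it appears in the token.

```python
import json
import re
from typing import Dict, Set, Tuple

# Placeholder: application (client) ID of the "b2c-extensions-app" that B2C
# creates in each tenant. Hyphenated form of the ID used in the answer above.
B2C_EXTENSIONS_APP_ID = "831374b3-bd50-41bf-aa54-263ec9e050fc"

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"


def extension_attribute_name(app_id: str, attribute: str) -> str:
    """Graph name of a B2C custom attribute: extension_<appId no dashes>_<Name>."""
    # B2C custom attribute names are alphanumeric; reject anything else early
    # so a bad name never reaches the PATCH body.
    if not re.fullmatch(r"[A-Za-z0-9]+", attribute):
        raise ValueError("custom attribute names must be alphanumeric")
    return f"extension_{app_id.replace('-', '')}_{attribute}"


def build_patch(app_id: str, user_id: str, attributes: Dict[str, str]) -> Tuple[str, str]:
    """Return (URL, JSON body) of the Graph PATCH that sets custom attributes.

    This runs on the API side with an app-only Graph token; the client never
    gets write access, which is what keeps the values out of the user's hands.
    """
    body = {extension_attribute_name(app_id, k): v for k, v in attributes.items()}
    return f"{GRAPH_USERS}/{user_id}", json.dumps(body)


def token_claim_name(attribute: str) -> str:
    """The same attribute is emitted in the B2C token as extension_<Name>."""
    return f"extension_{attribute}"


def require_role(claims: Dict[str, str], allowed: Set[str]) -> bool:
    """API-side authorization: decide only from the role claim of the validated token.

    Assumes a custom attribute named AppRole (hypothetical) holds the role.
    A missing claim is treated as no role, so unknown users are denied.
    """
    return claims.get(token_claim_name("AppRole")) in allowed


if __name__ == "__main__":
    url, body = build_patch(B2C_EXTENSIONS_APP_ID, "userID", {"AppRole": "shopowner"})
    print("PATCH", url)
    print(body)
    # Constructed claim set as it would appear after token validation.
    print(require_role({"extension_AppRole": "shopowner"}, {"shopowner"}))
```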