
I am trying to use claim resolver to capture query string param and use it as claim in access token: https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview#oauth2-key-value-parameters

By doing everything according to documentation, I'm able to get the value passed to authorize endpoint in query string, but only in the ID Token. Later when I call token endpoint for access token, the same claim resolver doesn't work, even if I include custom param in query string for token endpoint.

Is there any way to make it work for access token or the claim resolvers are working for ID tokens only?

Thanks!

marcin93w
  • Are you using implicit flow? – Jas Suri - MSFT Dec 25 '22 at 01:15
  • No, I'm using code flow, would it work in implicit flow? – marcin93w Dec 26 '22 at 07:57
  • I ask because the access token should always match the claims of the id token, unless you use implicit (where there are some exceptions). Maybe you are passing a different query param value in /token call compared to /authorize and want that to reflect in the new access token? – Jas Suri - MSFT Dec 29 '22 at 10:18
  • You're right! Claims in access token always have values from params passed to the /authorize. Whatever I pass to /token endpoint is ignored, which is fine for me, I can just call /authorize again every time I want to change the claim value and leave /token without any params. What confused me in my investigation was MSAL.js library, because it caches access tokens. So when I was calling /authorize again with new param value, access token stayed in cache with claims values from initial /authorize call. Thanks for your help! – marcin93w Dec 29 '22 at 11:42

1 Answer


Scenario: capture query string parameters using a Claims Resolver.

If you have captured ?queryname=queryvalue as the query string parameter, that could be resolved via the {OAUTH-KV:queryname} claims resolver.

In your relying party's output claims, you could then refer to a claim and the value like this:

<OutputClaim ClaimTypeReferenceId="customClaimId" AlwaysUseDefaultValue="true" DefaultValue="{OAUTH-KV:queryname}" />

You would just need a Claim definition for customClaimId.

<UserJourneyBehaviors>
  <ContentDefinitionParameters>
    <!-- Forwards the captured query string value to the content definition (page UI) -->
    <Parameter Name="Value">{OAUTH-KV:queryname}</Parameter>
  </ContentDefinitionParameters>
  <ScriptExecution>Allow</ScriptExecution>
</UserJourneyBehaviors>

Or you can send hard-coded values as the query string parameter:

  <RelyingParty>
    <DefaultUserJourney ReferenceId="MyUserJourney" />
    <UserJourneyBehaviors>
      <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="{Settings:AppInsightsKey}" DeveloperMode="true" ClientEnabled="true" ServerEnabled="true" TelemetryVersion="1.0.0" />
      <ScriptExecution>Allow</ScriptExecution>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      …
      <OutputClaims>
        <!-- Hard-coded placeholder value for the subject claim -->
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" AlwaysUseDefaultValue="true" DefaultValue="4545xxxx" />
        <!-- The key after OAUTH-KV: must match the query parameter name sent on the request (value=somefoo in the call below) -->
        <OutputClaim ClaimTypeReferenceId="value" DefaultValue="{OAUTH-KV:value}" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>

And then call the token endpoint like below, as said by @JasSuri in "AzureB2C - Client credentials and query parameters in a custom policy" on Stack Overflow:

https://{tenant name}.b2clogin.com/{tenantname}.onmicrosoft.com/B2C_1A_/oauth2/v2.0/token?grant_type=client_credentials&client_id=&client_secret=<client_secret>&scope=https://{tenant}.onmicrosoft.com/api/.default&value=somefoo

Also check "Azure B2C - Accept query params into OAuth2 JWT" on Stack Overflow.

kavyaS
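The following is an added example for the client-side situation described in the question's comments and in the answer above; it is not code from the question, the answer, or Microsoft. It shows how to tell whether the access token MSAL.js hands back from its cache still carries the claim value that was captured from the /authorize query string, and, if not, how to go back through /authorize with the new value (a silent refresh cannot change it, because the /token call ignores the extra parameter in the code flow). Assumptions: the policy maps {OAUTH-KV:queryname} to an output claim that appears in the token as customClaimId (names taken from the answer; the real claim name is whatever PartnerClaimType your policy sets), the MSAL.js v2 PublicClientApplication is supplied by the caller, and the sample token is constructed and unsigned so the file runs offline.

```javascript
// Added example (not code from the question or answer). Client-side check
// for a stale cached access token after the /authorize query parameter
// value has changed. Assumptions: the policy exposes the captured value as
// the claim "customClaimId" (name taken from the answer; depends on your
// PartnerClaimType), and an MSAL.js v2 PublicClientApplication is passed in.

// Decode a JWT payload without checking the signature. This is only for the
// client to look at its own cached token; the API that receives the token
// must still validate signature, issuer, audience and expiry.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// True when the cached token lacks the claim or carries a different value
// from the one the app now wants. /token ignores extra query parameters in
// the code flow, so a silent refresh (even with forceRefresh: true) cannot
// change the value; only a new /authorize round trip can.
function needsReauthorize(accessToken, claimName, wantedValue) {
  const payload = decodeJwtPayload(accessToken);
  return payload[claimName] !== wantedValue;
}

// Build the interactive MSAL request. extraQueryParameters are appended to
// the /authorize URL, which is where the {OAUTH-KV:...} resolver reads them.
function buildInteractiveRequest(scopes, paramName, value) {
  return { scopes, extraQueryParameters: { [paramName]: value } };
}

// Glue for MSAL.js v2. acquireTokenSilent returns the cached token first,
// which is exactly what hid the stale claim value in the question.
async function getTokenWithClaim(msal, account, scopes, paramName, claimName, value) {
  const silent = await msal.acquireTokenSilent({ scopes, account });
  if (!needsReauthorize(silent.accessToken, claimName, value)) {
    return silent.accessToken;
  }
  // Cached token carries the old value: go back through /authorize.
  await msal.acquireTokenRedirect(buildInteractiveRequest(scopes, paramName, value));
  return null; // browser navigates away; handleRedirectPromise() resumes later
}

// Constructed, unsigned sample token (alg "none", empty signature) so the
// file runs offline. Never accept such a token server-side.
function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function makeSampleToken(claims) {
  return `${base64url({ alg: 'none', typ: 'JWT' })}.${base64url(claims)}.`;
}
const SAMPLE_TOKEN = makeSampleToken({ sub: '4545xxxx', customClaimId: 'initial' });

console.log(needsReauthorize(SAMPLE_TOKEN, 'customClaimId', 'initial')); // false
console.log(needsReauthorize(SAMPLE_TOKEN, 'customClaimId', 'updated')); // true
```

Two caveats for anyone relying on this claim: the value in the token is copied from whatever the client put on its own /authorize request, so the API should treat it as client-asserted data and never as an authorization input; and decoding the token in the browser is only for cache bookkeeping, since the resource server must still verify the signature before trusting any claim.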