
Background

I have two applications registered in Azure, one is a web-based client and the other is a web-based service. The setup is similar to the example found here: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi

The user logs in to the client via Azure B2C, and then the client queries against the service, authenticated via Azure B2C, to obtain its data.

The Problem

The service is not receiving the expected claims in the bearer token.

Specifics

Azure B2C says that the claims you select for a given policy will be included in "a token", which I assumed would be the bearer token. Below is a screen capture of some of the claims I have selected. [screenshot: claims for my signup-or-signin policy]

However, on the service when I extract the claims from the bearer token, I get none of the promised claims. Instead, I get the claims shown below. [screenshot: actual claims received]

I am using UseOAuthBearerAuthentication identical to the example provided by Microsoft on GitHub (linked above).

Am I missing something? How do I get the claims that B2C promises?


1 Answer


Application Claims are included in the id_token, not the access_token (aka bearer token).

This means that the Select application claims will allow your client application (native app or web app) to access these custom claims.

If you want to access custom claims from your back-end service, you'll need to call the Azure AD Graph using the client credentials flow and call the user endpoint like so:

https://graph.windows.net/<yourtenant.onmicrosoft.com>/users/<userId>

And retrieve the property with the following format:

extension_<b2c-extensions-app_appId>_<customAttributeName>

For example:

extension_e5bf5a2db0c9415cb62661a70d8f0a68_MyCustomAttribute

You can obtain the id of your B2C tenant's b2c-extensions-app via the Graph as well:

https://graph.windows.net/<yourtenant.onmicrosoft.com>/applications?$filter=displayName eq 'b2c-extensions-app'

See this post for more info: Moving Azure AD B2C custom user attributes across new environments
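A worked example in Python of the lookup the answer describes: building the client-credentials token request for the Graph, the two Graph URLs, the extension property name, and pulling custom attributes out of a user record. This is added here and is not code from the answer or the linked sample; the login.microsoftonline.com token endpoint and the api-version=1.6 query parameter are not on the page, and the JSON responses are constructed sample data (the appId reuses the answer's example value with hyphens inserted).

```python
import json
from urllib.parse import quote, urlencode

GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"  # Azure AD Graph API version; assumed, not stated in the answer

def token_request(tenant, client_id, client_secret):
    """URL and form body for the client-credentials grant (service-to-Graph, no user)."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": GRAPH,  # audience must be the Graph, not the B2C web API
    })
    return url, body

def user_url(tenant, user_id):
    return f"{GRAPH}/{tenant}/users/{quote(user_id)}?api-version={API_VERSION}"

def extensions_app_url(tenant):
    query = urlencode({"$filter": "displayName eq 'b2c-extensions-app'",
                       "api-version": API_VERSION})
    return f"{GRAPH}/{tenant}/applications?{query}"

def extension_property(app_id, attribute):
    # Graph stores custom attributes as extension_<appId without hyphens>_<name>
    return f"extension_{app_id.replace('-', '')}_{attribute}"

def extensions_app_id(applications_json):
    """Pick the b2c-extensions-app appId out of the /applications response."""
    for app in json.loads(applications_json).get("value", []):
        if app.get("displayName") == "b2c-extensions-app":
            return app["appId"]
    raise LookupError("b2c-extensions-app not found in tenant")

def custom_attributes(user_json, app_id):
    """Return {attributeName: value} for every extension property on the user."""
    prefix = extension_property(app_id, "")
    return {k[len(prefix):]: v for k, v in json.loads(user_json).items()
            if k.startswith(prefix)}

# Constructed sample responses (not captured from a real tenant)
APPS_RESPONSE = json.dumps({"value": [
    {"displayName": "my-web-api", "appId": "11111111-2222-3333-4444-555555555555"},
    {"displayName": "b2c-extensions-app", "appId": "e5bf5a2d-b0c9-415c-b626-61a70d8f0a68"},
]})
USER_RESPONSE = json.dumps({
    "objectId": "00000000-0000-0000-0000-000000000001", "displayName": "Jane Doe",
    "extension_e5bf5a2db0c9415cb62661a70d8f0a68_MyCustomAttribute": "gold",
    "extension_e5bf5a2db0c9415cb62661a70d8f0a68_LoyaltyNumber": "12345",
})
```

The service would POST the token body, then GET `extensions_app_url` once (the appId is stable per tenant, so cache it) and `user_url` per request, feeding the responses to `extensions_app_id` and `custom_attributes`.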