5
votes

I have successfully created an AAD B2C custom policy which makes a call to my application.

Similar to what can be found here:

Integrate REST API claims exchanges in your Azure AD B2C user journey as validation on user input

and here:

Secure your RESTful services using client certificates

<ClaimsProvider>
    <DisplayName>XYZ API</DisplayName>
    <TechnicalProfiles>
        <TechnicalProfile Id="XYZ">
            <DisplayName>XYZ</DisplayName>
            <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
            <Metadata>
                <Item Key="ServiceUrl">https://example.com/api/1.0/Users</Item>
                <Item Key="AuthenticationType">ClientCertificate</Item>
                <Item Key="SendClaimsIn">Body</Item>
            </Metadata>
            <CryptographicKeys>
                <Key Id="ClientCertificate" StorageReferenceId="B2C_1A_XYZRestClientCertificate" />
            </CryptographicKeys>
            <InputClaims>
                <InputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
                <InputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname" />
                <InputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName" />
                <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId" />
                <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
                <InputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="otherMails" />
            </InputClaims>
            <OutputClaims>
            </OutputClaims>
            <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
        </TechnicalProfile>
    </TechnicalProfiles>
</ClaimsProvider>

Our app likes to use custom HTTP headers to track some information about the caller, such as a transaction id. Is it possible to add HTTP headers similar to claims? Something maybe like:

<InputHeaders>
    <InputHeader ClaimTypeReferenceId="objectId" HeaderName="transactionId" />
    <InputHeader Value="AzureB2C" HeaderName="callerName" />
</InputHeaders>
1
The ability to send a custom HTTP header would also be useful to send a User-Agent header in order to avoid being rejected by the Web Application Firewall (WAF) rule that requires a User-Agent header. - Toby Artisan

1 Answer

2
votes

Right now, it is not possible to split some claims between various places (e.g. body, headers, query string). I suggest you add a request for this feature at the Azure feedback portal for Azure Active Directory.
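
Given the limitation described in this answer, the receiving API can derive its tracking values from the JSON claims body when the headers are absent. The sketch below is an added example, not part of the original answer or of any Microsoft sample; `tracking_context`, the fallback of `transactionId` to the `objectId` claim, the `AzureB2C` default and the token pattern are assumptions modelled on the mapping the question wished for.

```python
import json
import re

# Tracking header names the application expects, as named in the question.
TRANSACTION_HEADER = "transactionId"
CALLER_HEADER = "callerName"
# Assumption: label used when no callerName header arrives. It is a tracking
# label only; the client certificate is what authenticates the caller.
DEFAULT_CALLER = "AzureB2C"
# Assumption: tracking values are short tokens; anything else is rejected so
# it cannot carry line breaks or control characters into logs.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9._-]{1,64}")


def tracking_context(headers, body):
    """Return (transaction_id, caller_name) for one request (headers: dict, body: bytes)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    transaction_id = lowered.get(TRANSACTION_HEADER.lower())
    caller = lowered.get(CALLER_HEADER.lower(), DEFAULT_CALLER)
    if transaction_id is None:
        # No header present: fall back to the objectId claim in the JSON body.
        try:
            claims = json.loads(body.decode("utf-8"))
        except ValueError as exc:  # covers bad UTF-8 and bad JSON
            raise ValueError("body is not valid JSON claims") from exc
        if not isinstance(claims, dict):
            raise ValueError("claims body must be a JSON object")
        transaction_id = claims.get("objectId")
    for name, value in (("transactionId", transaction_id), ("callerName", caller)):
        if not isinstance(value, str) or not SAFE_TOKEN.fullmatch(value):
            raise ValueError(f"missing or malformed {name}")
    return transaction_id, caller


# Constructed sample body using the claim names from the policy in the question.
SAMPLE_BODY = json.dumps({
    "givenName": "Ada", "surname": "Example", "displayName": "Ada Example",
    "objectId": "00000000-0000-0000-0000-000000000001",
    "email": "ada@example.com", "otherMails": ["ada@example.org"],
}).encode("utf-8")

if __name__ == "__main__":
    print(tracking_context({"Content-Type": "application/json"}, SAMPLE_BODY))
```

Callers that do send the headers keep working unchanged, because header values take precedence over the body fallback.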