2
votes

I am having some issues getting claims from an OpenID Connect provider with an Azure AD B2C custom policy.

My OIDC provider does not return any claims in the id_token, it has a separate endpoint for claims called userInfo_endpoint where you send a GET request with Bearer authentication and the access_token to get user claims in json format. I understand this is pretty standard OIDC functionality.

Most examples I see use the ClaimsEndpoint to get claims and it seems to me the claims are added to the user as part of the signin_signup user journey.

Everything up to this point works as expected, testClaim is returned from b2c as part of the id_token, but no other claims are set. I have Application Insights set up for the policy, but the endpoint /userinfo is never called by B2C, and I see no trace of it in the logs. Are OIDC /userinfo endpoints even supported?

Below is my claims provider section.

<ClaimsProvider>
  <DisplayName>Provider</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="provider-oidc">
      <DisplayName>Providerprofile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="client_id">preprod-provider</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="response_types">code</Item>
        <Item Key="METADATA">https://preprod.provider.com/oidc/.well-known/openid-configuration</Item>
        <Item Key="ProviderName">https://preprod.provider.com/oidc</Item>

        <Item Key="state">123abc</Item>
        <Item Key="HttpBinding">POST</Item>

        <Item Key="UsePolicyInRedirectUri">true</Item>
        <Item Key="authorization_endpoint">https://preprod.provider.com/oidc/authorize</Item>
        <Item Key="token_endpoint">https://preprod.provider.com/oidc/token</Item>
        <Item Key="ClaimsEndpoint">https://preprod.provider.com/oidc/userinfo</Item>
        <Item Key="ClaimsEndpointAccessTokenName">oauth2_access_token</Item>
        <Item Key="ClaimsResponseFormat">json</Item>

        <!--Item Key="userinfo_endpoint">https://preprod.provider.com/oidc/userinfo</Item-->
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ProviderClientSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="providerAuthentication" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="provider" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="testClaim" DefaultValue="testValue" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

3 Answers

1
votes

Azure AD B2C does not support the userinfo_endpoint. You can request this feature in the Azure AD B2C feedback forum.

There are two workarounds for this:

  • At the application level - add code that, after obtaining the id_token, calls out to this userinfo_endpoint to obtain those extra claims and add them to the token for the rest of the application to leverage
  • At the B2C custom policy level - add a callout to a Rest API to retrieve the extra claims and add them in the token. Note that you won't be able to call the userinfo_endpoint, rather you'll need to write an in-between service that transforms the REST call from B2C (which doesn't yet support sending an Authorization: Bearer X header) into a call to your userinfo_endpoint or to the underlying user store with the extra claims.
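The in-between service from the second workaround, as an added example in Python (not code from the question or either answer): it takes the JSON body a B2C RESTful callout posts, turns the token in it into a standard Bearer-authenticated userinfo request, and returns the claims as the flat JSON object B2C expects. The body keys `oauth2_access_token` and `socialIdpUserId`, the claim mapping and the userinfo URL are assumptions; the check that the userinfo `sub` matches the id_token `sub` is the one OIDC Core requires of every client.

```python
import json
import urllib.request

# Assumed mapping from OIDC userinfo fields to the B2C claim type ids used in the question.
CLAIM_MAP = {"name": "displayName", "given_name": "givenName", "family_name": "surName"}


def build_userinfo_request(userinfo_url, access_token):
    """Standard OIDC userinfo GET: the token travels in an RFC 6750 Bearer header."""
    return urllib.request.Request(
        userinfo_url,
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )


def fetch_userinfo(userinfo_url, access_token):
    """Real network fetch; the tests inject a fake in its place."""
    with urllib.request.urlopen(build_userinfo_request(userinfo_url, access_token), timeout=5) as resp:
        return json.load(resp)


def b2c_error(status, message):
    """Error shape a B2C RESTful technical profile understands (shown to the user as userMessage)."""
    return {"version": "1.0.0", "status": status, "userMessage": message}


def handle_b2c_callout(body, userinfo_url, fetch=fetch_userinfo):
    """body: dict B2C sends with SendClaimsIn=Body. Assumed keys: the access token under
    'oauth2_access_token' and the id_token subject under 'socialIdpUserId'.
    Returns either B2C output claims (top-level JSON properties) or a B2C error object."""
    token = body.get("oauth2_access_token")
    if not token:
        return b2c_error(409, "access token missing from callout")
    try:
        info = fetch(userinfo_url, token)
    except (OSError, ValueError):  # URLError is an OSError; bad JSON is a ValueError
        return b2c_error(409, "userinfo call failed")
    # OIDC Core 5.3.2: a userinfo response whose sub differs from the id_token sub must be rejected,
    # otherwise claims for one account could be attached to another user's session.
    if info.get("sub") != body.get("socialIdpUserId"):
        return b2c_error(409, "userinfo sub does not match id_token sub")
    # Only forward the mapped claims; unmapped fields (e.g. email) never reach the token.
    return {b2c_name: info[oidc_name] for oidc_name, b2c_name in CLAIM_MAP.items() if oidc_name in info}
```

Wire `handle_b2c_callout` behind whatever HTTP framework you host the service in, and protect that endpoint with the Basic or client-certificate authentication the B2C RESTful profile does support.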
0
votes

While the OpenIdConnect Technical Profile doesn't seem to support a userinfo endpoint, you should be able to use the OAuth2 Technical Profile together with the ClaimsEndpoint to get claims from the userinfo endpoint.

0
votes

The user_info endpoint is now supported in ADB2C. Please see https://docs.microsoft.com/en-us/azure/active-directory-b2c/userinfo-endpoint?pivots=b2c-custom-policy for more information.