Get the Azure AD B2C scope in the custom policy

3
votes

I try to create a custom policy and I want to get some claims and send its to my REST API. My API is called with email, givenName, etc... but claims passed by query string like client_id, resource_id and mostly scope are empty.

I found a workaround to get the client_id here : Get the Azure AD B2C Application client id in the custom policy

But I found nothing about the scope.

Here my claims provider for REST API : 

<ClaimsProvider>
    <DisplayName>REST API</DisplayName>
    <TechnicalProfiles>
        <TechnicalProfile Id="AzureFunction-SendClaims">
            <DisplayName>Send Claims</DisplayName>
            <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
            <Metadata>
                <Item Key="ServiceUrl">https://XXXX.azurewebsites.net/api/XXXX</Item>
                <Item Key="AuthenticationType">None</Item>
                <Item Key="SendClaimsIn">Body</Item>
            </Metadata>
            <InputClaims>
                <InputClaim ClaimTypeReferenceId="givenName"/>
                <InputClaim ClaimTypeReferenceId="client_id" PartnerClaimType="clientId" DefaultValue="{OIDC:ClientId}"/>
                <InputClaim ClaimTypeReferenceId="resource_id"/>
                <InputClaim ClaimTypeReferenceId="email"/>
                <InputClaim ClaimTypeReferenceId="otherMails"/>
                <InputClaim ClaimTypeReferenceId="grant_type"/>
                <InputClaim ClaimTypeReferenceId="scope"/>
            </InputClaims>
        </TechnicalProfile>
    </TechnicalProfiles>
</ClaimsProvider>
3
azureazure-ad-b2c

3 Answers

1
votes

The Scope claim has been added to the OpenId connect claims resolver:

<InputClaim ClaimTypeReferenceId="Scope" DefaultValue="{OIDC:Scope}"/>

I have used it and it works but it has not been added to the documentation on OpenID Connect-specific claims

0
votes

I don't think there is a way to get the scopes. You can see a list of claims and properties that are available to access from within the B2C policy here

0
votes

In your custom policy, feel free and safe to send the variables in a plain way. The context of passing a scope is when you're calling a REST API from a user session, so you must request a custom policy token.

You can do it in two ways, by using the MSAL library (I prefer this): https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-api-call-api-acquire-token?tabs=aspnetcore

Or , by calling the custom policy directly and in the string query in the scope section i.e.

scope=openid profile offline_access https://yourtenant.onmicrosoft.com/demoapi/demo.read https://kytos.onmicrosoft.com/demoapi/demo.write

don't forget the html encode scope=openid%20profile%20offline_access%20https%3A%2F....