Resource owner password credentials flow - modify claims

1
votes

The resource owner password credentials flow is now available in preview for Azure B2C:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc

However, I would like to tinker with the claims (specifically: get the username as "email" claim). I tried just calling my existing custom policies in IEF with the flow from the documentation, but they did not like that (unsuprisingly)

AADB2C: An exception has occurred.

Is there a way to influence the claims in this flow?

Update When implementing Chris' answer I got this error:

Unable to upload policy. Reason : Validation failed: 1 validation error(s) found in policy "B2C_1A_ROPC" of tenant "xxx.onmicrosoft.com".Claim type "email" is the output claim of the relying party's technical profile, but it is not an output claim in any of the steps of user journey "SignIn-ROPC".

I posted an experimental solution as a separate answer.

2
azureazure-ad-b2cidentity-experience-framework

2 Answers

2
votes

You have to implement the ROPC flow in a custom policy in order to issue the "email" claim in the ID token.

To implement the ROPC flow in a custom policy:

1: Add the DefaultValue attribute to each of the "signInName" and "password" <InputClaim /> elements in the login-NonInteractive technical profile:

<TechnicalProfile Id="login-NonInteractive">
  <DisplayName>Local Account SignIn</DisplayName>
  <Protocol Name="OpenIdConnect" />
  ...
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" DefaultValue="{OIDC:Username}" />
    <InputClaim ClaimTypeReferenceId="password" Required="true" DefaultValue="{OIDC:Password}" />
    ...
  </InputClaims>
  ...
</TechnicalProfile>

2: Create a "ROPC" user journey:

<UserJourney Id="SignIn-ROPC">
  <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="LoginNonInteractiveExchange" TechnicalProfileReferenceId="login-NonInteractive" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>

3: Create a "ROPC" relying party technical profile:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignIn-ROPC" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
      <OutputClaim ClaimTypeReferenceId="email" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
2
votes

This is the full policy I got to work using Chris' helpful answer. I would consider it experimental since I don't understand the claims flow fully, but it works pretty well.

<ClaimsProviders>
    <ClaimsProvider>
        <DisplayName>Override some profiles</DisplayName>
        <TechnicalProfiles>
            <TechnicalProfile Id="login-NonInteractive">
                <DisplayName>Local Account SignIn</DisplayName>
                <Protocol Name="OpenIdConnect" />
                <InputClaims>
                    <InputClaim ClaimTypeReferenceId="signInName" 
                        PartnerClaimType="username" 
                        Required="true" 
                        DefaultValue="{OIDC:Username}" />
                    <InputClaim ClaimTypeReferenceId="password" 
                        Required="true" 
                        DefaultValue="{OIDC:Password}" />
                </InputClaims>
            </TechnicalProfile>
            <TechnicalProfile Id="AAD-UserReadUsingObjectId">
                <OutputClaims>
                    <!-- This user journey does not have any other step that provides this -->
                    <OutputClaim ClaimTypeReferenceId="signInName" />
                </OutputClaims>
            </TechnicalProfile>
        </TechnicalProfiles>
    </ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
    <UserJourney Id="SignIn-ROPC">
        <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
        <OrchestrationSteps>
            <OrchestrationStep Order="1" 
                Type="ClaimsExchange">
                <ClaimsExchanges>
                    <ClaimsExchange Id="LoginNonInteractiveExchange" 
                        TechnicalProfileReferenceId="login-NonInteractive" />
                </ClaimsExchanges>
            </OrchestrationStep>
            <OrchestrationStep Order="2" 
                Type="ClaimsExchange">
                <ClaimsExchanges>
                    <ClaimsExchange Id="AADUserReadWithObjectId" 
                        TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
                </ClaimsExchanges>
            </OrchestrationStep>
            <OrchestrationStep Order="3" 
                Type="SendClaims" 
                CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
        </OrchestrationSteps>
    </UserJourney>
</UserJourneys>
<RelyingParty>
    <DefaultUserJourney ReferenceId="SignIn-ROPC" />
    <TechnicalProfile Id="PolicyProfile">
        <DisplayName>PolicyProfile</DisplayName>
        <Protocol Name="OpenIdConnect" />
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" 
                PartnerClaimType="sub"/>
            <!-- This works for accounts that were created via the azure portal -->
            <OutputClaim ClaimTypeReferenceId="signInName" 
                PartnerClaimType="email" />
            <!-- This works for accounts that signed up themselves -->
            <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" 
                PartnerClaimType="email" />
        </OutputClaims>
        <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
</RelyingParty>