0 votes

All,

I'm using Azure AD B2C with custom IEF policies. Both the SignIn and SignUp Policies return the same claims.

My policies are named B2C_1A_SignIn and B2C_1A_SignUp.

If I'm doing the sign-up flow, the context.User that ends up on the Web API side has no email claim. If I'm doing the sign-in flow, it has the email claim.

I've looked at all of the tokens in sessionStorage on the client side after a sign-up, and EVERY SINGLE JWT TOKEN there has the email claim in it.

The contents of a JWT token on the client side after sign-up are shown below:

    {
      "exp": 1565283437,
      "nbf": 1565279837,
      "ver": "1.0",
      "iss": "https://**redacted**/654015a2-3419-4a3b-ac9e-84f39d106b2d/v2.0/",
      "sub": "d0d27e7a-1e82-4d77-b80d-e5462bc7ee93",
      "aud": "10896880-da14-4057-827b-886cfb847581",
      "acr": "b2c_1a_signup",
      "nonce": "08f7ed0c-8106-48ad-99f0-5891f2c22a2f",
      "iat": 1565279837,
      "auth_time": 1565279837,
      "given_name": "Michael",
      "family_name": "Gerety",
      "email": "michael@**redacted**",
      "tid": "654015a2-3419-4a3b-ac9e-84f39d106b2d"
    }

Below is an instance of a JWT ID token after the sign-in flow:

    {
      "exp": 1565284448,
      "nbf": 1565280848,
      "ver": "1.0",
      "iss": "https://*redacted*.b2clogin.com/654015a2-3419-4a3b-ac9e-84f39d106b2d/v2.0/",
      "sub": "d0d27e7a-1e82-4d77-b80d-e5462bc7ee93",
      "aud": "10896880-da14-4057-827b-886cfb847581",
      "acr": "b2c_1a_signin",
      "nonce": "1fd749b2-bdbd-4491-a98e-b42dc5949e40",
      "iat": 1565280848,
      "auth_time": 1565280848,
      "signInName": "michael@*redacted*",
      "given_name": "Michael",
      "family_name": "Gerety",
      "tid": "654015a2-3419-4a3b-ac9e-84f39d106b2d"
    }

Interestingly enough, the signInName claim seems to come through in the sign-in flow. That claim does not exist in the sign-up flow.

On the server side, the JWT bearer handler is configured as below:

    .AddJwtBearer(jwtOptions =>
    {
        // OpenID Connect metadata endpoint of the SignIn policy; the issuer and
        // signing keys used to validate incoming tokens are discovered from here.
        jwtOptions.Authority = $"https://**redacted**.b2clogin.com/{Configuration["B2CTenant"]}/{Configuration["B2CSignInPolicyTest"]}/v2.0";
        // Expected "aud" claim: the API's own application (client) id.
        jwtOptions.Audience = Configuration["B2CBuilderPortalAPIClientId"];
        jwtOptions.Events = new JwtBearerEvents
        {
            // Besides the Authorization header, also accept the token from an
            // ?accessToken= query parameter on GET requests.
            OnMessageReceived = ctx =>
            {
                if (ctx.Request.Method.Equals("GET") && ctx.Request.Query.ContainsKey("accessToken"))
                    ctx.Token = ctx.Request.Query["accessToken"];
                return Task.CompletedTask;
            },
            // Custom handler invoked when token validation fails.
            OnAuthenticationFailed = AuthenticationFailed
        };
    });

Any Suggestions?


1 Answer

1 vote

It is because during sign-in the claim is named signInName in the OutputClaims of the sign-in technical profile, not email as in the sign-up technical profile. So the email is captured, just held under a different claim name.

You can put this in the RelyingParty OutputClaims section to map signInName to a different claim name (email) when it is issued in the JWT:

    <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email"/>
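For context, here is where that line sits in a complete relying-party file for the B2C_1A_SignIn policy. This is an added example, not the answerer's file and not the Microsoft starter pack; the tenant name yourtenant.onmicrosoft.com, the base policy B2C_1A_TrustFrameworkExtensions, the user journey ReferenceId "SignIn" and the technical profile Id "PolicyProfile" are assumptions that follow the usual starter-pack layout and need to match your own extensions file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example relying-party file for the B2C_1A_SignIn policy.
     Assumed (not from the thread): tenant yourtenant.onmicrosoft.com, base policy
     B2C_1A_TrustFrameworkExtensions, user journey "SignIn", profile Id "PolicyProfile". -->
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="yourtenant.onmicrosoft.com"
  PolicyId="B2C_1A_SignIn"
  PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_SignIn">

  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <!-- The sign-in technical profile outputs the address the user signed in
             with as the claim type "signInName". PartnerClaimType renames it in
             the issued token, so this policy emits "email" like the sign-up one. -->
        <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email" />
        <!-- givenName/surname map to given_name/family_name via the claim types'
             default OpenIdConnect partner claim names, as seen in the tokens above. -->
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <!-- Stable user identifier: the directory objectId, issued as "sub". -->
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true"
                     DefaultValue="{Policy:TenantObjectId}" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
```

After uploading the policy, run the sign-in flow once more and decode the new id_token: the signInName entry should be gone and an email entry should appear alongside the same sub as before. Note that the two tokens in the question already agree on sub, so the API's per-user authorization should key on that claim; email, whichever policy emits it, is best treated as profile data rather than as the identifier.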