1
votes

I have an Angular Application which is authenticated using AAD B2C. This talks to a .Net Core API using an access token.

My problem is that I am not receiving a User Principal Name (upn) in my access token.

I have been adding additional "Application claims" like "Given name" and "Surname" and these appear in my access token just fine! Therefore, I believe that my scopes (openid, profile, email) are set correctly and that this in theory is working.

I believe since I am using version 1.0 of the token, that I do not need to configure any additional claims in my application manifest. My user is a standard AD user, not a guest.

The following document states that the upn claim should be included in the v1.0 tokens: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

What am I doing wrong?!

Decoded Access Token:

{
  "iss": "https://(my-tenant-name).b2clogin.com/(guid)/v2.0/",
  "exp": (number),
  "nbf": (number),
  "aud": "(guid)",
  "oid": "(guid)",
  "sub": "(guid)",
  "name": "My Name",
  "given_name": "Given name",
  "family_name": "Surname",
  "country": "Norge",
  "tfp": "B2C_1_signupsignin2",
  "nonce": "(guid)",
  "scp": "basic",
  "azp": "(guid)",
  "ver": "1.0",
  "iat": (number)
}
3
You aren’t doing anything wrong. UPN is not returned in AAD B2C tokens because it is an irrelevant random string that is set. Rather, AAD B2C's unique name is stored in the signInNames attribute, and returned in your token as email or username. The doc you linked is for AAD, and irrelevant to AAD B2C. These are two separate token issuer services. Select in your User Flow Application Claims to return “email addresses”. docs.microsoft.com/en-us/azure/active-directory-b2c/… - Jas Suri - MSFT
Thank you for the clarification. This works and gets me what I needed. I tested this further by signing up a new user. Since I capture the email address as part of the signup workflow, the "emails" claim is always populated in the token. Another user suggests configuring a custom policy, but since the UPN will be an irrelevant random string I will not pursue this option. If you convert this to an answer I will accept it. - Røye

3 Answers

2
votes

UPN is not returned in AAD B2C tokens because it is an irrelevant random string that is set.

Rather, AAD B2C's unique name is stored in the signInNames attribute, and returned in your token as email or username.

The doc you linked is for AAD, and irrelevant to AAD B2C. These are two separate token issuer services. Select in your User Flow Application Claims to return “email addresses”.

https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview#email-address-storage
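Once "Email Addresses" is selected in the user flow, B2C emits an "emails" claim, and it is an array of strings rather than a single value. The following is an added example (not code from the question or from this answer) showing how the Angular side can read that claim defensively, while treating "oid"/"sub" as the stable user identifier instead of the email. The sample token, tenant name and GUIDs are constructed; the function names (decodeJwtPayload, getEmails, getUserId, buildSampleToken) are my own. The code only base64url-decodes the payload for inspection; it does not verify the signature, so the .NET Core API must still validate the token before trusting any claim.

```javascript
// Added example: inspect the "emails" claim in an Azure AD B2C access token.
// Parsing only, no signature verification: the API still validates the token.

// Decode a base64url segment (JWTs use base64url without '=' padding).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  // atob exists in browsers and Node 16+; fall back to Buffer on older Node.
  return typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
}

// Return the JSON payload of a compact JWS (header.payload.signature).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// B2C user flows emit "emails" as an array; tolerate a single string (as a
// custom-policy claim might be) and the claim being absent entirely.
function getEmails(payload) {
  const claim = payload.emails;
  if (Array.isArray(claim)) return claim.filter((e) => typeof e === 'string');
  if (typeof claim === 'string') return [claim];
  return [];
}

// Stable identifier for the user: "oid"/"sub" do not change when the user
// updates their email address, so key application data on these, not on email.
function getUserId(payload) {
  return payload.oid || payload.sub || null;
}

// Build a constructed sample token with the same shape as the one in the
// question (fake header, fake signature) so the example runs offline.
function buildSampleToken(payload) {
  const header = { alg: 'RS256', typ: 'JWT', kid: 'constructed-kid' };
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(payload)}.constructed-signature`;
}

// Constructed payload: tenant, GUIDs and email are placeholders, not real values.
const SAMPLE_PAYLOAD = {
  iss: 'https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/',
  aud: '11111111-1111-1111-1111-111111111111',
  oid: '22222222-2222-2222-2222-222222222222',
  sub: '22222222-2222-2222-2222-222222222222',
  name: 'My Name',
  given_name: 'Given name',
  family_name: 'Surname',
  tfp: 'B2C_1_signupsignin2',
  scp: 'basic',
  emails: ['user@example.com'],
  ver: '1.0',
};

// Usage: decode the sample token and pull out the claims the app needs.
const samplePayload = decodeJwtPayload(buildSampleToken(SAMPLE_PAYLOAD));
console.log('user id:', getUserId(samplePayload));
console.log('emails :', getEmails(samplePayload));
```

A useful consequence of checking the claim this way is that a token from a user flow without "Email Addresses" selected, or from a user who signed up without an email, yields an empty list rather than a runtime error in the client.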

1
votes

At this time, apps that support both personal accounts and Azure AD (registered through the app registration portal) cannot use optional claims. However, apps registered for just Azure AD using the v2.0 endpoint can get the optional claims they requested in the manifest.

To achieve a UPN claim in the token, use a B2C Custom Policy. Refer to this link for the starter pack: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack

Add the claim below to the TechnicalProfile AAD-UserReadUsingObjectId and in the Relying Party Policy (e.g. SignUpOrSignin.xml):

<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
0
votes

As per the code you have provided, we observed you are using the v2 endpoint ("iss": "https://(my-tenant-name).b2clogin.com/(guid)/v2.0/"). As per the document, if you see iss: If the token was issued by the v2.0 endpoint, the URI will end in /v2.0.

In the v2 endpoint you need to make a request explicitly for the UPN claim.

In the v1.0 endpoint they are returned by default, but v2.0 made smaller tokens, so they made it optional.

Please go through the following links for more understanding: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims and, for how to add optional claims in the application manifest, https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest