0
votes

I am working on a B2C case that involves integration with a 3rd party identity provider using OpenIdConnect.

This third party expects a specific query string parameter to be sent one or more times:

example.com/oidc/authorize?...&login_hint=ABCvalue&login_hint=XYZvalue

I have an OpenIdConnect Technical Profile with the required input claims:

<TechnicalProfile Id="Example-Swe">
  <DisplayName>Example Sverige</DisplayName>
  <Description>Login with Example</Description>
  <Protocol Name="OpenIdConnect"/>
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="client_id">preprod.Example</Item>
    <Item Key="METADATA">https://example.com/oidc/.well-known/openid-configuration</Item>
    <Item Key="response_types">code</Item>
    <Item Key="scope">openid phone profile example.national_id offline_access</Item>
    <Item Key="response_mode">query</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_ExampleSecretNO1"/>
  </CryptographicKeys>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="acr_values" DefaultValue="urn:example:oidc:method:sbid"/>
    <InputClaim ClaimTypeReferenceId="example_profile" DefaultValue="example-id" />
    <InputClaim ClaimTypeReferenceId="ui_locales" DefaultValue="sv" />
    <InputClaim ClaimTypeReferenceId="claimABC" PartnerClaimType="login_hint" />
    <InputClaim ClaimTypeReferenceId="claimXYZ" PartnerClaimType="login_hint" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="access_token" PartnerClaimType="{oauth2:access_token}" />
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="SigBidSwe" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="Example-BID-Swe" />
    <OutputClaim ClaimTypeReferenceId="countryCode" DefaultValue="SE" AlwaysUseDefaultValue="true" />

  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD"/>
</TechnicalProfile>

but having two claims with the same PartnerClaimType does not work. B2C throws an exception.

Is it possible to achieve this somehow?

1
It is a bit unusual for a query string parameter to be repeated. Maybe the third party can change its implementation? - Abhishek Agrawal
@AbhishekAgrawal it would be ideal but they are not very keen on that. - VRPF
Obviously, B2C does not support duplicate parameters. Could you define it yourself? - Pamela Peng

1 Answer

0
votes

It can't be done today with Azure B2C custom policies, and the third party is also not following the spec.

Duplicate query parameters violate the OAuth specification:

  1. Parameters

OAuth Protocol Parameter names and values are case sensitive. Each OAuth Protocol Parameters MUST NOT appear more than once per request, and are REQUIRED unless otherwise noted.

https://oauth.net/core/1.0a/
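As an added illustration (not code from the question, the answer, or Azure AD B2C itself) of why the repeated login_hint is a problem on the protocol level: the script below builds the authorize request the third party asked for and runs the two checks a spec-following authorization server applies to it, namely that the OIDC Core 3.1.2.1 required parameters are present and that no parameter is repeated (RFC 6749 section 3.1: "Request and response parameters MUST NOT be included more than once"). The endpoint, client_id, scope, acr_values and ui_locales values are taken from the question's policy; the redirect_uri and state values are assumed placeholders.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample. Endpoint and parameter values come from the question's
# technical profile; redirect_uri and state are assumed placeholders.
AUTHORIZE_ENDPOINT = "https://example.com/oidc/authorize"
BASE_PARAMS = [
    ("client_id", "preprod.Example"),
    ("response_type", "code"),
    ("response_mode", "query"),
    ("scope", "openid phone profile example.national_id offline_access"),
    ("redirect_uri", "https://login.example.net/oauth2/authresp"),  # assumed
    ("state", "abc123"),  # assumed; a real client sends a random, unguessable value
    ("acr_values", "urn:example:oidc:method:sbid"),
    ("ui_locales", "sv"),
]

# OpenID Connect Core 3.1.2.1 marks these four as REQUIRED for the code flow.
REQUIRED = ("client_id", "response_type", "redirect_uri", "scope")


def build_authorize_url(extra_params):
    """Build the authorize request URL from (name, value) pairs.

    A list rather than a dict is used deliberately: a list can express the
    repeated login_hint the third party wants, so the result can be inspected.
    """
    return AUTHORIZE_ENDPOINT + "?" + urlencode(BASE_PARAMS + list(extra_params))


def query_params(url):
    """Return the query string as an ordered list of (name, value) pairs."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def duplicate_params(url):
    """Names that occur more than once in the query string (forbidden by RFC 6749 3.1)."""
    names = [name for name, _ in query_params(url)]
    return sorted({n for n in names if names.count(n) > 1})


def check_authorize_request(url):
    """Return a list of problems; an empty list means the request is acceptable."""
    problems = []
    present = {name for name, _ in query_params(url)}
    for name in REQUIRED:
        if name not in present:
            problems.append(f"missing required parameter: {name}")
    for name in duplicate_params(url):
        problems.append(f"parameter repeated (RFC 6749 3.1): {name}")
    return problems


if __name__ == "__main__":
    # What the third party asked for: login_hint sent twice.
    repeated = build_authorize_url([("login_hint", "ABCvalue"), ("login_hint", "XYZvalue")])
    print(repeated)
    print(check_authorize_request(repeated))
    # The spec-conformant shape: every parameter at most once.
    single = build_authorize_url([("login_hint", "ABCvalue")])
    print(check_authorize_request(single))
```

The repeated form fails the duplicate check even though it is otherwise well-formed; the single-login_hint form passes. The same checker can be pointed at any authorize URL to see what a conformant provider would reject before the B2C policy question even arises.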