If you’re reading this article, chances are you’ve stumbled upon a frustrating issue in Azure AD B2C custom policies – your custom claims are not included in the token after local sign-in. Don’t worry, we’ve got you covered! In this comprehensive guide, we’ll walk you through the steps to resolve this issue and get your custom claims flowing smoothly into your token.
Understanding the Problem
Before we dive into the solution, let’s quickly understand the problem. Azure AD B2C custom policies allow you to customize the user experience and authenticate users using various identity providers. However, when you use local sign-in, Azure AD B2C doesn’t include custom claims in the token by default. This means that your application won’t receive the custom claims you’ve defined, causing issues with user authentication and authorization.
Why Custom Claims Are Essential
Custom claims are essential in Azure AD B2C custom policies because they allow you to pass additional information about the user to your application. This information can include user roles, permissions, or any other relevant data that your application needs to function correctly. Without custom claims, your application won’t have access to this critical information, resulting in errors and inconsistencies.
Step 1: Verify Your Custom Policy
The first step to resolving this issue is to verify that your custom policy is correctly configured. Make sure you’ve defined the custom claims in your policy and have included the necessary technical profiles.
```xml
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="custom_claim">
      <DisplayName>Custom Claim</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>
```
In the above example, we’ve defined a custom claim called “custom_claim” with a data type of string.
Step 2: Configure the Token Issuance Technical Profile
The token issuance technical profile is responsible for generating the token that’s sent to your application. To include custom claims in the token, you need to add the necessary output claims to this technical profile.
```xml
<TechnicalProfiles>
  <TechnicalProfile Id="TokenIssuance">
    <OutputClaims>
      <!-- PartnerClaimType sets the claim name as it appears in the issued token -->
      <OutputClaim ClaimTypeReferenceId="custom_claim" PartnerClaimType="custom_claim" />
    </OutputClaims>
  </TechnicalProfile>
</TechnicalProfiles>
```
In the above example, we’ve added the custom_claim output claim to the token issuance technical profile. This tells Azure AD B2C to include the custom_claim in the token.
Step 3: Update the User Journey
The user journey defines the authentication flow for your application. To include custom claims in the token, you need to update the user journey to include the necessary orchestration steps.
```xml
<UserJourney Id="LocalSignIn">
  <OrchestrationSteps>
    <!-- Order="1" is the local sign-in step itself and is omitted here -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="CustomClaimExchange" TechnicalProfileReferenceId="CustomClaimTechnicalProfile" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- A journey must end with a SendClaims step or no token is issued at all;
         "JwtIssuer" is the issuer technical profile id used by the starter pack -->
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>
```
In the above example, we’ve added an orchestration step to the user journey that calls the CustomClaimExchange claims exchange. This claims exchange is responsible for retrieving the custom claim and including it in the token.
Step 4: Define the Custom Claim Technical Profile
The custom claim technical profile is responsible for retrieving the custom claim value. You can use a custom claims provider or a claims transformation to retrieve the custom claim value.
```xml
<TechnicalProfiles>
  <TechnicalProfile Id="CustomClaimTechnicalProfile">
    <DisplayName>Retrieve custom_claim from a REST API</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <!-- Placeholder endpoint; it must answer with a JSON body containing "custom_claim" -->
      <Item Key="ServiceUrl">https://example.com/api/custom-claim</Item>
      <Item Key="SendClaimsIn">Body</Item>
      <!-- Authenticate the call; the username/password live in policy keys, not in the XML -->
      <Item Key="AuthenticationType">Basic</Item>
    </Metadata>
    <CryptographicKeys>
      <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_RestApiUsername" />
      <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_RestApiPassword" />
    </CryptographicKeys>
    <InputClaims>
      <!-- objectId is the starter-pack claim for the signed-in user; sent to the API as input -->
      <InputClaim ClaimTypeReferenceId="objectId" />
    </InputClaims>
    <OutputClaims>
      <!-- The value returned by the API is mapped onto the claim defined in ClaimsSchema -->
      <OutputClaim ClaimTypeReferenceId="custom_claim" />
    </OutputClaims>
    <!-- SM-Noop is the starter-pack "no session" profile; this element needs a ReferenceId, not a boolean -->
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
  </TechnicalProfile>
</TechnicalProfiles>
```
In the above example, we’ve defined a custom claim technical profile that uses a RESTful provider to retrieve the custom claim value. You can customize this technical profile to fit your specific needs.
Step 5: Test Your Custom Policy
Now that you’ve updated your custom policy, it’s time to test it. Use the Azure AD B2C token debugger to test your policy and verify that the custom claim is included in the token.
| Tool | Description |
|---|---|
| Azure AD B2C Token Debugger | A tool that allows you to test and debug your Azure AD B2C custom policies. |
In the Azure AD B2C token debugger, enter your policy ID and run the debugger. This will generate a token that includes the custom claim. Verify that the custom claim is present in the token by checking the token contents.
Conclusion
In conclusion, including custom claims in the token after local sign-in in Azure AD B2C custom policies requires careful configuration and planning. By following the steps outlined in this guide, you can ensure that your custom claims are included in the token and available to your application. Remember to verify your custom policy, configure the token issuance technical profile, update the user journey, define the custom claim technical profile, and test your custom policy using the Azure AD B2C token debugger. With these steps, you’ll be well on your way to resolving the issue of custom claims not being included in the token after local sign-in in Azure AD B2C custom policies.
Common Issues and Solutions
In this section, we’ll cover some common issues and solutions related to custom claims not being included in the token after local sign-in in Azure AD B2C custom policies.
Issue 1: Custom Claim Not Defined
Solution: Verify that the custom claim is defined in the BuildingBlocks section of your custom policy.
Issue 2: Token Issuance Technical Profile Not Configured
Solution: Verify that the token issuance technical profile is configured to include the custom claim as an output claim.
Issue 3: User Journey Not Updated
Solution: Verify that the user journey is updated to include the necessary orchestration steps to retrieve the custom claim.
By following these steps and troubleshooting common issues, you should be able to resolve the issue of custom claims not being included in the token after local sign-in in Azure AD B2C custom policies.
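The three checks above (Steps 1 to 4 and Issues 1 to 3) can be run statically before uploading a policy. The script below is an added example, not code from the article or from Microsoft: it parses a constructed policy fragment and reports a claim missing from ClaimsSchema, a claim the relying-party profile never emits, and a ClaimsExchange pointing at a technical profile that does not exist. It assumes the starter-pack layout, where the token-issuing output claims live on the `PolicyProfile` technical profile under `<RelyingParty>`; the namespace URI is the real one used by B2C policy files.

```python
# Added example: static lint for a B2C custom-policy file. The namespace URI is
# the real B2C policy namespace; the sample policy and all ids in it are
# constructed, and "PolicyProfile" is assumed to be the relying-party profile.
import xml.etree.ElementTree as ET

NS = {"b2c": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed sample: custom_claim is defined, but the ClaimsExchange has a typo
# in its profile id and the relying-party profile never emits custom_claim.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
 <BuildingBlocks><ClaimsSchema>
  <ClaimType Id="custom_claim"><DataType>string</DataType></ClaimType>
 </ClaimsSchema></BuildingBlocks>
 <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
  <TechnicalProfile Id="CustomClaimTechnicalProfile">
   <OutputClaims><OutputClaim ClaimTypeReferenceId="custom_claim"/></OutputClaims>
  </TechnicalProfile>
 </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
 <UserJourneys><UserJourney Id="LocalSignIn"><OrchestrationSteps>
  <OrchestrationStep Order="2" Type="ClaimsExchange"><ClaimsExchanges>
   <ClaimsExchange Id="CustomClaimExchange" TechnicalProfileReferenceId="CustomClaimTechnicalProfil"/>
  </ClaimsExchanges></OrchestrationStep>
 </OrchestrationSteps></UserJourney></UserJourneys>
 <RelyingParty><TechnicalProfile Id="PolicyProfile">
  <OutputClaims><OutputClaim ClaimTypeReferenceId="email"/></OutputClaims>
 </TechnicalProfile></RelyingParty>
</TrustFrameworkPolicy>"""


def lint_policy(policy_xml: str, claim: str) -> list[str]:
    """Return findings for `claim`; an empty list means it should reach the token."""
    root = ET.fromstring(policy_xml)
    findings = []
    # Issue 1: the claim must exist in ClaimsSchema
    defined = {c.get("Id") for c in root.iterfind(".//b2c:ClaimsSchema/b2c:ClaimType", NS)}
    if claim not in defined:
        findings.append(f"Issue 1: '{claim}' is not defined in ClaimsSchema")
    # Issue 2: the relying-party profile must list it as an OutputClaim, or it is
    # dropped at issuance even when the journey collected it
    rp = root.find("b2c:RelyingParty/b2c:TechnicalProfile", NS)
    rp_out = {oc.get("ClaimTypeReferenceId") for oc in rp.iterfind("b2c:OutputClaims/b2c:OutputClaim", NS)}
    if claim not in rp_out:
        findings.append(f"Issue 2: '{claim}' is not an OutputClaim of RelyingParty profile '{rp.get('Id')}'")
    # Issue 3: every ClaimsExchange must reference a technical profile that exists
    profiles = {tp.get("Id") for tp in root.iterfind(".//b2c:TechnicalProfile", NS)}
    for ex in root.iterfind(".//b2c:ClaimsExchange", NS):
        ref = ex.get("TechnicalProfileReferenceId")
        if ref not in profiles:
            findings.append(f"Issue 3: ClaimsExchange '{ex.get('Id')}' references missing profile '{ref}'")
    return findings
```

Run it against your real TrustFrameworkExtensions and relying-party files merged into one tree, or point it at each file in turn; it only inspects the XML and never contacts the tenant.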
Frequently Asked Questions
Get the answers to your burning questions about custom claims not included in token after local sign-in in Azure AD B2C custom policies!
Why are custom claims not included in the token after local sign-in in Azure AD B2C custom policies?
Custom claims are not included in the token by default after local sign-in in Azure AD B2C custom policies because the token is issued by the Azure AD B2C identity provider, and it only includes the claims that are configured in the token issuance policy. To include custom claims, you need to configure the token issuance policy to include the custom claim.
How do I configure the token issuance policy to include custom claims in Azure AD B2C custom policies?
To configure the token issuance policy to include custom claims, you need to add an output claim to the token issuance technical profile in your Azure AD B2C custom policy. The output claim should reference the custom claim that you want to include in the token. You can do this by adding a new `<OutputClaim>` element to the `<OutputClaims>` element in your policy file.
What is the difference between a custom claim and a built-in claim in Azure AD B2C custom policies?
A custom claim is a claim that is not part of the standard set of claims supported by Azure AD B2C, whereas a built-in claim is a claim that is part of the standard set of claims supported by Azure AD B2C. Custom claims are typically used to store application-specific data, while built-in claims are used to store standard user data such as name, email, and phone number.
How do I troubleshoot issues with custom claims not being included in the token in Azure AD B2C custom policies?
To troubleshoot issues with custom claims not being included in the token, you can use the Azure AD B2C debug log to identify the issue. The debug log provides detailed information about the claim resolution process and can help you identify why the custom claim is not being included in the token. You can also use tools such as Fiddler to inspect the HTTP traffic and verify that the custom claim is being sent in the request.
Can I use custom claims to store sensitive data in Azure AD B2C custom policies?
No, it’s not recommended to use custom claims to store sensitive data in Azure AD B2C custom policies. Custom claims are stored in the token and can be accessed by anyone who has access to the token. Instead, you should use secure storage mechanisms such as Azure Key Vault or Azure Blob Storage to store sensitive data.