This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 79%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
I’m working on an application which can read files of a given OneDrive account.
We use Azure AD B2C as the identity provider. Users can login to the application using their Microsoft account. For that we have enabled Microsoft as an Identity Provider in my AAD B2C tenant.
When a given user is login using their Microsoft account, application should be able to get both access_token and refresh_token which enables us to communicate with MS Graph API, in order to fetch file details.
Using custom policies we were able to fetch access_token. However, we cannot fetch the refresh_token.
This is how ClaimsSchema is defined in TrustFrameworkExtensions.xml :
Also in the same file, under the TechnicalProfile of Microsoft login, following OutputClaims node is added (some child nodes are removed for clarity):
Then under the relevant RelyingParty node following OutputClaims node is added (some child nodes are removed for clarity):
According to documentation there is no claim resolver for refresh_token.
Any suggestion to get this work?
Hello @SampathDilhan-7447
To get both Access and Refresh tokens, you would need to federate MSA IDP via OAuth with B2C. As of now, for OIDC IDPs only Access Token is passed through.
Please refer to below Technical Profile to add MSA IDP using OAuth:
This will return both Access and Refresh tokens, as highlighted below:
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thank you very much for the excellent answer @AmanpreetSingh-MSFT ! This worked for me with very minor modifications.
Cheers!
@SampathDilhan-7447 Thank you for the confirmation. I don't see the semicolons while trying to edit the answer, may be it's an issue with the platform. I have older version of Starter Pack in my lab which is why socialIdpUserId worked for me. In the newer starter packs, socialIdpUserId is replaced with issuerUserId.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 25%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
What do the PartnerClaim types reference here, the access_token claims, the id_token claims or somethign third?
When I put the PartnerClaim type to be tid (this is contained in both the access_token and the id_token) I do not get a value, however referencing givenName I get a value even though displayName is not a claim in neither the access_token nor the id_token.
Where is this documented?
I have found the relevant Microsoft documentation, there is a claims endpoint which is called as part of the OAuth2 Technical Profile, the response is the source of the claims. In order for this call to be made two calls need to be made to the standard endpoints /authorize and /token (this is the OAuth2 authorization code flow)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 36%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
I'm using Key cloak as third party IDP and azure b2c as federated server, I tried same as described above, but getting error.
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Below is technical profile for key cloak.
<ClaimsProvider>
<DisplayName>Azureb2c Qa India</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="IDP">
<DisplayName>External IDP</DisplayName>
<Protocol Name="OAuth2"/>
<OutputTokenFormat>JWT</OutputTokenFormat>
<Metadata>
<Item Key="AccessTokenEndpoint">https://servername.com/auth/realms/realemName/protocol/openid-connect/token</Item>
<Item Key="authorization_endpoint">https://servername.com/auth/realms/realemName/protocol/openid-connect/auth</Item>
<Item Key="ClaimsEndpoint">https://servername.com/auth/realms/realemName/protocol/openid-connect/userinfo</Item>
<Item Key="ClaimsEndpointAccessTokenName">access_token</Item>
<Item Key="response_types">code</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="client_id">clientid</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="scope">openid offline_access</Item>
<Item Key="UsePolicyInRedirectUri">0</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_ClientSecret" />
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="userName" PartnerClaimType="preferred_username" />
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="userId" PartnerClaimType="userid" />
<OutputClaim ClaimTypeReferenceId="externalIdToken" PartnerClaimType="{oauth2:refresh_token}" />
<OutputClaim ClaimTypeReferenceId="accessToken" PartnerClaimType="{oauth2:access_token}" />
<OutputClaim ClaimTypeReferenceId="dealerCode" PartnerClaimType="dealercode" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
can you suggest how to make it work, for OAuth2 the urls should be same as OpenId protocol or different.