question

palayathar asked

B2C custom policy tfp in Issuer (iss) claim URL

Hello Team

I am using a B2C custom policy. However, it does not give tfp claims in the token. I tried following this article by @amanpreetsingh-msft by adding the following to TrustFrameworkBase.xml and uploaded it. It still didn't work. Could you help?


<Item Key="AuthenticationContextReferenceClaimPattern">None</Item>

and then added

<ClaimType Id="trustFrameworkPolicy">
  <DisplayName>Trust Framework Policy</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="tfp"/>
    <Protocol Name="OpenIdConnect" PartnerClaimType="tfp"/>
  </DefaultPartnerClaimTypes>
</ClaimType>


Finally, added the following to the relying party file

<OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />

I was expecting the issuer URI to be something like this [the below screenshot is from the built-in sign-in user flow],

[Screenshot: shouldlooklike.png (issuer from the built-in sign-in user flow)]

However, issuer uri looks like this [the below screenshot is from custom policy]. Shouldn't it have /tfp in the Issuer (iss) claim URL?
[Screenshot: scerror.png (issuer from the custom policy)]

How to resolve this?

azure-ad-b2c

1 Answer

amanpreetsingh-msft answered

Hi @palayathar, thank you for reaching out.

The "tfp" claim doesn't come as part of "issuer" claim as it is a separate claim. The issuer value you are getting is the expected value. If you access your policy metadata endpoint (mentioned below), it will display the same value as the issuer.

https://your_tenant.b2clogin.com/your_tenant.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=your_signup_signin_policy

Below is the sample token with "tfp" claim (highlighted in red) for your reference:

[Screenshot: image.png (sample token with the "tfp" claim highlighted)]


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



Thanks, guys who tried helping, especially to amanpreetsingh.

I understand that the Issuer (iss) claim is a property that identifies the Azure AD B2C tenant that issued the token.

The default value is https://<domain>/{B2C tenant GUID}/v2.0/.

whereas the value https://<domain>/tfp/{B2C tenant GUID}/{Policy ID}/v2.0/ includes IDs for both the Azure AD B2C tenant and the user flow that was used in the token request.

I understand that the "tfp" property identifies the **claim type into which the policy name** used in the token request is populated.

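The two issuer formats discussed in this thread, and the separate "tfp" claim, are exactly what a resource server has to pin down before it trusts a B2C token. The following Python example is added here and is not code from the original thread or from Microsoft: it decodes a constructed, unsigned sample token, accepts either the plain tenant issuer (what a custom policy emits) or the /tfp/{tenant}/{policy}/ issuer (what a built-in user flow emits), and then requires the "tfp" claim to name the expected policy. The domain, tenant GUID, policy name and audience are placeholder values. Signature verification against the keys published at the policy metadata endpoint is deliberately out of scope here and must be done before any of these claim checks are meaningful.

```python
import base64
import json
import time

# Constructed placeholder values (not from the original thread).
DOMAIN = "contoso.b2clogin.com"
TENANT_ID = "11111111-2222-3333-4444-555555555555"   # placeholder tenant GUID
POLICY = "B2C_1A_signup_signin"                       # placeholder policy name
AUDIENCE = "00000000-0000-0000-0000-000000000000"     # placeholder app/client id
NOW = 1_700_000_000                                   # fixed clock for the example


def expected_issuers(domain, tenant_id, policy):
    """Both issuer strings B2C can emit for the same tenant:
    - the plain tenant issuer, which a custom policy returns, and
    - the /tfp/{tenant}/{policy}/ issuer, which a built-in user flow returns.
    Anything else (another tenant, another domain) is rejected."""
    return {
        f"https://{domain}/{tenant_id}/v2.0/",
        f"https://{domain}/tfp/{tenant_id}/{policy}/v2.0/",
    }


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(token):
    """Return the JWT payload as a dict. This does NOT verify the signature;
    a real resource server verifies it first using the keys from the policy's
    openid-configuration / jwks_uri endpoint."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_b2c_claims(payload, domain, tenant_id, policy, audience, now=None):
    """Return a list of claim names that failed; empty list means all checks passed."""
    now = time.time() if now is None else now
    problems = []
    # Exact-match the issuer against the two known forms; no prefix/substring matching.
    if payload.get("iss") not in expected_issuers(domain, tenant_id, policy):
        problems.append("iss")
    if payload.get("aud") != audience:
        problems.append("aud")
    if payload.get("exp", 0) <= now:
        problems.append("exp")
    # The policy name lives in its own "tfp" claim, not inside "iss".
    tfp = payload.get("tfp")
    if not isinstance(tfp, str) or tfp.lower() != policy.lower():
        problems.append("tfp")
    return problems


def make_unsigned_token(payload):
    """Build a constructed alg=none token purely so the example runs offline."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(payload)}."


def sample_payload(iss, include_tfp=True):
    claims = {"iss": iss, "aud": AUDIENCE, "exp": NOW + 600, "sub": "user-1"}
    if include_tfp:
        claims["tfp"] = POLICY
    return claims


if __name__ == "__main__":
    plain_iss = f"https://{DOMAIN}/{TENANT_ID}/v2.0/"
    tfp_iss = f"https://{DOMAIN}/tfp/{TENANT_ID}/{POLICY}/v2.0/"
    for label, payload in [
        ("custom policy issuer", sample_payload(plain_iss)),
        ("user flow issuer", sample_payload(tfp_iss)),
        ("missing tfp claim", sample_payload(plain_iss, include_tfp=False)),
    ]:
        token = make_unsigned_token(payload)
        result = check_b2c_claims(decode_payload(token), DOMAIN, TENANT_ID, POLICY, AUDIENCE, now=NOW)
        print(f"{label}: {'ok' if not result else 'failed ' + ','.join(result)}")
```

Whichever issuer form your policy produces, compare it to the `issuer` value in the policy's openid-configuration document rather than to a hand-typed string, and keep the comparison an exact match; the "tfp" check is what ties the token to a specific policy once the issuer has confirmed the tenant.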