question

ShubhamSingh-9432 asked · KarinaBorlaug-7513 commented

How to get group/role claim in ID token from Azure B2C?

I followed these steps to get a custom claim in the ID token named 'extension_6de6a54XXXXX4560b9d65731ce869be4_Role'. But my expected output is the 'groups' claim or the 'role' claim information.

I tried customMappingPolicies to map this ID token claim 'extension_6de6a54XXXXX4560b9d65731ce869be4_Role' to the 'groups' claim. But following the steps in this documentation does not seem to affect the ID token issued by B2C.

When I found this answer that explains getting group membership using custom policies, I got stuck on the step where the details below for Microsoft Graph are entered in the file TrustFrameworkExtensions.xml. I don't have answers to questions like:
1. Should I enter a Microsoft Graph endpoint in ServiceUrl?
2. How will the AccessToken be supplied?
3. How will the JSON response be fetched and the output passed into the token?

<TechnicalProfile Id="REST-RBAC">
  <DisplayName>Read and validate user's groups</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <!-- Demo: Change the service URL with your REST API location -->
    <Item Key="ServiceUrl">https://graph.microsoft.com/v1.0/users/{objectId}/getMemberGroups</Item>
    <!-- Demo: Change the AuthenticationType to basic or ClientCertificate.
         For more information, see: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-rest-api-netfw-secure-cert -->
    <Item Key="AuthenticationType">Bearer</Item>
    <Item Key="SendClaimsIn">Url</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" />
    <!-- Demo: set the DefaultValue to an empty string or a comma-delimited list
         of security groups to validate -->
    <!-- <InputClaim ClaimTypeReferenceId="onlyMembersOf" DefaultValue="admins" /> -->
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="groups" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>




NOTE: I don't want my application to handle an HTTPS request just for one piece of information that I can get in the token.

Thanks In Advance.




Tags: azure-ad-b2c · azure-rbac · azure-ad-openid-connect
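The three numbered questions above (service URL, access token, and how the JSON result becomes an output claim) are the contract between the RestfulProvider and whatever sits behind `ServiceUrl`. Two facts about that contract matter here: Microsoft Graph's `getMemberGroups` is a POST with a JSON body (`{"securityEnabledOnly": ...}`) whose reply is `{"value": ["<group guid>", ...]}`, so a GET-style `SendClaimsIn=Url` call cannot be answered by Graph directly; and B2C expects a flat JSON object whose keys match the `OutputClaims` names, with a 409 body of `{"version", "status", "userMessage"}` on failure. The Python below is an added example, not code from the question or from Microsoft: a minimal backend that B2C could call (with `SendClaimsIn=Body`) and that acquires an app-only Graph token with the client-credentials grant, validates the incoming `objectId` before placing it in the Graph URL path, and maps Graph's `value` array onto a `groups` key. The function names, the GUID check and the constructed Graph reply in the demo are assumptions; the token and Graph endpoints, the permission name and the B2C response shapes are the documented ones.

```python
"""
Minimal group-lookup backend for an Azure AD B2C RestfulProvider technical profile.
Added example (not the question's or Microsoft's code); handle_b2c_request,
build_graph_request and parse_member_groups are assumed names.
"""
import json
import re
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# B2C objectId values are GUIDs; anything else must not reach the Graph URL path.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def get_graph_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token for Graph. The app registration needs an
    application permission such as GroupMember.Read.All with admin consent.
    Network call; not exercised offline."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


def build_graph_request(object_id: str, security_enabled_only: bool = False):
    """Return (url, json_body) for POST /users/{id}/getMemberGroups.
    The id is validated first so a caller cannot inject path segments."""
    if not GUID_RE.match(object_id):
        raise ValueError("objectId is not a GUID")
    return (f"{GRAPH}/users/{object_id}/getMemberGroups",
            {"securityEnabledOnly": security_enabled_only})


def call_graph(token: str, url: str, body: dict) -> dict:
    """POST the body to Graph with the bearer token. Network call."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def parse_member_groups(graph_json: dict) -> list:
    """Extract the group GUID list from Graph's {"value": [...]} reply,
    rejecting error bodies or unexpected shapes."""
    value = graph_json.get("value")
    if not isinstance(value, list) or not all(
            isinstance(g, str) and GUID_RE.match(g) for g in value):
        raise ValueError("unexpected getMemberGroups response")
    return value


def handle_b2c_request(body: dict, graph_call) -> tuple:
    """Handle the JSON B2C sends with SendClaimsIn=Body ({"objectId": "..."}).
    Returns (http_status, response_dict):
      200 + {"groups": [...]}  -> matched to <OutputClaim ClaimTypeReferenceId="groups" />
      409 + {"version","status","userMessage"} -> B2C shows the userMessage as an error.
    graph_call(url, body) is injected so the handler can be exercised offline."""
    object_id = body.get("objectId", "")
    try:
        url, req_body = build_graph_request(object_id)
        groups = parse_member_groups(graph_call(url, req_body))
    except ValueError as exc:
        return 409, {"version": "1.0.0", "status": 409, "userMessage": str(exc)}
    return 200, {"groups": groups}


if __name__ == "__main__":
    # Constructed Graph reply standing in for a real call_graph(token, ...).
    fake_graph = {"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
                  "value": ["11111111-1111-1111-1111-111111111111"]}
    print(handle_b2c_request({"objectId": "33333333-3333-3333-3333-333333333333"},
                             lambda u, b: fake_graph))
    print(handle_b2c_request({"objectId": "../me"}, lambda u, b: fake_graph))
```

In production the `graph_call` argument would be `lambda u, b: call_graph(get_graph_token(tenant, app_id, secret), u, b)`, with the secret held in the API's own configuration rather than in the policy XML; the B2C side then points `ServiceUrl` at this endpoint, keeps `AuthenticationType` as Bearer or ClientCertificate to authenticate B2C to the API, and uses `SendClaimsIn=Body` so `objectId` arrives as JSON.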

Are you still having this issue? Please let us know and we will try to help on the same.


I am stuck on this same issue. Would love info on how to query Microsoft Graph in custom policies to get app roles in output claims.


0 Answers