Pass an identity provider access token to your application in Azure Active Directory B2C

Before you begin, use the Choose a policy type selector to choose the type of policy you’re setting up. Azure Active Directory B2C offers two methods to define how users interact with your applications: through predefined user flows or through fully configurable custom policies. The steps required in this article are different for each method.

A user flow in Azure Active Directory B2C (Azure AD B2C) provides users of your application an opportunity to sign up or sign in with an identity provider. When the journey starts, Azure AD B2C receives an access token from the identity provider. Azure AD B2C uses that token to retrieve information about the user. You enable a claim in your user flow to pass the token through to the applications that you register in Azure AD B2C.

Azure AD B2C supports passing the access token of OAuth 2.0 identity providers, which include Facebook and Google. For all other identity providers, the claim is returned blank.

Azure AD B2C supports passing the access token of OAuth 2.0 and OpenID Connect identity providers. For all other identity providers, the claim is returned blank.

The following diagram shows how an identity provider token returns to your app:

Diagram: identity provider pass-through flow

Prerequisites

Enable the claim

  1. Sign in to the Azure portal as the global administrator of your Azure AD B2C tenant.

  2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the Directories + subscriptions icon in the portal toolbar.

  3. On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch.

  4. Choose All services in the top-left corner of the Azure portal, search for and select Azure AD B2C.

  5. Select User flows (policies), and then select your user flow. For example, B2C_1_signupsignin1.

  6. Select Application claims.

  7. Enable the Identity Provider Access Token claim.

    Screenshot: Enable the Identity Provider Access Token claim

  8. Click Save to save the user flow.

Test the user flow

When testing your applications in Azure AD B2C, it can be useful to have the Azure AD B2C token returned to https://jwt.ms to review the claims in it.

  1. On the Overview page of the user flow, select Run user flow.

  2. For Application, select your application that you previously registered. To see the token in the example below, the Reply URL should show https://jwt.ms.

  3. Click Run user flow, and then sign in with your account credentials. You should see the access token of the identity provider in the idp_access_token claim.

    You should see something similar to the following example:

    Screenshot: Decoded token in jwt.ms with idp_access_token block highlighted

Add the claim elements

  1. Open your TrustframeworkExtensions.xml file and add the following ClaimType element with an identifier of identityProviderAccessToken to the ClaimsSchema element:

    <BuildingBlocks>
      <ClaimsSchema>
        <ClaimType Id="identityProviderAccessToken">
          <DisplayName>Identity Provider Access Token</DisplayName>
          <DataType>string</DataType>
          <AdminHelpText>Stores the access token of the identity provider.</AdminHelpText>
        </ClaimType>
        ...
      </ClaimsSchema>
    </BuildingBlocks>
    
  2. Add the OutputClaim element to the TechnicalProfile element for each OAuth 2.0 identity provider that you would like the access token for. The following example shows the element added to the Facebook technical profile:

    <ClaimsProvider>
      <DisplayName>Facebook</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="Facebook-OAUTH">
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
          </OutputClaims>
          ...
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    
  3. Save the TrustframeworkExtensions.xml file.

  4. Open your relying party policy file, such as SignUpOrSignIn.xml, and add the OutputClaim element to the TechnicalProfile:

    <RelyingParty>
      <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
      <TechnicalProfile Id="PolicyProfile">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token"/>
        </OutputClaims>
        ...
      </TechnicalProfile>
    </RelyingParty>
    
  5. Save the policy file.
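To review which technical profiles forward the identity provider token and under what claim name it reaches your application, the following added example (not from this page or from Microsoft) parses policy files like the ones above with Python's standard library. The XML fragments are constructed samples, and the helper names are hypothetical:

```python
import xml.etree.ElementTree as ET
CLAIM_ID = "identityProviderAccessToken"     # ClaimType Id used on the page
OAUTH_TOKEN_CLAIM = "{oauth2:access_token}"  # PartnerClaimType used on the page

# Constructed sample fragments (not from a real tenant) mirroring the page's snippets.
EXTENSIONS_XML = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <BuildingBlocks><ClaimsSchema>
    <ClaimType Id="identityProviderAccessToken"><DataType>string</DataType></ClaimType>
  </ClaimsSchema></BuildingBlocks>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="Facebook-OAUTH"><OutputClaims>
      <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
    </OutputClaims></TechnicalProfile>
    <TechnicalProfile Id="Google-OAUTH"><OutputClaims>
      <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
    </OutputClaims></TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""
RELYING_PARTY_XML = """<RelyingParty><TechnicalProfile Id="PolicyProfile"><OutputClaims>
  <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token"/>
</OutputClaims></TechnicalProfile></RelyingParty>"""

def _local(tag):
    """Strip the policy namespace so lookups work with or without an xmlns."""
    return tag.rpartition("}")[2]

def _output_claims(elem):
    """Yield (ClaimTypeReferenceId, PartnerClaimType) for every OutputClaim under elem."""
    for node in elem.iter():
        if _local(node.tag) == "OutputClaim":
            yield node.get("ClaimTypeReferenceId"), node.get("PartnerClaimType")

def audit_extensions(xml_text):
    """Report whether the claim type is declared and which technical profiles forward it.
    Each entry is (profile Id, True if the OAuth2 access token is mapped into it)."""
    root = ET.fromstring(xml_text)
    declared = any(_local(n.tag) == "ClaimType" and n.get("Id") == CLAIM_ID for n in root.iter())
    forwarding = [(tp.get("Id"), partner == OAUTH_TOKEN_CLAIM)
                  for tp in root.iter() if _local(tp.tag) == "TechnicalProfile"
                  for ref, partner in _output_claims(tp) if ref == CLAIM_ID]
    return {"claim_declared": declared, "forwarding_profiles": forwarding}

def audit_relying_party(xml_text):
    """Return the JWT claim name under which the IdP token reaches the app, or None.
    Without PartnerClaimType the claim is emitted under its ClaimTypeReferenceId."""
    root = ET.fromstring(xml_text)
    for ref, partner in _output_claims(root):
        if ref == CLAIM_ID:
            return partner or ref
    return None
```

Run both functions over your real TrustframeworkExtensions.xml and relying party file to confirm that only the providers you intend forward their token and that the application receives it as idp_access_token.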

Test your policy

When testing your applications in Azure AD B2C, it can be useful to have the Azure AD B2C token returned to https://jwt.ms to be able to review the claims in it.

Upload the files

  1. Sign in to the Azure portal.
  2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the Directories + subscriptions icon in the portal toolbar.
  3. On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch.
  4. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  5. Select Identity Experience Framework.
  6. On the Custom Policies page, click Upload Policy.
  7. Select Overwrite the policy if it exists, and then search for and select the TrustframeworkExtensions.xml file.
  8. Select Upload.
  9. Repeat steps 5 through 7 for the relying party file, such as SignUpOrSignIn.xml.

Run the policy

  1. Open the policy that you changed. For example, B2C_1A_signup_signin.

  2. For Application, select your application that you previously registered. To see the token in the example below, the Reply URL should show https://jwt.ms.

  3. Select Run now.

    You should see something similar to the following example:

    Screenshot: Decoded token in jwt.ms with idp_access_token block highlighted

Next steps

Learn more in the overview of Azure AD B2C tokens.