
Pass Inputs to B2C Custom Policy

Unleash 🚀 the full potential of Azure B2C custom policies by mastering the art of passing inputs! This guide unveils the secrets 📜 of using JWT tokens to send custom data to your policies, empowering you to create more adaptable and user-centric experiences. Dive into the essential steps, from crafting secure JWTs to configuring claims providers and orchestration steps. Break free from conventional constraints and unlock a world of customization possibilities with this 💪 powerful technique.

Azure B2C allows passing inputs to any custom policy via query params.

BUT! Passing normal query params does not work here…

We need to pass a JWT token as a query param in a specific format.

Also, we need to add some elements to the custom policy to be able to read and use these inputs.

1. Inputs are passed as JWT

All inputs of a custom policy can be passed as a JWT token.

In Azure lingo this JWT Token is called id_token_hint.

The token looks like the one below (header, payload and signature, shown decoded):

{
  "alg": "HS256",
  "typ": "JWT"
}.{
  // these are mandatory inputs
  "nbf": 1599482515,
  "exp": 1600087315,
  "iss": "https://localhost",
  "aud": "a489fc44-3cc0-4a78-92f6-e413cd853eae", // this is the client id of your app registration

  // include any other inputs you want to pass
  "displayName": "John Smith",
  "userId": "john.s@contoso.com",
  "fruit": "apple"
}.{
  Signature goes here...
}

You can easily generate this JWT using tools like jwt.io with your custom inputs.

2. Secure your JWT

Follow these simple steps to set up your B2C_1A_IdTokenHintKey.

This key is used to sign the JWT when you send it, and your policy verifies that signature when it receives the token. Because HS256 is a shared-secret scheme, anyone holding this key can mint tokens the policy accepts, so keep it server-side and out of client code.

3. Add a variable to receive input

<ClaimType Id="fruit_input">
  <DisplayName>Your fruit name will be received in this variable</DisplayName>
  <DataType>string</DataType>
</ClaimType>

4. Add a Claims Provider

Add the following XML element to your custom policy:

<ClaimsProvider>
  <DisplayName>My ClaimsProvider</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="IdTokenHint_ExtractClaims">
      <DisplayName>My TechnicalProfile</DisplayName>
      <Protocol Name="None" />
      <Metadata>
        <Item Key="IdTokenAudience">a489fc44-3cc0-4a78-92f6-e413cd853eae</Item>
        <Item Key="issuer">https://localhost</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_IdTokenHintKey" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="fruit_input" PartnerClaimType="fruit"/>
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

Replace the following values in the technical profile:

  1. IdTokenAudience will be the clientId of any web app you have registered in your tenant; the JWT's aud claim must carry the same value.
  2. You can set any value in the issuer element, for example https://localhost, but make sure you pass exactly the same value in your id_token_hint as the iss property, as shown below:

{
  ...
  ...
  "iss": "https://localhost"
}

5. Add input and output to Relying Party

<RelyingParty>
    ...
    <TechnicalProfile Id="PolicyProfile">
      ...
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="fruit_input" PartnerClaimType="fruit"/>
      </InputClaims>

      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="fruit_input"/>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
      </OutputClaims>
      ...
    </TechnicalProfile>
</RelyingParty>

6. Add an orchestration step

Find the <UserJourney> ... </UserJourney> element in your custom policy and add the following step as the 1st step.

<OrchestrationStep Order="1" Type="GetClaims" CpimIssuerTechnicalProfileReferenceId="IdTokenHint_ExtractClaims" />

Then renumber the steps that follow it (2, 3, ... and so on) so the Order values stay consecutive.

7. How to send the JWT as query param

https://YOUR_TENANT.b2clogin.com/YOUR_TENANT.onmicrosoft.com/B2C_1A_YOUR_POLICY/oauth2/v2.0/authorize

Query Param | Note / Example
--- | ---
?client_id=YOUR_CLIENT_ID | cfaf887b-a9db-4b44-ac47-5efff4e2902c
&nonce=defaultNonce | 
&redirect_uri=https%3A%2F%2Fjwt.ms | ensure this is URL-encoded
&scope=openid | 
&response_type=id_token | 
&prompt=login | 
&id_token_hint=YOUR_JWT_TOKEN | eyJhbGc.eyJzdW.SflKxwRJS
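The following added example (not code from the original post) puts steps 1, 2 and 7 together: it mints the HS256-signed id_token_hint with the mandatory nbf/exp/iss/aud claims plus custom inputs, replays the checks the IdTokenHint_ExtractClaims profile performs on the receiving side (signature, iss, aud, validity window), and assembles the /authorize URL with a properly encoded redirect_uri. The tenant name, policy name and signing secret are constructed placeholders; in practice the secret is the B2C_1A_IdTokenHintKey value from step 2.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token_hint(key: bytes, issuer: str, audience: str, inputs: dict,
                       now: int, ttl: int = 3600) -> str:
    """HS256-sign an id_token_hint: mandatory nbf/exp/iss/aud plus the custom inputs."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"nbf": now, "exp": now + ttl, "iss": issuer, "aud": audience, **inputs}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_id_token_hint(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Mirror the checks IdTokenHint_ExtractClaims makes before releasing any claim:
    HS256 signature with the shared key, then iss, aud and the nbf/exp window."""
    head, body, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")  # e.g. http://localhost vs https://localhost
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("outside nbf/exp window")
    return claims

def build_authorize_url(tenant: str, policy: str, client_id: str,
                        redirect_uri: str, id_token_hint: str) -> str:
    """Assemble the /authorize URL from step 7; urlencode escapes redirect_uri for us."""
    params = {"client_id": client_id, "nonce": "defaultNonce", "redirect_uri": redirect_uri,
              "scope": "openid", "response_type": "id_token", "prompt": "login",
              "id_token_hint": id_token_hint}
    base = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize"
    return base + "?" + urlencode(params)
```

A token signed with a different key, an iss of http://localhost instead of https://localhost, or a clock outside the nbf/exp window all fail verification, which is exactly what you will see as a policy error if the metadata in step 4 and the JWT disagree.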

8. Done!

Now you can call that URL and use your fruit_input value!

To add more inputs, add them to the JWT and declare them in the <OutputClaims> section of the IdTokenHint_ExtractClaims technical profile.

This post is licensed under CC BY 4.0 by the author.
