Modify the JwtIssuer ClaimsProvider in the custom policy to achieve the JWE in AD B2C

Question

I am using the AD B2C service for the authentication.

AD B2C is generating the signed JWT tokens, but the claims information in the JWT token is exposed to the public. If anyone gets the token they can able to see the claims information.

In my case I need to store some sensitive information in the JWT token. So is there any way to generate JWE token (encrypted token) in AD B2C, so that only the intended recipient can read it.

Is thre any possible solution to modify the JwtIssuer ClaimsProvider in the custom policy to achieve the JWE. Please suggest

<ClaimsProvider>
      <DisplayName>Token Issuer</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="JwtIssuer">
          <DisplayName>JWT Issuer</DisplayName>
          <Protocol Name="None" />
          <OutputTokenFormat>JWT</OutputTokenFormat>
          <Metadata>
            <Item Key="client_id">{service:te}</Item>
            <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
            <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
            <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
          </CryptographicKeys>
          <InputClaims />
          <OutputClaims />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

Answer 1

True JWE with B2C isn’t possible yet. You can send claims to a REST API and send them back to B2C to encrypt them as a stop gap for now.

JWT Token issuer reference https://learn.microsoft.com/en-us/azure/active-directory-b2c/jwt-issuer-technical-profile

REST API usage https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-exchange