
We set custom claims in our custom B2C policies.

<OutputClaims>
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
    <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
    <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
</OutputClaims>

These claims get automatically added to both the ID and access token. However, we do not want these claims to be automatically added to the access token, as they have no purpose there and will be flagged as a security concern by our policies: they contain personal information and are not required when we request and pass the access token.

I cannot find any information in the MS docs on how to remove or hide these claims. The claims in question below are name, given_name, family_name.

{
  "iss": "xxx",
  "exp": xxx,
  "nbf": xxx,
  "aud": "xxx",
  "tid": "xxx",
  "name": "Overflow, Stack",
  "idp": "xxx",
  "sub": "xxx",
  "given_name": "Stack",
  "family_name": "Overflow",
  "nonce": "xxx",
  "scp": "xxx",
  "azp": "xxxx",
  "ver": "1.0",
  "iat": xxx
}
Mr.GT
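One way to verify what actually lands in each token, as an added example that is not part of the question or of Azure AD B2C itself: it decodes a JWT payload without verifying it and reports which of the personal-data claims mapped by the policy above (`name`, `given_name`, `family_name`) are present. The helper names and the two sample tokens are constructed for this example; the "before" token mirrors the payload shape shown in the question, the "after" token carries only what an API needs.

```python
import base64
import json

# Hypothetical helper names for this example (not from the question or from
# Azure AD B2C). The claim names are the ones the question's OutputClaims
# map into the token.
PII_CLAIMS = frozenset({"name", "given_name", "family_name"})


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWS (header.payload.signature).

    The signature is deliberately not checked: this only inspects which
    claims a token carries. It is not token validation and must not be used
    to decide whether the claims can be trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def pii_claims_in(token: str) -> set:
    """Names of the personal-data claims present in the token's payload."""
    return set(PII_CLAIMS & set(jwt_payload(token)))


def access_token_findings(token: str) -> list:
    """Human-readable findings for an access token; an empty list means clean."""
    return [f"access token carries PII claim '{c}'" for c in sorted(pii_claims_in(token))]


# --- constructed sample data (not real B2C tokens) -------------------------
def _unsigned_token(payload: dict) -> str:
    """Build an alg=none token with a placeholder signature for the demo."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.placeholder"


# Payload shaped like the one in the question, including the three PII claims.
BEFORE = _unsigned_token({
    "iss": "https://login.example.invalid/",  # constructed issuer
    "aud": "api-client-id",                   # constructed audience
    "tid": "tenant-id",
    "sub": "user-id",
    "name": "Overflow, Stack",
    "given_name": "Stack",
    "family_name": "Overflow",
    "scp": "read",
    "ver": "1.0",
})

# The same token carrying only what the API needs to authorize the call.
AFTER = _unsigned_token({
    "iss": "https://login.example.invalid/",
    "aud": "api-client-id",
    "tid": "tenant-id",
    "sub": "user-id",
    "scp": "read",
    "ver": "1.0",
})

if __name__ == "__main__":
    for label, tok in (("before", BEFORE), ("after", AFTER)):
        print(label, access_token_findings(tok) or "no PII claims")
```

Running the check against a real access token issued by the policy (for example, in a CI step that requests a token with the auth code flow) gives a concrete, repeatable signal for the "personal information in the access token" finding the question mentions, independent of how the policy XML is eventually changed.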
  • Are you using implicit flow or auth code flow? – Jas Suri - MSFT Oct 05 '20 at 21:30
  • @JasSuri We are using Auth Code flow. – Mr.GT Oct 06 '20 at 10:02
  • Remove the output claims which are not required from the `SignUpOrSignIn.xml` file `RelyingParty` section. The output claims which are mentioned in the `RelyingParty` are added into the token. Please refer to the [document](https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-configure-user-input#include-a-claim-in-the-token) for more information – Raghavendra beldona Oct 08 '20 at 17:59
  • @Raghavendra-MSFTIdentity Unfortunately doing this removes the claims from both the ID and the access token. We need to only remove these claims from the access token. – Mr.GT Nov 16 '20 at 15:32

0 Answers