
I have an id_token_hint carrying a token issued by https://sts.windows.net/. I'm willing to use it as a trusted party based on the role present in the token. Here's an example JWT token:

{
  "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
  "iat": 1610050840,
  "nbf": 1610050840,
  "exp": 1610054740,
  "aio": "E2JgYPi646//0000000000000000000=",
  "app_displayname": "my_app_displayname",
  "appid": "00000000-0000-0000-0000-000000000000",
  "appidacr": "1",
  "idp": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
  "idtyp": "app",
  "oid": "00000000-73e4-46ae-b464-000000000000",
  "rh": "0.AAAAiKphxJIQoUmmKLTdWWDB80kfo3ST3nNJgG0000000000000.",
  "roles": [
    "Mail.Send",
    "Policy.ReadWrite.TrustFramework"
  ],
  "sub": "00000000-73e4-46ae-b464-000000000000",
  "tenant_region_scope": "EU",
  "tid": "00000000-0000-0000-0000-000000000000",
  "uti": "jDVAsZtcd0ezvvkFN00000",
  "ver": "1.0",
  "xms_tcdt": 1599800000
}

As you can see, I have a field `roles`, which contains an array of roles. I'm trying to parse this array into specific claims like IsPolicyReadWriteRole and IsMailSendRole. However, I cannot find any examples in the starter pack, or anywhere else, of how to do that. I don't need these claims to be emitted themselves; I just plan to use them as a precondition in an orchestration step.

Georgy Grigoryev

1 Answer

You can extract claims from the id_token_hint using the instructions and sample mentioned here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/id-token-hint

Then you can use the GetSingleItemFromStringCollection claims transformation to get the claim value: https://learn.microsoft.com/en-us/azure/active-directory-b2c/stringcollection-transformations#getsingleitemfromstringcollection

And then you can use the claimExist or claimEquals predicate to test for the value.

The id_token_hint validation technical profile will look like the one below:

<ClaimsProvider>
  <DisplayName>Trustframework Policy Engine TechnicalProfiles</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="TpEngine_IdTokenHint_ExtractClaims">
      <DisplayName>Trustframework Policy Engine ID Token Hint Setup Technical Profile</DisplayName>
      <Protocol Name="None" />
      <Metadata>
        <!-- OpenID Connect discovery document of the issuing tenant; B2C takes the expected issuer and the signing keys from it -->
        <Item Key="METADATA">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>
      </Metadata>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
Abhishek Agrawal
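The three steps of the answer chained into one policy fragment, as an added example that is not part of the answer or of the Microsoft samples: the validation technical profile emits the `roles` collection, GetSingleItemFromStringCollection turns it into `firstRole`, and a ClaimEquals precondition gates an orchestration step on that value. The ClaimType ids `roles` and `firstRole`, the transformation id `GetFirstRole`, the step order and the ClaimsExchange target are assumed names.

```xml
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="roles">
      <DisplayName>Roles array carried by the id_token_hint</DisplayName>
      <DataType>stringCollection</DataType>
    </ClaimType>
    <ClaimType Id="firstRole">
      <DisplayName>First element of roles</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <ClaimsTransformation Id="GetFirstRole" TransformationMethod="GetSingleItemFromStringCollection">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="roles" TransformationClaimType="collection" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="firstRole" TransformationClaimType="extractedItem" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>
<!-- Step 1: the validation profile from the answer, extended to emit roles and run the transformation -->
<TechnicalProfile Id="TpEngine_IdTokenHint_ExtractClaims">
  <DisplayName>ID Token Hint Setup</DisplayName>
  <Protocol Name="None" />
  <Metadata>
    <!-- Signature and issuer are checked against this document; {tenant} is the issuing Azure AD tenant -->
    <Item Key="METADATA">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>
  </Metadata>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="roles" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="GetFirstRole" />
  </OutputClaimsTransformations>
</TechnicalProfile>
<!-- Step 3: this step runs only when firstRole equals the expected role; otherwise it is skipped -->
<OrchestrationStep Order="2" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>firstRole</Value>
      <Value>Policy.ReadWrite.TrustFramework</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PrivilegedExchange" TechnicalProfileReferenceId="SomeTechnicalProfile" />
  </ClaimsExchanges>
</OrchestrationStep>
```

GetSingleItemFromStringCollection keeps only the first element, so for the token in the question `firstRole` would be `Mail.Send` and the step above would be skipped. A token that can carry several roles needs one check per sought role, which the same documentation page covers with the StringCollectionContains transformation that outputs a boolean claim a ClaimsExist or ClaimEquals precondition can test.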