
I have an ASP.NET Core 3.1 project using Azure AD B2C to manage authentication. I added a custom claim (i.e. extension property) named extension_userType.

To do so, I added it to my B2C_1A_signup_signin custom policy as an output claim:

<DefaultUserJourney ReferenceId="SignUpOrSignIn" />
<TechnicalProfile Id="PolicyProfile">
  <DisplayName>PolicyProfile</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration, DisableStrongPassword" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
    <OutputClaim ClaimTypeReferenceId="email" />
    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" />
    <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
    <OutputClaim ClaimTypeReferenceId="extension_userType" />
  </OutputClaims>
  <SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>

I also added it to the B2C_1A_TrustFrameworkExtensions policy under the "Local Account Sign In" ClaimsProvider:

<DisplayName>Local Account Sign In</DisplayName>
<TechnicalProfiles>
  <TechnicalProfile Id="login-NonInteractive">
    <Metadata>
      <Item Key="client_id">OMISSIS</Item>
      <Item Key="IdTokenAudience">OMISSIS</Item>
    </Metadata>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="OMISSIS" />
      <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="OMISSIS" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="extension_userType" />
    </OutputClaims>
  </TechnicalProfile>
  <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="extension_userType" />
    </OutputClaims>
  </TechnicalProfile>
</TechnicalProfiles>

After the user logs in, the extension_userType claim is available:

(screenshot of the issued claims, including extension_userType, omitted)

But if I restart the web app, and the signed-in user has to re-acquire the token (e.g. when calling a method with AuthorizeForScopesAttribute), the new token will not contain the extension_userType claim.

Instead, if the user performs a logout > login, the claim will reappear.

I analyzed the quick redirect to AD B2C performed when re-acquiring the token: it correctly points to B2C_1A_signup_signin, so I don't understand why the token is incomplete.

Let me know if I can provide you further information to help understand the issue. Thanks in advance :)

McBodge

1 Answer


OK, I found out why: I forgot to add the related output claim to the AAD-UserReadUsingEmailAddress and AAD-UserReadUsingObjectId technical profiles:

<TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_userType" />
  </OutputClaims>
</TechnicalProfile>
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_userType" />
  </OutputClaims>
</TechnicalProfile>
McBodge
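The root cause in the question and the answer is the same: the silent token re-acquisition path reads the user back from the directory through the AAD-UserRead* technical profiles, so any extension claim those profiles do not emit disappears from the renewed token, even though the interactive sign-in path still emits it. If the application authorizes on extension_userType, a renewed token that silently drops the claim is worth catching before deployment rather than in production. The following script is an added example, not code from the question, the answer or Microsoft; it lints the two policy files by parsing them with the standard library, collecting every extension_* claim the relying-party PolicyProfile outputs, and reporting each AAD read profile in the extensions file that does not emit all of them. The two XML strings are constructed samples modelled on the fragments above (the profile Ids, claim names and the B2C policy namespace are real; the tenant name and omitted elements are placeholders), and the pre-fix sample deliberately leaves the claim out of AAD-UserReadUsingObjectId so the report is non-empty.

```python
import xml.etree.ElementTree as ET

# Constructed sample TrustFrameworkExtensions fragment (before the fix described in
# the answer): AAD-UserReadUsingEmailAddress emits extension_userType but
# AAD-UserReadUsingObjectId does not.
EXTENSIONS_XML = """
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
                      PolicyId="B2C_1A_TrustFrameworkExtensions" TenantId="example.onmicrosoft.com">
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Azure Active Directory</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" />
            <OutputClaim ClaimTypeReferenceId="extension_userType" />
          </OutputClaims>
        </TechnicalProfile>
        <TechnicalProfile Id="AAD-UserReadUsingObjectId">
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" />
            <OutputClaim ClaimTypeReferenceId="displayName" />
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""

# Constructed sample relying-party file modelled on the question's first fragment.
RELYING_PARTY_XML = """
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
                      PolicyId="B2C_1A_signup_signin" TenantId="example.onmicrosoft.com">
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="extension_userType" />
      </OutputClaims>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
"""

# Profiles that the silent re-acquisition path uses to read the user back from the
# directory (the ones the answer had to fix). Adjust if your policy uses others.
AAD_READ_PROFILES = ("AAD-UserReadUsingEmailAddress", "AAD-UserReadUsingObjectId")


def _local(tag):
    """Strip the XML namespace prefix so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def output_claims_by_profile(xml_text):
    """Map each TechnicalProfile Id to the set of ClaimTypeReferenceIds it outputs."""
    root = ET.fromstring(xml_text)
    result = {}
    for tp in root.iter():
        if _local(tp.tag) != "TechnicalProfile" or tp.get("Id") is None:
            continue
        claims = {el.get("ClaimTypeReferenceId")
                  for el in tp.iter() if _local(el.tag) == "OutputClaim"}
        # Union in case the same profile Id is repeated in one file.
        result.setdefault(tp.get("Id"), set()).update(claims)
    return result


def missing_extension_claims(relying_party_xml, extensions_xml,
                             read_profiles=AAD_READ_PROFILES):
    """Return {profile_id: [missing extension_* claims]} for every AAD read profile
    that does not emit each extension claim the relying party outputs to tokens.
    An empty dict means renewed tokens will carry the same extension claims."""
    wanted = {c for claims in output_claims_by_profile(relying_party_xml).values()
              for c in claims if c and c.startswith("extension_")}
    emitted_by = output_claims_by_profile(extensions_xml)
    report = {}
    for pid in read_profiles:
        missing = sorted(wanted - emitted_by.get(pid, set()))
        if missing:
            report[pid] = missing
    return report


if __name__ == "__main__":
    for profile, claims in missing_extension_claims(RELYING_PARTY_XML, EXTENSIONS_XML).items():
        print(f"{profile}: add OutputClaim(s) {', '.join(claims)}")
```

To run it against real policy files, read each file's text into the two arguments instead of the inline samples. The check only looks at the extensions file because that is where custom extension_* claims on the AAD read profiles are normally declared; the base file's copies of those profiles do not know about tenant-specific extension attributes.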