
I'm working on a web app that uses AAD B2C for authentication, I have setup default inbuilt sign up/sign in flows for it, and its all working fine. However I have noticed that instead of returning a claim with a single primary email of the user, it instead returns a collection of emails, in my test case it is a collection which only contains my only email. I'm curious, is it possible to configure it in such a way that it would include a primary email address claim to JWT when I sign in? From what I have seen when configuring attributes to collect/return for my base user flows, it is possible to collect email when the user signs in, but only "EmailAddresses" collection can be marked to be returned with the token. Is there a way to change this behavior, or is it by design and I am missing a bigger picture?

Danich
  • Thanks @Danich. Any reason to use the standard sign up policy? Could you please use the recommended sign up policy and let us know if the issue still persists. – Jit_MSFT Feb 12 '21 at 06:24
  • @Jit_MSFT Sorry, by "standard" I meant default. I do in fact use the recommended sign up policy. – Danich Feb 12 '21 at 10:31
  • Here are the by-design claims defined in the Azure B2C sign up policy: https://learn.microsoft.com/en-gb/azure/active-directory-b2c/add-sign-up-and-sign-in-policy?pivots=b2c-user-flow – Jit_MSFT Feb 12 '21 at 16:38

1 Answer


This is by design!

Take the SignIn/SignUp policy as an example: you can see that the user attribute shows the email address as a String.

(screenshot: user attributes, Email Address with data type String)

But the application claims show the email address as a StringCollection.

(screenshot: application claims, Email Addresses with data type StringCollection)

The user attributes are the information which AAD B2C collects from the user. Since B2C collects only a single email, that attribute is a string. But the JWT claims are the information which B2C returns to the relying party app, and since there can be more than one email here (coming from multiple sources, such as a federated IdP), this is a collection. Therefore, it is normal for you to get a collection of email addresses back. This is by design, and there is currently no way to change this behavior.

Carl Zhao
  • Why is breaking the OpenID Connect standard "by design"? This is extremely frustrating and it means you can't use Azure AD B2C with an OpenID Connect product due to it. For anyone landing here, here is the bug report: https://github.com/MicrosoftDocs/azure-docs/issues/16566#issuecomment-647038528, and the helpful instructions from Gitlab to configure this properly: https://docs.gitlab.com/ee/administration/auth/oidc.html#microsoft-azure-active-directory-b2c – mpontes Aug 03 '22 at 14:51
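Since the token shape cannot be changed on the B2C side, the practical fix lives in the relying party. The following is an added example for this thread (not code from the question, the answer, or Microsoft) showing how an app can resolve one usable address from the collection and hand a standard `email` claim to an OIDC library that only understands the single-string form. It assumes the collection claim is named `emails` in the id_token (B2C's token name for the "Email Addresses" application claim), that the sample payloads below are constructed by hand, and that signature, issuer and audience validation has already been done by the OIDC library before these claims are inspected.

```python
"""
Resolve a single "primary" email from an Azure AD B2C id_token whose
email attribute arrives as the `emails` string-collection claim.

Assumptions (this is illustrative code, not the project's own):
  * the array claim is called `emails` (B2C's token name for the
    "Email Addresses" application claim);
  * the token's signature/issuer/audience were validated earlier;
  * the sample payloads at the bottom are constructed, not real tokens.
"""
import re
from typing import Any, Mapping, Optional

# Loose syntactic check, not an RFC 5322 validator: it only rejects
# junk such as empty strings or values containing whitespace.
_EMAIL_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")


def _clean(addr: Any) -> Optional[str]:
    """Normalise one entry; return None if it is not a usable address."""
    if not isinstance(addr, str):
        return None
    addr = addr.strip().lower()
    return addr if _EMAIL_RE.match(addr) else None


def primary_email(claims: Mapping[str, Any]) -> str:
    """
    Pick one email from a B2C token.

    Precedence:
      1. a standard OIDC `email` string claim, if the policy emits one;
      2. the first syntactically valid entry of the `emails` collection
         (B2C puts the address collected at sign-up in this list).
    Raises ValueError when neither is usable so the caller cannot
    silently create an account that has no email at all.
    """
    single = _clean(claims.get("email"))
    if single:
        return single

    collection = claims.get("emails")
    if not isinstance(collection, list):
        raise ValueError("token carries neither 'email' nor an 'emails' list")

    for entry in collection:
        addr = _clean(entry)
        if addr:
            return addr
    raise ValueError("'emails' collection contains no usable address")


def has_usable_email(claims: Mapping[str, Any]) -> bool:
    """True if primary_email() would succeed for these claims."""
    try:
        primary_email(claims)
        return True
    except ValueError:
        return False


def stable_subject(claims: Mapping[str, Any]) -> str:
    """
    Never key user accounts on an email, collection or not: `sub` (or
    B2C's `oid`) is the stable identifier; addresses can change or be
    re-registered by a different person.
    """
    for key in ("sub", "oid"):
        value = claims.get(key)
        if isinstance(value, str) and value:
            return value
    raise ValueError("token has no subject identifier")


def to_standard_claims(claims: Mapping[str, Any]) -> dict:
    """
    Return a copy of the claims with a single-string `email` claim
    filled in, for OIDC client libraries that only read `email`.
    The original `emails` list is kept so no information is lost.
    """
    out = dict(claims)
    out["email"] = primary_email(claims)
    return out


# Constructed sample payload: what a B2C user-flow id_token body looks
# like with the "Email Addresses" application claim selected.
SAMPLE_B2C_CLAIMS = {
    "iss": "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
    "sub": "c9e7b3a1-0000-4000-8000-000000000001",
    "name": "Danich",
    "emails": ["danich@example.com"],
}

# Constructed sample with a federated identity contributing a second
# address plus a junk entry that must be skipped.
SAMPLE_FEDERATED_CLAIMS = {
    "sub": "c9e7b3a1-0000-4000-8000-000000000002",
    "emails": ["", "  Alice@Example.com ", "alice@partner.example"],
}

if __name__ == "__main__":
    print(primary_email(SAMPLE_B2C_CLAIMS))
    print(to_standard_claims(SAMPLE_FEDERATED_CLAIMS)["email"])
```

The precedence order matters for portability: if a future policy (or a custom policy) does emit a standard `email` claim, the app picks it up without code changes, and the `emails` fallback only applies to tokens that lack it. The `stable_subject` helper is there because the temptation, once you have one address, is to use it as the account key; the collection shape is a reminder that B2C does not treat email as unique or immutable.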