Our company is setting up Azure B2C as our IDP. If we have 2 different applications that will authorise through B2C, can you send different claim data with the token depending on which application the user is signing in to?

From some research it looks like this could be possible through different custom policies per application; is this also true?

The main reason is that we want to send sensitive user data to one application that GDPR (data protection) states it can use, whereas the other application will neither have any use for this user data nor would it be approved under GDPR rules.

drcoding

1 Answer

You are correct. You can achieve this with a different Custom Policy or User Flow for each application, since this is where you specify the claims that are returned to the relying party.

Brad C.
    I would add to that: since by default nothing stops an app from using any available user flow or custom policy, you probably want to go with custom, where you can build restrictions based on the client_id value. This way, even if someone manipulates the URL, the policy will either not work or not expose sensitive data for a client_id different from the one you specify in its code, and you won't have the risk of exposing a token with sensitive data to the wrong application. – wojtekdo May 12 '21 at 14:59
  • @wojtekdo, good point. You could have a small Azure storage table with some config elements per app, or just append additional query string parameters. If you're using the authorization code flow, the token won't be sent through the browser, so it shouldn't be a security issue. – Thomas May 12 '21 at 23:59
  • 1
    You don’t need to really add this protection as the application will reject the token if somebody tried manipulating the policy id in the auth url. – Jas Suri - MSFT May 13 '21 at 22:00
  • Good point, you can also have a strict validation of allowed policies in the app. – wojtekdo May 17 '21 at 13:29
  • Giving it a second thought though, if you want to protect that data and not allow to send it to the app then the centralized way of having client_id restriction in the policy will be the way to go. – wojtekdo May 17 '21 at 17:00
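As an added worked example (not code from the thread, and not any commenter's own configuration), the relying-party policy file below puts the answer's "one policy per application, with its own OutputClaims" together with wojtekdo's client_id restriction, for the one application that is allowed to receive the sensitive data. Everything specific in it is assumed: the tenant contoso.onmicrosoft.com, the starter-pack TrustFrameworkBase and TrustFrameworkExtensions policies with AAD-Common already set up for custom attributes, an HR portal registered with client_id 11111111-1111-1111-1111-111111111111, a custom attribute extension_NationalId as the data only that app may see, and all policy, journey, claim and technical-profile names.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the thread: relying-party policy for the HR portal only. All ids are assumed. -->
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySchemaVersion="0.3.0.0"
    TenantId="contoso.onmicrosoft.com" PolicyId="B2C_1A_signin_hrportal"
    PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_signin_hrportal">
  <BasePolicy>
    <TenantId>contoso.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="callingClientId"><DisplayName>client_id of the requesting app</DisplayName><DataType>string</DataType></ClaimType>
      <ClaimType Id="callerIsNotHrPortal"><DisplayName>Caller is not the HR portal</DisplayName><DataType>boolean</DataType></ClaimType>
      <ClaimType Id="extension_NationalId"><DisplayName>National ID (sensitive)</DisplayName><DataType>string</DataType></ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations>
      <!-- callerIsNotHrPortal = (callingClientId != HR portal app id); the app id is an assumed value. -->
      <ClaimsTransformation Id="CheckCallerIsNotHrPortal" TransformationMethod="CompareClaimToValue">
        <InputClaims><InputClaim ClaimTypeReferenceId="callingClientId" TransformationClaimType="inputClaim1" /></InputClaims>
        <InputParameters>
          <InputParameter Id="compareTo" DataType="string" Value="11111111-1111-1111-1111-111111111111" />
          <InputParameter Id="operator" DataType="string" Value="not equal" />
          <InputParameter Id="ignoreCase" DataType="string" Value="true" />
        </InputParameters>
        <OutputClaims><OutputClaim ClaimTypeReferenceId="callerIsNotHrPortal" TransformationClaimType="outputClaim" /></OutputClaims>
      </ClaimsTransformation>
    </ClaimsTransformations>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>HR portal gate</DisplayName>
      <TechnicalProfiles>
        <!-- Runs the comparison above inside the journey. -->
        <TechnicalProfile Id="CT-CheckCaller">
          <DisplayName>Compute callerIsNotHrPortal</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <OutputClaims><OutputClaim ClaimTypeReferenceId="callerIsNotHrPortal" /></OutputClaims>
          <OutputClaimsTransformations><OutputClaimsTransformation ReferenceId="CheckCallerIsNotHrPortal" /></OutputClaimsTransformations>
        </TechnicalProfile>
        <!-- The only technical profile that reads the sensitive attribute from the directory. -->
        <TechnicalProfile Id="AAD-UserReadSensitiveAttributes">
          <Metadata><Item Key="Operation">Read</Item></Metadata>
          <InputClaims><InputClaim ClaimTypeReferenceId="objectId" /></InputClaims>
          <OutputClaims><OutputClaim ClaimTypeReferenceId="extension_NationalId" /></OutputClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="SignInHrPortal">
      <OrchestrationSteps>
        <!-- Steps 1-3: local-account sign-in as in the starter pack, then read the user by objectId. -->
        <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections><ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninEmailExchange" /></ClaimsProviderSelections>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges><ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" /></ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <ClaimsExchanges><ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" /></ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <ClaimsExchanges><ClaimsExchange Id="CheckCaller" TechnicalProfileReferenceId="CT-CheckCaller" /></ClaimsExchanges>
        </OrchestrationStep>
        <!-- Step 5 is skipped for every client_id except the HR portal's, so extension_NationalId is
             never populated for other callers, and a claim with no value is left out of the token. -->
        <OrchestrationStep Order="5" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecutionType="TrueIf">
              <Value>callerIsNotHrPortal</Value>
              <Value>True</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges><ClaimsExchange Id="ReadSensitive" TechnicalProfileReferenceId="AAD-UserReadSensitiveAttributes" /></ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>
  </UserJourneys>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignInHrPortal" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <!-- {OIDC:ClientId} is resolved from the client_id of the request that started the journey. -->
      <InputClaims><InputClaim ClaimTypeReferenceId="callingClientId" DefaultValue="{OIDC:ClientId}" AlwaysUseDefaultValue="true" /></InputClaims>
      <!-- The second application's policy file lists only the first two claims here and has no steps 4-5. -->
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="extension_NationalId" PartnerClaimType="national_id" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
```

The sensitive attribute is read only in step 5, and that step is skipped whenever the client_id that started the journey is not the HR portal's, so a request that swaps in this policy name but carries the other application's client_id still signs the user in and gets a token without national_id. The second application gets its own relying-party file with the same structure, minus steps 4 and 5 and with only objectId and displayName in OutputClaims, which is the per-policy claim selection the answer describes. {OIDC:ClientId} comes from the request, but B2C rejects a client_id that is not registered in the tenant and checks redirect_uri against that registration, so a caller cannot borrow the HR portal's client_id to have the token delivered to its own redirect URI. Validate the file with the B2C policy schema before uploading; the boolean comparison deliberately follows the starter pack's ClaimEquals/True pattern rather than relying on a negated precondition.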