
I'm trying to add a custom policy without a refresh token. I've modified the ClaimsProviders this way:

<ClaimsProvider>
  <DisplayName>Token Issuer</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="JwtIssuer">
      <DisplayName>JWT Issuer</DisplayName>
      <Protocol Name="None" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="client_id">{service:te}</Item>
        <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
        <Item Key="AuthenticationContextReferenceClaimPattern">None</Item>
        <Item Key="token_lifetime_secs">3600</Item>
        <!-- 1 H -->
        <Item Key="id_token_lifetime_secs">3600</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

But it's not working. I'm facing this JS error when I try to sign in:

main.js:1 ERROR ServerError: server_error: AADB2C: Issuer technical profile 'JwtIssuer' must specify a 'issuer_refresh_token_user_identity_claim_type' to use this OAuth flow

Correlation ID: bab26044-1e53-4b4a-b5c9-d2f35030a9d7

Any ideas?

Thanks :)

magnetictank

1 Answer

Thanks for the comment @paralight. We need to apply a workaround to achieve this, as there is no way to remove the refresh token and no direct modification of the JwtIssuer technical profile.

Workaround:

Force a session timeout by adding a UserJourneyBehaviors tag in the custom policy, e.g.:

<UserJourneyBehaviors>
  <SingleSignOn Scope="Application" />
  <SessionExpiryType>Absolute</SessionExpiryType>
  <SessionExpiryInSeconds>900</SessionExpiryInSeconds>
</UserJourneyBehaviors>

Other scenario:

Claims information in the JWT token is exposed to the public. To store some sensitive information in the JWT token:

Workaround: You can send claims to a REST API and have them sent back to B2C encrypted. You would create an orchestration step before the SendClaims step to send all claims to a REST API, and have the REST API respond with encrypted versions of those claims.

JWT Token issuer reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/jwt-issuer-technical-profile

REST API usage: https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-exchange

Reference, all Technical Profiles: https://learn.microsoft.com/en-us/azure/active-directory-b2c/technicalprofiles

Reference SO thread: Modify the JwtIssuer ClaimsProvider in the custom policy to achieve the JWE in AD B2C

Adding your comment as an answer, and glad to know your queries are addressed. You can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). This can be beneficial to other community members.

SureshBabu
  • Thanks for the answer. Actually, Azure support helped me, saying there was no way to remove a refresh token. And so they advised me to force a session timeout by adding a UserJourneyBehaviors tag in my custom policy, e.g.: Absolute 900 – magnetictank Sep 24 '21 at 13:06
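The REST API claims-encryption workaround from the answer above, written out as an added example (not code from the answer or from Microsoft's documentation): a RestfulProvider technical profile that posts the sensitive claim to an API and receives an encrypted version back, with the ClaimsExchange orchestration step placed immediately before SendClaims. The service URL, the REST-EncryptClaims and B2C_1A_RestApiKey names, the encryptedEmail claim, the step orders and the SM-Noop session profile are assumptions.

```xml
<!-- Assumed names: REST-EncryptClaims, B2C_1A_RestApiKey, encryptedEmail, step orders 7 and 8 -->
<!-- In BuildingBlocks/ClaimsSchema: declare the claim the API returns -->
<ClaimType Id="encryptedEmail">
  <DisplayName>Encrypted email</DisplayName>
  <DataType>string</DataType>
</ClaimType>

<ClaimsProvider>
  <DisplayName>REST APIs</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-EncryptClaims">
      <DisplayName>Encrypt sensitive claims before token issuance</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- HTTPS endpoint that receives the input claims as a JSON body (assumed URL) -->
        <Item Key="ServiceUrl">https://api.example.com/b2c/encrypt-claims</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <!-- API key sent in a request header; the Key Id below is used as the header name -->
        <Item Key="AuthenticationType">ApiKeyHeader</Item>
        <!-- Keep false so an unauthenticated (AuthenticationType None) call is rejected in production -->
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="x-functions-key" StorageReferenceId="B2C_1A_RestApiKey" />
      </CryptographicKeys>
      <InputClaims>
        <!-- Send only the claim that must be protected, not the whole claims bag -->
        <InputClaim ClaimTypeReferenceId="email" />
      </InputClaims>
      <OutputClaims>
        <!-- The API responds with {"encryptedEmail": "..."}; the relying party emits this claim instead of email -->
        <OutputClaim ClaimTypeReferenceId="encryptedEmail" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- In the user journey: call the API right before the token is issued -->
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="EncryptClaimsExchange" TechnicalProfileReferenceId="REST-EncryptClaims" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="8" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
```

The relying party policy's OutputClaims should then list encryptedEmail rather than email, otherwise the plaintext claim still ends up in the issued JWT.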