
We created a Sign Up and Sign In user flow for our B2C application to authenticate users.

To identify which option the user selected, i.e. sign up or sign in, we added the "User is new" application claim to our user flow.


But when we generate the token, we cannot see the "newUser" flag in its claims.


```json
{
  "iss": "https://ourb2ctenant.b2clogin.com/0006565e-bfe8-45ee-a405-cede36487a6d/v2.0/",
  "exp": 1666757889,
  "nbf": 1666754289,
  "aud": "3df6735e-2c7c-436d-a9f2-058d213d125a",
  "tfp": "B2C_1_SUSI",
  "azpacr": "1",
  "sub": "92769eb0-14f3-40f8-bef8-75fef429214c",
  "oid": "92769eb0-14f3-40f8-bef8-75fef429214c",
  "tid": "0006565e-bfe8-45ee-a405-cede36487a6d",
  "ver": "2.0",
  "azp": "3df6735e-2c7c-436d-a9f2-058d213d125a",
  "iat": 1666754289
}
```

Are we missing something?

Shawne49

2 Answers


You need to use an interactive method like the authorization code flow and include the openid scope to get the newUser token claim.

I tried to reproduce the same in my environment and got the below results:

I have one Azure AD B2C application with the supported account type set as below.


Now I created one Sign up and sign in user flow with the same parameters as you and ran the user flow.


When I ran the user flow, I got the login screen.


Now I selected Sign up now to sign in as a new user and got a screen where I filled in the details.


When I selected Create, it took me to the redirect URI with the code in the address bar.


To generate the token, I used the authorization code flow with parameters like below:

```http
POST https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/B2C_1_SUSI/oauth2/v2.0/token

grant_type:    authorization_code
client_id:     appid
client_secret: secret
scope:         openid
code:          <the code you got in the step above>
redirect_uri:  https://jwt.ms
```

Response:


When I decoded the above token, I got the newUser claim as true.


Sridevi

It only sends the newUser claim when the value is true (after the initial user sign-up). Notice the Description column of the "User is new" row on the Application claims screen: "True, if the user has just signed-up for your application."

Here are token claims after initial sign up:

```json
{
  "exp": 1666934066,
  "nbf": 1666930466,
  "ver": "1.0",
  "iss": "https://circleboxb2c.b2clogin.com/6e16d329-4657-4f68-bbbe-e47f06bb97c3/v2.0/",
  "sub": "c22da3c0-df8c-4d4e-9ca2-0f9004994b13",
  "aud": "61d2758f-7210-4e72-a669-915583ace4f9",
  "nonce": "638025272161383928.NTVhOWZjOTAtMGI5Yy00NGEyLTg3MzUtNjI2YzQxNjk4ZDdmMzMzNjZhOTItYmM3OC00NDFlLWEzMzItODVjNDVhZjk0Zjc4",
  "iat": 1666930466,
  "auth_time": 1666930466,
  "newUser": true,
  "tfp": "B2C_1_susi-so"
}
```

When I log out and sign in again with that user, I get these claims (no newUser claim this time):

```json
{
  "exp": 1666933847,
  "nbf": 1666930247,
  "ver": "1.0",
  "iss": "https://circleboxb2c.b2clogin.com/6e16d329-4657-4f68-bbbe-e47f06bb97c3/v2.0/",
  "sub": "bd9abfd8-5d79-4231-ad48-5a7b8c700e0f",
  "aud": "61d2758f-7210-4e72-a669-915583ace4f9",
  "nonce": "638025270465287700.Y2FjZjZkMzgtMjBhMC00OWE2LWFjNzQtOGUzMzZkNmQ2NjZjNWFhM2NjMDMtZTNhYi00MWU4LThjYjItZWVjNmVmNmU4MDM2",
  "iat": 1666930247,
  "auth_time": 1666930247,
  "tfp": "B2C_1_susi-so"
}
```
jefftrotman
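Putting both answers together in code, as an added example that is not part of the question or of either answer: the first function builds the authorization-code token request Sridevi describes (with the openid scope that makes B2C issue the id_token carrying user-flow claims); the rest decodes an id_token and reads newUser the way jefftrotman observes it is issued, present and true on the sign-up that created the account, absent on later sign-ins, so a missing claim must be treated as "returning user" rather than as an error. The tenant name, client id and the two sample tokens are constructed placeholders, not values from the original post, and the sample tokens are unsigned demo artifacts: a real B2C token is RS256-signed and must be verified against the jwks_uri in the policy's OpenID metadata document before any claim, newUser included, is trusted.

```python
"""Added example: B2C authorization-code token request and newUser handling.
Tenant, policy, client id and tokens below are constructed placeholders."""
import base64
import json
from typing import Any, Dict

TENANT = "contosob2c"                                   # assumed tenant name
POLICY = "B2C_1_SUSI"                                   # user flow from the question
TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"      # constructed
CLIENT_ID = "00000000-0000-0000-0000-00000000bbbb"      # constructed
TOKEN_ENDPOINT = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
                  f"{POLICY}/oauth2/v2.0/token")
ISSUER = f"https://{TENANT}.b2clogin.com/{TENANT_ID}/v2.0/"


def build_token_request(code: str, client_id: str, client_secret: str,
                        redirect_uri: str) -> Dict[str, str]:
    """Form body for POST TOKEN_ENDPOINT. 'openid' is what makes B2C return an
    id_token that carries the user-flow application claims such as newUser."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "openid",
        "code": code,
        "redirect_uri": redirect_uri,
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims_unverified(id_token: str) -> Dict[str, Any]:
    """Return the payload of a compact JWT as a dict, like jwt.ms does.
    Signature is NOT checked here: verify RS256 against the policy's jwks_uri
    (from its OpenID metadata document) before calling this in production."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: Dict[str, Any], expected_iss: str,
                    expected_aud: str, now: int) -> bool:
    """Standard issuer/audience/lifetime checks that must pass before any
    application claim in the token is acted on."""
    return (claims.get("iss") == expected_iss
            and claims.get("aud") == expected_aud
            and claims.get("nbf", 0) <= now < claims.get("exp", 0))


def is_new_user(claims: Dict[str, Any]) -> bool:
    """B2C emits newUser only on the sign-up that created the account, so an
    absent claim means 'returning user', not 'unknown'."""
    return claims.get("newUser") is True


def make_demo_token(payload: Dict[str, Any]) -> str:
    """Constructed, unsigned token for this demo only (empty signature part).
    Never accept unsigned or alg=none tokens in a real relying party."""
    def enc(obj: Dict[str, Any]) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample payloads mirroring the shape of the answers' tokens.
SIGNUP_TOKEN = make_demo_token({
    "exp": 1666934066, "nbf": 1666930466, "ver": "1.0", "iss": ISSUER,
    "sub": "11111111-1111-1111-1111-111111111111", "aud": CLIENT_ID,
    "iat": 1666930466, "auth_time": 1666930466, "newUser": True, "tfp": POLICY,
})
SIGNIN_TOKEN = make_demo_token({
    "exp": 1666933847, "nbf": 1666930247, "ver": "1.0", "iss": ISSUER,
    "sub": "11111111-1111-1111-1111-111111111111", "aud": CLIENT_ID,
    "iat": 1666930247, "auth_time": 1666930247, "tfp": POLICY,
})

if __name__ == "__main__":
    print(build_token_request("<code>", CLIENT_ID, "<secret>", "https://jwt.ms"))
    for label, tok in (("sign-up", SIGNUP_TOKEN), ("sign-in", SIGNIN_TOKEN)):
        claims = decode_claims_unverified(tok)
        ok = validate_claims(claims, ISSUER, CLIENT_ID, now=1666930500)
        print(label, "valid:", ok, "newUser:", is_new_user(claims))
```

Note that `is_new_user` deliberately tests for the boolean `True` rather than truthiness, and that `validate_claims` is evaluated before it: a token that fails issuer, audience or lifetime checks should be rejected outright, not inspected for application claims.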