I have a custom policy which produces a B2C token with a nested idp_access_token. I want my B2C token to include an email claim. I have the email (unique_name/sub claims) in the nested idp_access_token. So, is it possible to have some kind of ClaimTransformation to extract the necessary data from the idp_access_token claim?

Update: Inside the external token I have the claim "unique_name". I have the following claims configuration:

For the Technical Profile which describes the OAuth interaction:

    <Protocol Name="OAuth2"/>
    <OutputTokenFormat>JWT</OutputTokenFormat>
    <Metadata>...</Metadata>
    <CryptographicKeys>...</CryptographicKeys>
    <InputClaims>...</InputClaims>
    <OutputClaims>
        ...
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name"/>
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}"/>
    </OutputClaims>

For the RelyingParty:

    <RelyingParty>
        <DefaultUserJourney ReferenceId="SignIn" />
        <TechnicalProfile Id="PolicyProfile">
            <DisplayName>PolicyProfile</DisplayName>
            <Protocol Name="OpenIdConnect" />
            <OutputClaims>
                ...
                <OutputClaim ClaimTypeReferenceId="email" />
                <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token"/>
            </OutputClaims>
        </TechnicalProfile>
    </RelyingParty>

I see that the claims settings work for idp_access_token, but not for email.

[screenshots: External IDP token idp_access_token; External IDP token]

Update

If I add a default value, then in the response I see it in the B2C token:

<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" DefaultValue="test@email.com" />
Anton Putau

1 Answer

I presume you are logging into an external IDP?

In which case, you could get the email attribute via the IDP mapping in the IDP ClaimsProviders element.

rbrayb
  • Yes, to an external IDP. Have updated the question to show that the IDP mapping setup does not work – Anton Putau Aug 29 '23 at 10:57
  • Use App Insights, look at the JWT returned by the IDP and check that it contains that claim. Note: this JWT is not the access token but rather the IDP ID Token. – rbrayb Aug 29 '23 at 21:24
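The check rbrayb's comment describes (look at which token the IdP actually returned and whether the claim name you are mapping from is in it) is easy to get wrong when the access token and the ID token carry different claims. The script below is an added example, not part of the question or answer and not B2C's own code: it decodes a JWT payload for inspection and models what an <OutputClaim ClaimTypeReferenceId="..." PartnerClaimType="..." DefaultValue="..."> list produces when applied to a given set of IdP claims. The two tokens, the HS256 test secret and the claim values are all constructed; the mapping model is a simplification of B2C's behaviour and assumes, as the comment states, that the mapping is applied to the IdP's ID token rather than to the access token.

```python
import base64
import hashlib
import hmac
import json

# Constructed test secret: only used to mint sample tokens for this example.
TEST_SECRET = b"example-shared-secret-not-real"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, secret: bytes = TEST_SECRET) -> str:
    """Mint a sample HS256 token so the example runs offline (constructed data)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def inspect_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature.

    Debugging aid only: it shows which claim names the IdP actually emitted.
    Trust decisions must use a verified token; B2C verifies the IdP signature
    itself before mapping claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def apply_output_claims(idp_claims: dict, output_claims: list) -> dict:
    """Simplified model of an <OutputClaims> list applied to one IdP token.

    Entries are (ClaimTypeReferenceId, PartnerClaimType, DefaultValue). A claim
    is emitted only if the partner claim exists in the token the mapping is
    applied to, or if a DefaultValue is configured.
    """
    mapped = {}
    for ref_id, partner_claim, default in output_claims:
        if partner_claim in idp_claims:
            mapped[ref_id] = idp_claims[partner_claim]
        elif default is not None:
            mapped[ref_id] = default
    return mapped


# Constructed sample tokens mirroring the question: the access token carries
# unique_name, the ID token does not.
ACCESS_TOKEN = make_hs256_jwt(
    {"sub": "alice@example.com", "unique_name": "alice@example.com", "scp": "user_impersonation"}
)
ID_TOKEN = make_hs256_jwt(
    {"sub": "f1e2d3c4", "name": "Alice Example", "aud": "b2c-app-id-placeholder"}
)

# The two <OutputClaim> lines from the question, as tuples.
MAPPING_NO_DEFAULT = [("email", "unique_name", None)]
MAPPING_WITH_DEFAULT = [("email", "unique_name", "test@email.com")]


def diagnose() -> dict:
    """Apply the mapping to both tokens and report what would reach the B2C token."""
    id_claims = inspect_claims(ID_TOKEN)
    access_claims = inspect_claims(ACCESS_TOKEN)
    return {
        "id_token_claim_names": sorted(id_claims),
        "email_from_id_token": apply_output_claims(id_claims, MAPPING_NO_DEFAULT),
        "email_from_id_token_with_default": apply_output_claims(id_claims, MAPPING_WITH_DEFAULT),
        "email_from_access_token": apply_output_claims(access_claims, MAPPING_NO_DEFAULT),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(), indent=2))
```

Running it reproduces the symptom from the question: mapping email from unique_name against the ID token yields nothing, adding DefaultValue makes test@email.com appear, and the same mapping against the access token would have worked. To use it on a real IdP, paste the ID token captured in App Insights into inspect_claims and compare the printed claim names with your PartnerClaimType values.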