Using an external IDP in azure B2C. Is it possible to add a custom claim to the JWT without using custom policies?
In my IDP I have this code in the /connect/token endpoint:
    identity.RemoveClaims(Claims.GivenName);
    identity.AddClaim(Claims.GivenName, identity.Claims.First(x => x.Type == "SSN").Value);
This works as expected and the "given_name" claim is set to the SSN.
This, however, does not work:
    identity.AddClaim("extension_9322349238409238_SSN", identity.Claims.First(x => x.Type == "SSN").Value);
If I use an API connector I can indeed enrich the token with the claim, but I need to do it before that, when I actually have access to the SSN.
Is this possible without a custom policy? The documentation is not 100% clear about this.
Note: I do not want to collect the claim using user input which could be achieved using user attributes.
2 Answers
I created a custom attribute "SSN" in Azure AD B2C:
Created an Azure AD B2C user flow and selected SSN as an application claim:
As a sample, I configured Google as the identity provider:
When I ran the user flow, I selected sign in with Google:
Once the user signs in, the user will be created in the Azure AD B2C tenant:
Copy the Object ID of the user and assign the custom attribute value to the user:
Run the user flow; the ID token and access token will be generated.
When I decoded the access token, the custom claim SSN is displayed successfully:
Otherwise, you can directly select the given name as application claim and when you decode the token it will be displayed as
"given_name": "ruk"
If you need it added automatically you can leverage API Connectors.
‘After federating with an identity provider during sign-up’ or ‘Before creating the user’ should fulfil your needs.
There is a third option, ‘Before sending the token’ but it is still in preview. It may be suitable if you don’t want to persist the SSN against the user object.
Note: you will have to have your own API to return the value you want populated.
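What such an API has to do for the 'Before creating the user' connector, as an added example that is not part of either answer or of any Microsoft sample: it checks the Basic credentials B2C is configured to send, reads the federated identity from the request body, looks the SSN up in a directory of its own, and returns either a Continue response carrying the extension attribute or a ShowBlockPage response. The extension app id, the credentials and the SSN directory are constructed placeholders, and the framework-agnostic handler is assumed to be wired to an HTTPS route by whatever web framework you use.

```python
import base64
import hmac
import json

# Constructed placeholder: the b2c-extensions-app application id without hyphens,
# which B2C uses as the middle part of every extension attribute name.
EXTENSION_APP_ID = "00000000000000000000000000000000"
SSN_CLAIM = f"extension_{EXTENSION_APP_ID}_SSN"

# Credentials B2C is configured to send in the connector's Basic auth header (constructed).
API_USER, API_PASSWORD = "b2c-connector", "s3cret-example"

# Constructed stand-in for the system that actually knows the SSN, keyed by the
# federated identity (issuer, issuerAssignedId) that B2C forwards in the request body.
SSN_DIRECTORY = {("google.com", "1099511627776"): "123-45-6789"}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value B2C sends (used here to build test requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(headers: dict) -> bool:
    """Validate the Basic credentials; constant-time comparison on both parts."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    return hmac.compare_digest(user, API_USER) and hmac.compare_digest(password, API_PASSWORD)


def handle_before_creating_user(headers: dict, raw_body: str) -> tuple:
    """Return (http_status, json_body) for one API connector call."""
    if not basic_auth_ok(headers):
        return 401, {}
    body = json.loads(raw_body)
    federated = [i for i in body.get("identities", []) if i.get("signInType") == "federated"]
    key = (federated[0]["issuer"], federated[0]["issuerAssignedId"]) if federated else None
    ssn = SSN_DIRECTORY.get(key)
    if ssn is None:
        # No SSN on record: refuse account creation rather than issuing a token without it.
        return 200, {"version": "1.0.0", "action": "ShowBlockPage",
                     "userMessage": "Your account could not be linked to an identity record."}
    # Continue and set the custom attribute; B2C persists it on the user and
    # emits it as the SSN application claim selected in the user flow.
    return 200, {"version": "1.0.0", "action": "Continue", SSN_CLAIM: ssn}
```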