In Azure B2C, after programmatically creating a user, I'd like to email the user a link so they can set their password. I'm using my own email provider for this, not B2C - so I just need a URI that I can include in my 'welcome' email.
The link needs to be specifically for them, so that when they click on it, they don't have to re-enter their email address and do the whole email-verification process.
I'm using B2C Custom Policies, which according to documentation should allow me to add a query string to this URL called id_token_hint. This is a self-signed JWT token which contains the claims I want to pass to my policy (in my case, email).
I'm following guidance/instructions from these two links:
I'm hosting the .well-known endpoints for my self-signed certificate - and can see when I'm testing, that B2C is calling both of the endpoints.
My problem is that I just can't get the policy to use the email I embedded in that id_token_hint JWT token.
I've got a technical profile to consume it...
<TechnicalProfile Id="IdTokenHint_ExtractClaims">
  <DisplayName>My ID Token Hint TechnicalProfile</DisplayName>
  <Protocol Name="None" />
  <Metadata>
    <Item Key="METADATA">https://<my-domain>/.well-known/openid-configuration</Item>
    <Item Key="issuer">https://localhost/</Item>
  </Metadata>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" />
  </OutputClaims>
</TechnicalProfile>
and I'm referencing it from my user journey...
<OrchestrationStep Order="1" Type="GetClaims" CpimIssuerTechnicalProfileReferenceId="IdTokenHint_ExtractClaims" />
Referencing from the user journey like this (i.e. with CpimIssuerTechnicalProfileReferenceId), which is what the above documentation says to do, doesn't let me then add that email as an <InputClaim> in the next technical profile. It then gives this validation error when trying to upload...
"Claim type "email" is the output claim of the relying party's technical profile, but it is not an output claim in any of the steps of user journey "DanTest"."
Even though, it is an output claim of the IdTokenHint_ExtractClaims!
If I change the orchestration step to look like this instead...
<OrchestrationStep Order="1" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="IdTokenHint_ExtractClaims" TechnicalProfileReferenceId="IdTokenHint_ExtractClaims" />
  </ClaimsExchanges>
</OrchestrationStep>
That then successfully uploads. However, I then get a runtime error saying this...
"An attempt was made to resolve a protocol handler for unsupported protocol "None" in technical profile with id "IdTokenHint_ExtractClaims" in policy with id "B2C_1A_dantest" for tenant with id "mytenant.onmicrosoft.com"."
I'm struggling to find out what to try next. Any ideas what I'm doing wrong?
In addition to specifying the ID token hint technical profile, you also need to add the claim as an input claim to the relying party technical profile:
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUp" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="userId" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
Docs: https://learn.microsoft.com/en-us/azure/active-directory-b2c/id-token-hint#configure-your-policy