We are using Azure B2C to authenticate our users, which is working fine. After signup we add some custom claims to our users, which were defined in the B2C portal as "User attributes", using the Graph API. When I log into the portal I can see these values have been set by our calls, as have some standard claim values (i.e. we also set Display Name by concatenating the givenName and lastName values).
The issue we are having is that after these values are set, they do not appear in the token retrieved by sending the access token to the authentication endpoints until the user is logged out and back in again (which is obviously a pretty awful user experience after signup). It looks like the original id_token is cached when the user is created and that is what is being returned instead.
This doesn't make sense, as it seems perfectly sensible to let a user update their profile (claim values) while logged into an application and for those changes to take effect immediately without needing to re-authenticate.
Could someone explain how/if it is possible to force the cached id_token on the server to expire, so that when we request an id_token using an access token, the id_token contains the most up-to-date claim values?
The issue we are having is that after these values are set, they do not appear in the token retrieved by sending the access token to the authenticate endpoints until the user is logged out and back in again (which is obviously a pretty awful user experience after signup).
Would you mind showing the request details of how you acquire the id_token?
Based on my test, I can acquire the id_token with the updated claim successfully using the steps below:
1. Sign in to a web app.
2. Update the DisplayName using Azure AD Graph like below:
POST: https://graph.windows.net/xxxx.onmicrosoft.com/users/{userId}?api-version=1.6
{
"displayName":"newValue"
}
3. Re-request the id_token from the OAuth 2.0 authorization endpoint using an HTTP request, without sign-out/sign-in (you can also capture the exact request using Fiddler when you sign in to the app):
GET: https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/authorize?client_id={clientId}&redirect_uri={redirectURL}&response_type=id_token&scope=email+openid&response_mode=query&nonce=HWUavSky1PksCJC5Q0xHsw%3d%3d&nux=1&nca=1&domain_hint={XXXX.onmicrosoft.com}
4. The updated claim value shows in the new id_token as expected.
To narrow down this issue, you may check whether there is a cache for the id_token in your app.
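The following script is an added example, not code from the question or the answer above, that reproduces the answer's two steps offline: it describes the Azure AD Graph attribute update, builds the silent id_token re-request against the authorize endpoint with a fresh nonce, and then checks the returned id_token for that nonce and for the updated claim value, which is the check that tells you whether you are looking at a stale cached token or a new one. The tenant, client id, redirect URI and user id are placeholders, and the id_token it inspects is a constructed unsigned sample standing in for what the endpoint would return. One deliberate difference from the answer's text: the Azure AD Graph reference documents user updates as PATCH, so the helper uses PATCH where the answer shows POST. The payload decoder reads claims without verifying the signature; a real client must validate the token against the tenant's signing keys before trusting any claim in it.

```python
"""Hypothetical helper (not from the question or answer above): reproduce the
answer's Graph update + silent id_token re-request offline and check the result."""
import base64
import json
import secrets
from urllib.parse import urlencode

# Placeholder endpoint templates; the tenant is whatever B2C tenant you own.
AUTHORIZE_BASE = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"
GRAPH_USER = "https://graph.windows.net/{tenant}/users/{user_id}?api-version=1.6"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def graph_update_request(tenant: str, user_id: str, **attributes):
    """Step 2 of the answer: the Azure AD Graph call that rewrites user
    attributes (displayName, custom B2C attributes). Returns (method, url, body)
    so the request can be inspected without sending it."""
    return "PATCH", GRAPH_USER.format(tenant=tenant, user_id=user_id), dict(attributes)


def new_nonce() -> str:
    # Generated fresh for every authorize request; the id_token must echo it.
    return _b64url_encode(secrets.token_bytes(16))


def build_authorize_url(tenant, client_id, redirect_uri, nonce, domain_hint=None):
    """Step 3 of the answer: re-request an id_token for the signed-in user
    without a sign-out/sign-in round trip (same parameters as the answer)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "id_token",
        "scope": "openid email",
        "response_mode": "query",
        "nonce": nonce,
    }
    if domain_hint:
        params["domain_hint"] = domain_hint
    return AUTHORIZE_BASE.format(tenant=tenant) + "?" + urlencode(params)


def decode_jwt_claims(token: str) -> dict:
    """Read the payload segment only. No signature verification happens here;
    a real client validates the token against the tenant's JWKS first."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def id_token_reflects_update(token: str, expected_nonce: str, expected_claims: dict) -> bool:
    """Step 4 of the answer as a check: the token must carry the nonce we just
    sent (so it is the new response, not a cached one) and the updated values."""
    claims = decode_jwt_claims(token)
    if claims.get("nonce") != expected_nonce:
        return False
    return all(claims.get(name) == value for name, value in expected_claims.items())


def make_sample_id_token(claims: dict) -> str:
    """Constructed, unsigned sample token used only to exercise the checks
    above offline; it is not something the authorize endpoint would issue."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",
    ])


if __name__ == "__main__":
    tenant = "xxxx.onmicrosoft.com"          # placeholder tenant
    nonce = new_nonce()
    print(graph_update_request(tenant, "{userId}", displayName="newValue"))
    print(build_authorize_url(tenant, "{clientId}", "https://localhost/cb", nonce, tenant))
    # A token issued before the update (old nonce, old value) must be rejected;
    # the one issued for our new nonce with the new value must pass.
    stale = make_sample_id_token({"nonce": "old-nonce", "displayName": "oldValue"})
    fresh = make_sample_id_token({"nonce": nonce, "displayName": "newValue"})
    print(id_token_reflects_update(stale, nonce, {"displayName": "newValue"}))  # False
    print(id_token_reflects_update(fresh, nonce, {"displayName": "newValue"}))  # True
```

The nonce check is what makes this useful for the question: a token that lacks the nonce you just sent was not produced by your re-request, so if the updated claims are missing from a token that does carry the fresh nonce, the stale values come from the identity provider, and if the nonce itself is old, something on your side is returning a cached token.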
OK, so after nearly a month of waiting for a response, the official line is:
"The Product Group has identified that this is on the roadmap; even though we still don't have a final date, it should happen in a few months."
So basically they haven't acknowledged it's a bug and they can't tell when this scenario will be supported. Pretty poor level of support, to be honest.