I am trying to use the OAUTH-KV Claims Resolver to extract the value of a parameter named foo, passed to an AAD B2C custom policy authorize endpoint, as a claim also named foo.
The foo ClaimType is defined as

    <ClaimType Id="foo">
      <DisplayName>Foo debug claim</DisplayName>
      <DataType>string</DataType>
      <UserInputType>TextBox</UserInputType>
    </ClaimType>
and the TechnicalProfile as

    <TechnicalProfile Id="LocalAccount-Register">
      <DisplayName>Register</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.localaccount.registration.prescribedfirm</Item>
        <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
        <Item Key="language.button_continue">Create</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="foo" DefaultValue="{OAUTH-KV:foo}" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="foo" Required="true" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>
However, the value for foo is displayed as {OAUTH-KV:foo} rather than the actual value passed.
I believe I have followed the instructions from the documentation.
Is there something else I need to do to make this work?
The documentation relating to claim resolvers was updated 25-01-2019 here https://docs.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview, according to which this should work.
I am unable to get any claim resolver to show anything except the markup, i.e. {Context:CorrelationId}, {OIDC:LoginHint}, etc.
Does anyone know if there are any magic Metadata values required to make this work?
I am sure I am doing something wrong, leaving something out, but am unable to figure out what.
Any helpful pointers would be most welcome.
Claims resolvers only work in specific Technical Profiles, those being REST API and SelfAsserted (combined sign up and sign in content definition at the orchestrations step). It explicitly only works in the examples provided in the document.
I know it is late. See my answer here.
You have to configure the metadata of the technical profile and set the AlwaysUseDefaultValue property of the input claim.