This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 84%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Hi there, i have been trying to retrieve the jti claim returned to us by an external provider (NHS Login) within the custom policy. This jti token is required for SSO on the external identity provider site. The plan is to capture the jti pass is to the calling application and for subsequent SSO we will pass this jti to the b2c policy which will then create a singed JWT and pass it on to the external identity provider.
Hello @Amrit Gurung and thanks for reaching out. For Azure AD B2C to capture and issue the jti claim from the token issued by the NHS Login provider you need to:
<ClaimType Id="jti">
<DisplayName>jti claim</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="jti" />
</DefaultPartnerClaimTypes>
</ClaimType>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="jti" />
</OutputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="jti" />
</OutputClaims>
To pass the jti claim to a new user flow/custom policy you can post it as a query param (E.g. ?jti=token), and send it to your NHS Login Provider authorization endpoint using the former InputClaims and OAuth2 key-value parameters claim resolver (Eg. {OAUTH-KV:jti}).
<InputClaims>
<InputClaim ClaimTypeReferenceId="jti" DefaultValue=" {OAUTH-KV:jti}" />
</InputClaims>
Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.
Thanks for the reply, i have tried this before but for some reason im unable to extract the jti.
Here's my settings and im still getting an empty value for jti. Manually decoded the incoming id token jwt (returned by NHS Login) and it does contain the jit claim.
Here's my settings:
JTI Claim Type
<!--Required to create asserted_login_identity for NHS Login SSO-->
<ClaimType Id="jti">
<DisplayName>The "jti" (JWT ID) claim provides a unique identifier for the JWT </DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="jti" />
</DefaultPartnerClaimTypes>
<AdminHelpText>jti</AdminHelpText>
</ClaimType>
NHS Login Technical Profile output params
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="jti"/>
</OutputClaims>
In Relying Party Policy files:
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="jti" />
</OutputClaims>
Note: I have noticed that in you suggestion you are referencing the JTI claim as jit claim instead of JTI.
Hello, this may be due some restriction in the claim output. Try with a new id in the claim type def. Eg. nhs_:jti and updating the references or setting an alias it in the RP outputclaims: <OutputClaim ClaimTypeReferenceId="jti" PartnerClaimType="nhs_jti" />
thanks for the reply but the setting PartnerClaimType="nhs_jti" didn't work.
We have implemented some workaround but it would be nice to know if this is possible or if there's some sort of limitations on what can be extracted from the incoming claims provided by an external identity provider.
If it is possible then it would definitely make our solution much better.
Thanks for your help
Hello @Amrit Gurung , jti claim can be declared and output. Collect Azure Active Directory B2C logs with Application Insights, See them in VS Code extension and find your NHS Technical Profile in the Tokens section of the report to see if the jti is received from the IDP. The following sample is for the local IDP TP. Also, you may need to open a custom policy to display the app insights vscode window.
Hi @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA , We do have appinsight logging setup. Jit don't appear in the report. However if i decode the value of {token_exchange:id_token} token it consists the jit claim which we need.
So is it the case that decoding that jwt id_token and extracting the claims is our responsibility and not something that b2c custom policy support out of the box?
Hello. Looks fine. Please try removing the following from your schema:
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="jti" />
</DefaultPartnerClaimTypes>
Hi there,
Removing the default partner claim type didn't work.
I don't want to waste much of your time but it would be nice to know if this is possibly and if it is then a working example would be great.
Thanks for all the help.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 81%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Is it possible to read values from {token_exchange:id_token}? Any update