AD B2C in .net core 6 api - How to save custom user attributes and return as claims in token?

Matthew Cheah 46 Reputation points
2023-01-09T19:31:29.963+00:00

Hi All, I'm kind of new to this ecosystem so I'm not sure if I'm asking the right questions or going about things the correct way, but I'm trying to find some documentation on how to set custom user attributes for a user, and then return that information as claims within a token to a front-end when logging in. My flow looks like this:

  • Front-End (Angular with MSAL.js) creates account
  • Azure calls the API Connector on my API before the user is created.
  • The API Connector method creates a new user in MY database and returns the id like so:

        return (ActionResult)new OkObjectResult(new ResponseContent()
        {
            extension_AppUserId = newUserId.ToString(),
        });

  • When the call is completed, the token passed back to the front-end includes extension_AppUserId, but when logging in in the future it does not, and when I try to use Graph API to query that user (using Microsoft.Graph.GraphServiceClient), that value does not appear:

        var results = await graphClient
            .Users
            .Request()
            .Select("extension_[clientId]_AppUserId,extension_AppUserId,AppUserId")
            .GetAsync();

Questions:

  1. Is my workflow to store user info in Azure and return via token to the front-end (and therefore, API also) viable? Or should it be done some other way?
  2. Is the API Connector actually saving data to the User in Azure? or is it just returning added claims without any persistence?
  3. If not, do I need to save data to a user via Graph? And how can I do that in the API connector, if the user is not even actually created yet?

Thanks for your help! I've read a ton of documentation and tried a bunch of things over the past month and I'm still having trouble with this so I'd love for some more experienced insight.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-01-11T12:06:18.0066667+00:00

    Hi @Matthew Cheah,

    Thanks for reaching out.

    Your understanding is correct, and we can enrich the token with claims using API connectors.

    I am assuming you are using a user flow to add the custom attribute. Could you please confirm the following:

    1. Did you add the extension attribute extension_AppUserId through the portal or through Graph API?
    2. Are you enabling the API connector before creating the user or before including application claims in the token?

    "Is my workflow to store user info in Azure and return via token to the front-end (and therefore, API also) viable? Or should it be done some other way?"

    Yes, your approach seems to be correct. You need to create a custom claim in user attributes, enable the API connector and select the same in application claims to return the custom claim in the token.

    "Is the API Connector actually saving data to the User in Azure? Or is it just returning added claims without any persistence?"

    In your case the API connector is called before creating the user: B2C invokes the API connector after the attribute collection page (if any) and queries your external API about the user, then returns the value in the application token and stores it in Azure AD B2C.

    "If not, do I need to save data to a user via Graph? And how can I do that in the API connector, if the user is not even actually created yet?"

    Using Graph API, you can retrieve the custom attribute using

        https://graph.microsoft.com/v1.0/users/?$select=extension_{b2c-extensions-app-id-without-dashes}_AppUserId

    Custom attributes (directory extensions) in the Microsoft Graph API are named by using the convention extension_{appId-without-hyphens}_{extensionProperty-name}, where {appId-without-hyphens} is the stripped version of the appId (called Client ID on the Azure AD B2C portal) for the b2c-extensions-app.

    When you create an extension attribute using Graph API, it is not added to the policy and is usually created on an application other than b2c-extensions-app. You can use these properties directly in custom policies, but they will not appear in the portal and cannot be used in the policies created through the portal.

    Also, extensions are not returned by default. You need to specify the extension in Select:

        // GetAsync() returns the User object; GetResponseAsync() would return a
        // GraphResponse<User> wrapper that has no AdditionalData property.
        var user = await graphClient.Users["{GUID HERE}"]
            .Request()
            .Select("extension_extensionAppId_AppUserId")
            .GetAsync();

    The value should be available through AdditionalData (the key is absent when the attribute was never set, so check for it first):

        var extValue = user.AdditionalData != null
            && user.AdditionalData.TryGetValue("extension_extensionAppId_AppUserId", out var raw)
            ? raw?.ToString()
            : null;
    

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.
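The "before creating the user" flow the question describes and the answer confirms, as an added example that is not code from the question, the answer or Microsoft: an ASP.NET Core 6 minimal API endpoint that authenticates the call from B2C with the connector's Basic auth credentials, creates the local user, and returns the continuation response carrying extension_AppUserId. Assumed: the route, the ApiConnector:* configuration keys, the ConnectorInput/ConnectorContinue names and Guid.NewGuid() standing in for the database insert are placeholders, and AppUserId is already defined as a custom user attribute in the user flow.

```csharp
// Added example (not from the question or answer). Assumed placeholders: the route,
// the ApiConnector:* config keys, and Guid.NewGuid() standing in for your DB insert.
using System.Security.Cryptography;
using System.Text;
using System.Text.Json.Serialization;

var app = WebApplication.CreateBuilder(args).Build();
// Must match the Basic auth username/password set on the API connector in the portal.
var expectedUser = app.Configuration["ApiConnector:Username"] ?? "";
var expectedPass = app.Configuration["ApiConnector:Password"] ?? "";

app.MapPost("/api/b2c/before-create", async (HttpContext ctx) =>
{
    // Only the B2C service, carrying the shared secret, may call this endpoint.
    if (!HasValidBasicAuth(ctx.Request, expectedUser, expectedPass))
        return Results.Unauthorized();
    var input = await ctx.Request.ReadFromJsonAsync<ConnectorInput>();
    if (input is null || string.IsNullOrWhiteSpace(input.Email))
        return Results.BadRequest();
    // Create the user in your own database here; the Guid stands in for its id.
    var newUserId = Guid.NewGuid();
    // action "Continue" lets sign-up proceed; B2C writes the extension_ value to the
    // new user, where it can then be selected as an application claim.
    return Results.Ok(new ConnectorContinue { ExtensionAppUserId = newUserId.ToString() });
});
app.Run();

static bool HasValidBasicAuth(HttpRequest req, string user, string pass)
{
    var header = req.Headers.Authorization.ToString();
    if (!header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
    byte[] presented;
    try { presented = Convert.FromBase64String(header[6..]); }
    catch (FormatException) { return false; }
    var expected = Encoding.UTF8.GetBytes($"{user}:{pass}");
    // Constant-time compare so timing does not reveal how much of the secret matched.
    return CryptographicOperations.FixedTimeEquals(presented, expected);
}

record ConnectorInput([property: JsonPropertyName("email")] string? Email);

class ConnectorContinue
{
    [JsonPropertyName("version")] public string Version { get; } = "1.0.0";
    [JsonPropertyName("action")] public string Action { get; } = "Continue";
    [JsonPropertyName("extension_AppUserId")] public string ExtensionAppUserId { get; set; } = "";
}
```

The returned key is extension_AppUserId without the app id, while reading it back through Graph uses the longer extension_{appId-without-hyphens}_AppUserId name from the answer.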


0 additional answers
