ADB2C | Custom Policies and Refresh Token

Question

ADB2C | Custom Policies and Refresh Token

Abhay Chandramouli 1,056

Hi,

We have a login form which is the custom policy page on ADB2C. The login form has a Keep me signed in checkbox.

After logging in, the custom policy provides us an access token and refresh token. The checkbox value : true or false is send as part of a claim in the token.

so the access token has the claim "checkbox" as "true" when checked.

Now, when I hit the refresh token api, I get another refresh token and access token. This time the access token has the "checkbox" value as "false" - but the expected value is the same which should be "true"

Can you let me know how to achieve this ?

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-09-11T18:40:10.07+00:00

@Abhay Chandramouli

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

3 answers

Your answer

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-09-11T18:40:10.07+00:00

@Abhay Chandramouli

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Moderator

Hello @Abhay Chandramouli , the Azure AD B2C KMSI (keep me signed in) checkbox state is available only during interactive authentication requests. Requesting new tokens using a refresh token is done in a non-interactive way and thus will always return a false value for the aforementioned KMSI claim.

One potential woraround would involve adding a refresh token journey to your Custom Policy, passing the original issued token (with the KSMI claim set to true) as a query param, read it using claims resolvers, decoding it using a custom API and outputing the original KSMI value.

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

Abhay Chandramouli 1,056 Reputation points

2023-09-06T09:03:58.57+00:00

Hi @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA ,

the decoding using custom api - is this called on every sign in sign up journey ? or only when ref token is called ?
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-09-06T15:50:16.92+00:00
API connector must be added to user flows or custom policies. You can them at any step in the user journey defined by a custom policy. For example, you can call a REST API:

During sign-in, just before Azure AD B2C validates the credentials.

Immediately after sign-in.

Before Azure AD B2C creates a new account in the directory.

After Azure AD B2C creates a new account in the directory.

Before Azure AD B2C issues an access token.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-10-14T02:54:06.79+00:00

Hello @Abhay Chandramouli , let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
Sunilkumar Padhi 0 Reputation points

2023-10-14T05:00:34.8666667+00:00

Does it also need device code token for successful KMSI response? Abhay - How are you implementing this? Which tool or IDE?

Answer 2

khov vannak 0

~~your text~~

Answer 3

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

ADB2C | Custom Policies and Refresh Token

3 answers

Your answer