How to get the AD B2C access token within a custom policy and use it as the bearer token for a REST technical profile?

Gnana Sekhar 0 Reputation points
2023-12-06T09:04:44.1066667+00:00

I want to use the JWT token generated by the sign-in or sign-up custom policy to call one of my REST APIs, which is configured to authenticate with the same B2C token, in the next subsequent REST API technical profile in a user journey in the B2C custom policy. Is this use case possible?

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2023-12-06T19:12:38.11+00:00

    Hi @Gnana Sekhar, yes, this should be possible.

    Here are the high-level steps to implement this use case:

    1. In your sign-in or sign-up custom policy, add a technical profile to issue a JWT token. You can use the JwtIssuer technical profile for this purpose. Make sure to include the necessary claims in the token, such as the user's object ID and any custom attributes you need to pass to the REST API.
    2. In your REST API, configure it to accept the JWT token as a bearer token and validate it. You can use the JwtIssuer technical profile to issue the token, so you can be sure that it is a valid token.
    3. In your B2C custom policy, add a REST technical profile to call your REST API. In the AuthenticationType element, set the value to Bearer. In the BearerToken element, set the value to {OIDC:JWT}. This will use the JWT token issued by the JwtIssuer technical profile as the bearer token for the REST API call.

    For example:

    <TechnicalProfile Id="CallRestApi">
      <DisplayName>Call REST API</DisplayName>
      <!-- RESTful technical profiles use the Proprietary protocol with the RestfulProvider handler -->
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="ServiceUrl">https://your-rest-api-url</Item>
        <Item Key="AuthenticationType">Bearer</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="BearerToken">{OIDC:JWT}</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="id" />
        <InputClaim ClaimTypeReferenceId="yourCustomAttribute" PartnerClaimType="yourCustomAttribute" />
      </InputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
    

    Note that you need to configure your REST API to accept the JWT token as a bearer token and validate it. You can use the JwtIssuer technical profile to issue the token, so you can be sure that it is a valid token. You also need to make sure that the necessary claims are included in the token.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you, please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

    1 person found this answer helpful.
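Step 2 of the answer leaves the API-side check unspecified; the following is an added example (not code from the answer, from Microsoft or from the asker's project) of what an API receiving a B2C-issued bearer token should verify before trusting it: the RS256 signature against the policy's signing key, then the iss, aud, tfp and exp claims. The issuer URL, client ID, policy name and kid used in the test are placeholders, the keys map stands in for the policy's published JWKS document, and MintToken exists only to produce a test token offline.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
type B2CClaims struct { // the subset of an Azure AD B2C token the API must check before trusting it
	Iss string `json:"iss"` // https://<tenant>.b2clogin.com/<tenant-id>/v2.0/
	Aud string `json:"aud"` // client ID the token was issued for
	Exp int64  `json:"exp"` // expiry, seconds since the Unix epoch
	Tfp string `json:"tfp"` // policy that issued the token, e.g. B2C_1_signupsignin
}
var b64 = base64.RawURLEncoding
func sha(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
// ValidateB2CToken verifies the RS256 signature with the key named by the header kid (keys stands in for the policy's
// JWKS document), then checks iss, aud, tfp and exp (now is Unix seconds); any failed check rejects the token.
func ValidateB2CToken(tok string, keys map[string]*rsa.PublicKey, iss, aud, policy string, now int64) (c B2CClaims, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // json.Unmarshal matches "alg"/"kid" case-insensitively
	if hb, herr := b64.DecodeString(parts[0]); herr != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("bad header or unexpected alg") // also rejects alg=none and HMAC-for-RSA confusion
	}
	sig, serr := b64.DecodeString(parts[2])
	if key, ok := keys[hdr.Kid]; !ok || serr != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, sha(parts[0]+"."+parts[1]), sig) != nil {
		return c, errors.New("unknown kid or bad signature")
	}
	if pb, perr := b64.DecodeString(parts[1]); perr != nil || json.Unmarshal(pb, &c) != nil {
		return B2CClaims{}, errors.New("bad payload")
	}
	if c.Iss != iss || c.Aud != aud || c.Tfp != policy || now >= c.Exp {
		return B2CClaims{}, errors.New("issuer, audience or policy mismatch, or token expired")
	}
	return c, nil
}
// MintToken signs a B2C-shaped token with a freshly generated key and returns that key's public half, so the validator
// can be exercised offline; real tokens are signed by B2C with the keys published at the policy's JWKS endpoint.
func MintToken(kid string, c B2CClaims) (string, *rsa.PublicKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // test-only key; the API itself never mints tokens
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sha(signing))
	return signing + "." + b64.EncodeToString(sig), &key.PublicKey
}
```

In production the keys map is filled from the policy's JWKS document and refreshed when an unknown kid appears, rather than built from MintToken.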
