
B2C Custom Policy - can a JWT be signed using HS256 algorithm

Nichlas Aagaard Larsen 25 Reputation points
Jan 4, 2024, 11:01 AM

Hello

I'm trying to accomplish the following using B2C custom policies:

  • Issue a JWT signed with a symmetric key using the HS256 algorithm.
  • When the token is decoded, the value of "alg" in the header should be "HS256"

The problem:

  • I've managed to issue a JWT using a symmetric key, but the value of "alg" is "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256" instead of "HS256"
  • Libraries and third parties that need to validate my token expect "alg" to be "HS256" and will therefore not accept the JWTs I currently issue

Questions:

  • Is it even possible to issue a JWT signed with HS256 using Azure B2C custom policies? Finding a direct answer for this is very difficult. After searching through the B2C documentation, different forum posts and a B2C deep dive PDF (see link in the section below), answering this question is still very difficult, as I find different answers (or at least different hints for different answers) depending on where I look.

B2C Deep Dive: https://download.microsoft.com/download/3/6/1/36187D50-A693-4547-848A-176F17AE1213/Deep%20Dive%20on%20Azure%20AD%20B2C%20Custom%20Policies/Azure%20AD%20B2C%20Custom%20Policies%20-%20Deep%20Dive%20on%20Custom%20Policy%20Schema.pdf

Searching globally in the pdf for "HS256" will take you to a section that implies signing using HS256 should be possible. Though it doesn't directly say that "HS256" will be the value of "alg" in the token header...

My current implementation:

In my policy keysets, I have the following keyset: B2C_1A_SymmetricSecret

"keys": [
    {
        "kid": "KidValue",
        "use": "sig",
        "key_ops": [
            "sign"
        ],
        "kty": "oct"
    }
]

And my token issuer technical profile in my custom policies looks like this:

<ClaimsProvider>
	<DisplayName>JWT Issuer</DisplayName>
	<TechnicalProfiles>
		<TechnicalProfile Id="JwtIssuer">
			<DisplayName>JWT Issuer</DisplayName>
			<Protocol Name="None" />
			<OutputTokenFormat>JWT</OutputTokenFormat>
			<Metadata>
				<Item Key="client_id">{service:te}</Item>
				<Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
				<Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
			</Metadata>
			<CryptographicKeys>
				<Key Id="issuer_secret" StorageReferenceId="B2C_1A_SymmetricSecret"/>
				<Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
			</CryptographicKeys>
			<InputClaims />
			<OutputClaims />
		</TechnicalProfile>
	</TechnicalProfiles>
</ClaimsProvider>

This will result in a JWT where the value of "alg" in the header is "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"

Thank you for your help.
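As an added example (not from the question, and not Microsoft's B2C code), a strict HS256 verifier in Python that shows why a token whose header carries "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256" as "alg" is rejected by RFC 7518-conformant consumers even though the HMAC itself verifies. The secret, claims and token contents are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed, demo only
XMLDSIG_HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    # Restore the padding that JWS strips before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(header: dict, payload: dict, secret: bytes) -> str:
    # Always signs with HMAC-SHA256; only the *advertised* "alg" string varies,
    # mirroring an issuer that writes the XML-DSig URI instead of "HS256".
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, allowed_algs=("HS256",)) -> dict:
    """Pin the algorithm: the header "alg" must exactly match an allow-listed
    RFC 7518 name before the signature is even examined."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") not in allowed_algs:
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))


def classify(token: str, secret: bytes) -> str:
    try:
        verify_hs256(token, secret)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo_tokens(secret: bytes = SECRET) -> dict:
    payload = {"sub": "constructed-user", "iss": "https://example.invalid/b2c"}  # constructed
    return {
        "hs256": make_jwt({"alg": "HS256", "typ": "JWT"}, payload, secret),
        "xmldsig": make_jwt({"alg": XMLDSIG_HMAC_SHA256, "typ": "JWT"}, payload, secret),
    }
```

Both tokens carry a valid HMAC over the same secret; the second fails purely on the algorithm name, which is the same outcome the question reports from third-party libraries.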


Accepted answer
Shweta Mathur 30,271 Reputation points Microsoft Employee
Jan 8, 2024, 6:12 AM

Hi @Nichlas Aagaard Larsen ,

Thanks for reaching out.

I understand you are looking to validate the token using HS256.

For a B2C tenant, the only supported token signing algorithm as of now is RS256.

Check the JWT Token Issuer technical profile. It only supports RSA key pairs (RS256).

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if the answer helped you.

