Error when adding claim that contains json to custom policy in Azure AD B2C

Klaus Zachariassen 0 Reputation points
2024-01-17T16:52:40.9633333+00:00

I have added Salesforce as IdP to Azure AD B2C using the OpenIdConnect protocol. And it works fine. In the token from Salesforce I get a claim of type "custom_attributes":

  "custom_attributes": {
    "UserRoleName": "SC Management"
  }

I now want to add that claim to the policy in B2C. I add a "custom_attributes" ClaimType and add the claim as OutputClaim to the ClaimsProvider and the RelyingParty (see below). When I test it, it fails and I find the following error in traces: "An unexpected type "Newtonsoft.Json.Linq.JObject" was encountered of the claim with claim type id "custom_attributes"." How can I fix this error?

Policy changes: In TrustFrameworkBase I add:

  <BuildingBlocks>
    <ClaimsSchema>
=>    <ClaimType Id="custom_attributes">
        <DisplayName>custom_attributes</DisplayName>
        <DataType>string</DataType>
        <DefaultPartnerClaimTypes>
          <Protocol Name="OpenIdConnect" PartnerClaimType="custom_attributes" />
        </DefaultPartnerClaimTypes>
      </ClaimType>
      ...
    </ClaimsSchema>
    ...
  </BuildingBlocks>

In TrustFrameworkExtensions I add:

  <ClaimsProviders>
    <ClaimsProvider>
      <Domain>salesforce.com</Domain>
      <DisplayName>Salesforce</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="Salesforce-OpenIdConnect">
          <OutputClaims>
=>          <OutputClaim ClaimTypeReferenceId="custom_attributes" PartnerClaimType="custom_attributes" />
            ...
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>

In SignUpOrSignin I add:

  <RelyingParty>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
=>      <OutputClaim ClaimTypeReferenceId="custom_attributes" PartnerClaimType="custom_attributes" />
        ...
      </OutputClaims>
    </TechnicalProfile>
  </RelyingParty>

When I try to do the exact same thing with a claim that just contains text (not in JSON format), then it works. Instead of passing the "custom_attributes" claim the whole way through to the RelyingParty, I have tried to create a ClaimsTransform instead (it picks "UserRoleName" out of the token). When I add that transform to the ClaimsProvider and remove the "custom_attributes" claim as OutputClaim, I get the error: "A Claim of ClaimType with id "custom_attributes" was not found".
When I then put "custom_attributes" back as OutputClaim I'm back to the "An unexpected type..." error.


1 answer

  1. Klaus Zachariassen 0 Reputation points
    2024-01-17T21:08:57.46+00:00

    Thanks for the swift reply.
    I have tracing in App insights and when I look into the trace that contains the error message, I can see this:

    "Salesforce-OpenIdConnect": {
      "ContentType": "Jwt",
      "Created": "2024-01-17T20:31:31.8386838Z",
      "Key": "Salesforce-OpenIdConnect",
      "Persistent": true,
      "Value": "eyJraWQiOiIyNDgiLCJ0eXAiOiJKV1C<I deleted the rest>;2;Salesforce-OpenIdConnect;False"
    }
    

    If I put the token into jwt.io, I get:

    {
      ...
      "custom_attributes": {
        "UserRoleName": "SC Management"
      },
      ...
    }
    

    which looks rather well-formed to me.

    I'll send you a mail to create a support case.

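The trace in the reply above shows a syntactically valid token; what B2C rejects is the JSON *type* of the value, since a ClaimType with DataType string cannot hold an object (the "JObject" in the error message). The following diagnostic is an added example and is not code from the post or from Azure AD B2C. It decodes a JWT payload offline (so a real token never has to be pasted into a third-party site such as jwt.io), lists the claims whose values are nested JSON, and then shows the shape that would be needed instead: the same claim re-encoded as a JSON string, from which a single element can be picked the way a JSON claims transformation such as GetClaimFromJson does. The token, issuer, subject and audience are constructed for the example; the signature is deliberately not verified, so this is for inspection only, never for authorization; and it is an assumption, not something the thread confirms, that the IdP can be made to emit the attribute as a string rather than an object.

```python
"""Offline diagnostic for the B2C error
'An unexpected type "Newtonsoft.Json.Linq.JObject" was encountered ...'.

Decodes a JWT payload WITHOUT verifying the signature (inspection only, never
authorization) and reports which claims are nested JSON values, i.e. values an
Azure AD B2C ClaimType with DataType 'string' cannot hold.
"""
import base64
import json

# JSON types that map onto a scalar B2C ClaimType; objects and arrays do not.
SCALAR_TYPES = (str, bool, int, float, type(None))


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj) -> str:
    """Compact JSON -> base64url without padding (JWS serialization)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    json.loads(b64url_decode(parts[0]))  # header must at least be valid JSON
    return json.loads(b64url_decode(parts[1]))


def nested_claims(claims: dict) -> dict:
    """Claims whose value is a JSON object or array: what B2C reports as JObject/JArray."""
    return {k: v for k, v in claims.items() if not isinstance(v, SCALAR_TYPES)}


def flatten_claim(claims: dict, name: str) -> dict:
    """Re-encode one nested claim as a JSON string.

    Assumption: this string form is what a 'string' ClaimType plus a JSON
    claims transformation could consume; it is not a change B2C makes itself.
    """
    out = dict(claims)
    if name in out and not isinstance(out[name], SCALAR_TYPES):
        out[name] = json.dumps(out[name], separators=(",", ":"))
    return out


def get_claim_from_json(json_text: str, claim_to_extract: str):
    """Pick one top-level element out of a JSON string (GetClaimFromJson-style)."""
    return json.loads(json_text).get(claim_to_extract)


def make_unsigned_token(claims: dict) -> str:
    """Build an alg 'none' token for the constructed sample (no real signature)."""
    return b64url_encode({"alg": "none", "typ": "JWT"}) + "." + b64url_encode(claims) + "."


# Constructed sample resembling the Salesforce token from the thread; not real data.
SAMPLE_CLAIMS = {
    "iss": "https://login.salesforce.com",      # assumed issuer
    "sub": "005000000000000AAA",                # assumed subject
    "aud": "b2c-example-client-id",             # assumed audience
    "exp": 1705523491,
    "custom_attributes": {"UserRoleName": "SC Management"},
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)


def diagnose(token: str) -> dict:
    """Report nested claims and the extracted UserRoleName after flattening."""
    claims = decode_jwt_payload(token)
    flat = flatten_claim(claims, "custom_attributes")
    return {
        "nested": nested_claims(claims),
        "custom_attributes_as_string": flat.get("custom_attributes"),
        "UserRoleName": get_claim_from_json(flat["custom_attributes"], "UserRoleName")
        if isinstance(flat.get("custom_attributes"), str) else None,
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_TOKEN), indent=2))
```

Run it against a token copied from the App Insights trace (the part before the first ";") to confirm which claims are objects; any claim listed under "nested" will trip the string ClaimType, whatever its name.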
