After sign up/sign in using an identity provider like Microsoft or Google, how can I get the email address to be published in a claim?

Deepak Singh 40 Reputation points
2024-02-28T09:18:47.3566667+00:00

Here we have a requirement where the application needs to use the user's email address after a successful signup/signin. For email-based signup/signin, the email address is already populated in the JWT token, but in the case of an identity provider, the email address gets stamped on the othersEmail attribute in AD. We need to read the value that exists in the othersEmail attribute, which needs to be populated in the JWT token as a string (not a StringCollection). Is there any way by which we can process the othersEmail attribute value and populate the user's email address in the JWT token?

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

2 answers

  1. James Hamil 27,226 Reputation points Microsoft Employee Moderator
    2024-02-28T21:44:45.28+00:00

    Hi @Deepak Singh, you can configure your Azure AD B2C policy to collect the othersEmail attribute from the identity provider and return it as a claim in the JWT token. Here are the high-level steps to achieve this:

    1. In your Azure AD B2C tenant, create a user flow policy for sign-up and sign-in.
    2. In the user flow policy, add the identity provider (e.g., Microsoft or Google) that you want to use for sign-up and sign-in.
    3. In the user flow policy, under "User attributes and token claims", add the othersEmail attribute to the "Collect attribute" option.
    4. In the user flow policy, under "Application claims", add a new claim for the email address. You can use the othersEmail attribute as the source for the email address claim.
    5. In your application, configure the OpenID Connect middleware to request the email address claim from the Azure AD B2C policy. You can do this by adding the email address claim to the Scope property of the OpenIdConnectOptions object.

    Here is an example of how to configure the OpenID Connect middleware in ASP.NET Core to request the email address claim:

    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.IdentityModel.Tokens;

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    // The cookie scheme must be registered because the OpenID Connect handler
    // signs the user into it (see SignInScheme below).
    .AddCookie()
    .AddJwtBearer(options =>
    {
        // Validates bearer tokens issued by the B2C policy (issuer and audience).
        options.Authority = "https://your-tenant.b2clogin.com/your-tenant.onmicrosoft.com/B2C_1A_signup_signin";
        options.Audience = "your-client-id";
    })
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://your-tenant.b2clogin.com/your-tenant.onmicrosoft.com/B2C_1A_signup_signin";
        options.ClientId = "your-client-id";
        options.ResponseType = "code";
        // Scopes requested from the B2C policy; "email" asks for the email claim.
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("email");
        options.CallbackPath = "/signin-oidc";
        options.SignedOutCallbackPath = "/signout-callback-oidc";
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name",
            RoleClaimType = "role"
        };
    });
    

    In this example, the email scope is added to the OpenIdConnectOptions object to request the email address claim from the Azure AD B2C policy.

    Once you have configured the OpenID Connect middleware to request the email address claim, you can access it in your application code using the ClaimsPrincipal object. Here is an example of how to get the email address claim in ASP.NET Core:

    // FindFirstValue is an extension method from System.Security.Claims; B2C emits
    // "emails" as a collection, so this returns the first value of that claim type.
    var email = User.FindFirstValue("emails");
    

    The FindFirstValue method is used to get the value of the email address claim from the ClaimsPrincipal object.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you, James


  2. Deepak Singh 40 Reputation points
    2024-02-29T10:29:38.3233333+00:00

    Thank you James, this has been sorted now. As we are using an Azure AD custom policy, where we defined technical profiles for social accounts, we have added the line below in the output claims. After that we tested again and the email id got populated as a string in the JWT token, which was the desired output.

    <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email" />
    
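A worked example added here (not code from either post) for the application side of both answers: it resolves the address whether the policy emitted it as a single string claim ("email", which is where the custom policy line above maps signInName) or as B2C's "emails" collection, which the ASP.NET Core JWT handler surfaces as one Claim per element. The claim type names it checks and the sample principals are constructed for illustration; adjust them to your own policy.

```csharp
using System;
using System.Net.Mail;
using System.Security.Claims;

// Added example, not from the thread: pick the user's e-mail out of the
// ClaimsPrincipal that the authentication middleware built from a validated
// B2C token, regardless of whether the policy emitted a string or a collection.
public static class B2CEmailClaims
{
    // Checked in order of preference: the string claim first, then the
    // collection claim. Both names are assumptions to match to your policy.
    private static readonly string[] CandidateClaimTypes = { "email", "emails" };

    // Returns the first syntactically valid address found, or null if none.
    public static string? ResolveEmail(ClaimsPrincipal user)
    {
        foreach (var claimType in CandidateClaimTypes)
        {
            // FindAll returns every claim of that type, so a StringCollection
            // emitted as several "emails" claims is walked element by element.
            foreach (var claim in user.FindAll(claimType))
            {
                var value = claim.Value.Trim();
                // Skip blanks and anything that is not a single well-formed address.
                if (value.Length == 0 || !MailAddress.TryCreate(value, out _))
                    continue;
                return value;
            }
        }
        return null;
    }

    public static void Main()
    {
        // Constructed principals standing in for the token the middleware validated.
        var stringClaim = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("email", "alice@example.com") }, "B2C"));
        var collectionClaim = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("emails", " "), new Claim("emails", "bob@example.com") }, "B2C"));
        var noEmail = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("name", "Carol") }, "B2C"));

        Console.WriteLine(ResolveEmail(stringClaim) ?? "<none>");
        Console.WriteLine(ResolveEmail(collectionClaim) ?? "<none>");
        Console.WriteLine(ResolveEmail(noEmail) ?? "<none>");
    }
}
```

MailAddress.TryCreate requires .NET 5 or later; on older targets replace it with your own format check.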
