Calling Token Endpoint of B2C Custom Policy

Anand Patil 45 Reputation points
2024-06-27T08:58:47.2166667+00:00

I have an Azure AD B2C Custom Policy. I have the URLs for all of its endpoints.

In this policy, in the 'TrustFrameworkExtensions' XML, I want to integrate the 'Token' REST endpoint for this policy itself.

First of all, is it doable?
I am trying to do the same; however, the technical profile I have defined for this 'Token' endpoint is not getting called successfully. I get a 'Bad Request' error.
I need some quick pointers for this. An example of the technical profile for this scenario would be really helpful.

Tags: Microsoft Entra External ID, Microsoft Entra ID

2 answers

  1. Q&A Assist
    2024-06-27T08:58:47.24+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Yes, it is possible to integrate the Token REST endpoint for your Azure AD B2C custom policy. In your TrustFrameworkExtensions.xml file, you can define a new RESTful technical profile for the Token endpoint by using the following code:

    <!-- Editor's notes on this block: metadata keys that are not OpenIdConnect
         technical-profile keys (grant_type, BearerTokenTransmissionMethod) are removed;
         the client secret now references a dedicated policy key rather than the
         policy's own token-signing key container; the undeclared authorizationCode
         input claim is removed, because B2C performs the authorization-code exchange
         against the provider's token endpoint itself. The token endpoint is therefore
         never called as a separate REST step from a technical profile. -->
    <TechnicalProfile Id="TokenEndpoint">
      <DisplayName>Token Endpoint</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="client_id">{client_id}</Item>
        <!-- Provider metadata (issuer, endpoints, signing keys) is discovered from the token issuer -->
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Policy key (B2C_1A_...) that holds the application's client secret.
             B2C_1A_TokenSigningKeyContainer is the policy's signing key, not a client secret. -->
        <Key Id="client_secret" StorageReferenceId="{your_client_secret_policy_key}" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- Claims are mapped from the ID token by PartnerClaimType. Raw tokens are not
             emitted as claims named id_token/access_token; the documented way to surface
             the provider's access token is PartnerClaimType="{oauth2:access_token}".
             Both claim types below must be declared in the ClaimsSchema (names assumed). -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
    

    You can then call the Token endpoint by using the OAuth2 technical profile. Here's an example of how to do that:

    <!-- Editor's notes on this block: the client secret must be a policy key referenced
         from CryptographicKeys, never a Metadata item (policy XML is not a secret store);
         the metadata key is client_id, not ClientId; grant_type, response_types and
         DiscoverMetadataByTokenIssuer are not OAuth2 technical-profile keys. B2C drives
         the redirect to authorization_endpoint and the code exchange at
         AccessTokenEndpoint itself, so there is no authorizationCode input claim. -->
    <TechnicalProfile Id="OAuth2-Token">
      <DisplayName>OAuth2 Token</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="AccessTokenEndpoint">{your_token_endpoint_url}</Item>
        <Item Key="authorization_endpoint">{your_authorization_endpoint_url}</Item>
        <Item Key="ClaimsEndpoint">{your_claims_endpoint_url}</Item>
        <Item Key="client_id">{your_client_id}</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="scope">openid</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <!-- How the access token is sent to ClaimsEndpoint -->
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Policy key (B2C_1A_...) that holds {your_client_secret}; not the token-signing container -->
        <Key Id="client_secret" StorageReferenceId="{your_client_secret_policy_key}" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- Mapped from the JSON returned by ClaimsEndpoint; the claim type names are
             assumptions and must exist in the ClaimsSchema. -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
    

    Make sure to replace the {your_token_endpoint_url}, {your_authorization_endpoint_url}, {your_claims_endpoint_url}, {your_client_id}, and {your_client_secret} placeholders with the actual values for your custom policy.

  2. Akshay-MSFT 17,656 Reputation points Microsoft Employee
    2024-06-27T10:05:14.16+00:00

    @Anand Patil

    Azure Active Directory B2C (Azure AD B2C) custom policy allows you to interact with application logic that you implement outside of Azure AD B2C. You make an HTTP call to an endpoint. Azure AD B2C custom policies provide a RESTful technical profile for this purpose. By using this capability, you can implement features that aren't available within Azure AD B2C custom policy.

    So the recommendation is to call a service API endpoint outside of B2C, not within B2C.

    You may try following the Call a REST API by using Azure Active Directory B2C custom policy tutorial, but for a non-B2C endpoint.

    If you don't have any further queries and the suggestion above answers your ask, please "Accept the answer". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik

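The approach the second answer recommends, as an added example that is not part of either answer or of Microsoft's own sample policies: a Proprietary RESTful technical profile that posts claims from the sign-up page to an external validation API, authenticating with a bearer token stored as a policy key, and the override that wires it in as a validation technical profile. The ServiceUrl, the policy key name B2C_1A_RestApiBearerToken, the claim type extension_customerTier and the API's JSON property names are assumptions; email and objectId are standard starter-pack claims.

```xml
<!-- Added example (not from the original answers). Goes in TrustFrameworkExtensions.xml.
     Assumed: the ServiceUrl, policy key B2C_1A_RestApiBearerToken (created under
     Identity Experience Framework > Policy keys), the claim type extension_customerTier
     declared in the ClaimsSchema, and the API's JSON field names. -->
<ClaimsProvider>
  <DisplayName>External validation API</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-ValidateUser">
      <DisplayName>Validate user against external API</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- Must be HTTPS; B2C posts the input claims as a JSON body -->
        <Item Key="ServiceUrl">https://api.contoso.example/b2c/validate</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <!-- Bearer: B2C sends "Authorization: Bearer <key>" using the policy key referenced below.
             The secret itself never appears in the policy XML. -->
        <Item Key="AuthenticationType">Bearer</Item>
        <!-- Keep false so an unauthenticated call to the API is rejected rather than allowed -->
        <Item Key="AllowInsecureAuthInProduction">false</Item>
        <!-- DebugMode=true echoes the API's error body to the browser; keep it off in production -->
        <Item Key="DebugMode">false</Item>
        <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="BearerAuthenticationToken" StorageReferenceId="B2C_1A_RestApiBearerToken" />
      </CryptographicKeys>
      <InputClaims>
        <!-- PartnerClaimType is the JSON property name the API receives -->
        <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="emailAddress" />
        <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="userObjectId" />
      </InputClaims>
      <OutputClaims>
        <!-- On HTTP 200 the JSON property "customerTier" is copied into this claim -->
        <OutputClaim ClaimTypeReferenceId="extension_customerTier" PartnerClaimType="customerTier" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>

    <!-- Override of the starter-pack sign-up profile (merged by Id with the base policy):
         the page is only accepted when the API returns 2xx. To reject the user with a
         message, the API returns HTTP 409 with a body like
         {"version":"1.0.0","status":409,"userMessage":"Account not eligible"}. -->
    <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="REST-ValidateUser" ContinueOnError="false" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

The API is the trust boundary here: it must validate the bearer token on every request, since anyone who can reach the ServiceUrl with that token can influence the claims B2C writes into the user's token. A 4xx response without the version/status/userMessage body is what surfaces to the user as a generic "Bad Request" style failure, so returning 409 with that body is the way to report a validation error cleanly.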