AAD B2C Custom Policies: How to read HTTP headers in the request to B2C?

Question

AAD B2C Custom Policies: How to read HTTP headers in the request to B2C?

Jason Lee 106

In a B2C custom policy, is there a way to read HTTP headers in the authorize request sent to B2C? I was hoping there is a claim resolver similar to how OAUTH-KV but I do not see any in the claim resolver documentation.

We need to do this to support forensic security investigations. We have a Front Door instance forwarding requests to our B2C instance as per Microsoft recommendations. This Front Door instance sends access logs to Azure Sentinel via Log Analytics. We have a requirement that any application authorizing with B2C be able to correlate an app's log entries to the FD access logs in Sentinel. Since B2C is behind Front Door, we want to include the the X-Azure-Ref header value (Front Door adds it to all requests) in the claims of tokens that B2C issues. Consuming applications can include the X-Azure-Ref in their logs to directly correlate them to Front Door auditing logs.

Thanks in advance!

Note: I'm posting this question in this forum since I haven't had a response yet in https://stackoverflow.com/questions/70886830/aad-b2c-custom-policies-how-to-read-http-headers-in-the-request-to-b2c

Answer 1

AmanpreetSingh-MSFT 55,406

Hi @Jason Lee • Thank you for reaching out.

Unfortunately, B2C does not have the capability to resolve and use the HTTP headers from authorize request. As a workaround, you can check if it can be passed as a query string, and then you can use OAuth2 key-value parameters to resolve it via B2C custom policy.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Jason Lee 106 Reputation points

2022-02-07T16:23:54.247+00:00

Thanks @AmanpreetSingh-MSFT . Yea, I've been unsuccessfully trying to find a good way to transform the request coming from Front Door to B2C to copy a header value (X-Azure-Ref) to a URL parameter. Do you have any thoughts on how to do that transformation? If I can do that, I can make use of B2C's OAUTH-KV . I can't find anything in Front Door to do that. The only thing I can think of is to proxy requests through an App Gateway and use rewrite rules, but that would be expensive, add an extra hop to the request, and won't scale up very well.
AmanpreetSingh-MSFT 55,406 Reputation points

2022-02-07T16:49:46.767+00:00

@Jason Lee • I have never tried that but I will try to do the transformation via Rules Engine and let you know if that works.
AmanpreetSingh-MSFT 55,406 Reputation points

2022-02-09T06:51:18.277+00:00

@Jason Lee • I checked on this with the Front Door product team and they confirmed that currently, it is not possible via Front Door. They will consider adding it to their roadmap but there is no ETA from their side as of now.
Jason Lee 106 Reputation points

2022-02-09T16:57:57.71+00:00

Ok, thanks for checking into this! :)

AAD B2C Custom Policies: How to read HTTP headers in the request to B2C?

0 additional answers

Activity