How to pass refresh token of a third party IDP to the application via Azure AD B2C?

SamD 146 Reputation points
2020-08-26T07:40:32.273+00:00

I’m working on an application which can read files of a given OneDrive account.

We use Azure AD B2C as the identity provider. Users can log in to the application using their Microsoft account. For that we have enabled Microsoft as an Identity Provider in my AAD B2C tenant.

When a given user logs in using their Microsoft account, the application should be able to get both the access_token and the refresh_token, which enable us to communicate with the MS Graph API in order to fetch file details.

Using custom policies we were able to fetch access_token. However, we cannot fetch the refresh_token.

This is how ClaimsSchema is defined in TrustFrameworkExtensions.xml:

[screenshot: ClaimsSchema definition]

Also in the same file, under the TechnicalProfile of the Microsoft login, the following OutputClaims node is added (some child nodes are removed for clarity):

[screenshot: OutputClaims node of the Microsoft TechnicalProfile]

Then under the relevant RelyingParty node the following OutputClaims node is added (some child nodes are removed for clarity):

[screenshot: OutputClaims node of the RelyingParty]

According to the documentation there is no claim resolver for refresh_token.

Any suggestion to get this to work?


Accepted answer

AmanpreetSingh-MSFT 55,226 Reputation points
2020-08-26T14:29:48.82+00:00

    Hello @SampathDilhan-7447

    To get both Access and Refresh tokens, you would need to federate the MSA IDP via OAuth with B2C. As of now, for OIDC IDPs only the Access Token is passed through.

    Please refer to the Technical Profile below to add the MSA IDP using OAuth:

    • Define claims:

      <ClaimType Id="ms_access_token">
        <DisplayName>MS access token</DisplayName>
        <DataType>string</DataType>
        <UserHelpText>Access token from 3rd party MS AD.</UserHelpText>
      </ClaimType>
      <ClaimType Id="ms_refresh_token">
        <DisplayName>MS Refresh token</DisplayName>
        <DataType>string</DataType>
        <UserHelpText>Refresh token from 3rd party MS AD.</UserHelpText>
      </ClaimType>

    • Define technical profile:

      <ClaimsProvider>
        <Domain>live.com</Domain>
        <DisplayName>Microsoft Account</DisplayName>
        <TechnicalProfiles>
          <TechnicalProfile Id="MSA-OAuth">
            <DisplayName>Microsoft Account</DisplayName>
            <!-- OAuth2 rather than OpenIdConnect: only the OAuth2 handler exposes {oauth2:refresh_token} -->
            <Protocol Name="OAuth2"/>
            <OutputTokenFormat>JWT</OutputTokenFormat>
            <Metadata>
              <Item Key="AccessTokenEndpoint">https://login.live.com/oauth20_token.srf</Item>
              <Item Key="authorization_endpoint">https://login.live.com/oauth20_authorize.srf</Item>
              <Item Key="ClaimsEndpoint">https://graph.microsoft.com/v1.0/me</Item>
              <Item Key="ClaimsEndpointAccessTokenName">access_token</Item>
              <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
              <Item Key="client_id">XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</Item>
              <Item Key="HttpBinding">POST</Item>
              <!-- offline_access must be requested, otherwise the IdP issues no refresh token -->
              <Item Key="scope">user.read offline_access</Item>
              <Item Key="UsePolicyInRedirectUri">0</Item>
            </Metadata>
            <CryptographicKeys>
              <!-- the client secret is referenced from a policy key, never placed inline -->
              <Key Id="client_secret" StorageReferenceId="B2C_1A_MSASecret"/>
            </CryptographicKeys>
            <OutputClaims>
              <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="live.com" />
              <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
              <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="id"/>
              <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
              <OutputClaim ClaimTypeReferenceId="email" />
              <!-- raw OAuth2 tokens from the IdP, mapped onto the claims defined above -->
              <OutputClaim ClaimTypeReferenceId="ms_access_token" PartnerClaimType="{oauth2:access_token}"/>
              <OutputClaim ClaimTypeReferenceId="ms_refresh_token" PartnerClaimType="{oauth2:refresh_token}"/>
            </OutputClaims>
            <OutputClaimsTransformations>
              <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
              <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
              <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
              <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
            </OutputClaimsTransformations>
            <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
          </TechnicalProfile>
        </TechnicalProfiles>
      </ClaimsProvider>

    This will return both Access and Refresh tokens, as highlighted below:

    [screenshot: issued token showing the ms_access_token and ms_refresh_token claims]

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
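Added example (not code from the question or the answer): once the profile above runs, the application receives the MSA tokens as claims inside the B2C-issued JWT, so the remaining work is to read them out and, when the Graph access token expires, redeem ms_refresh_token at the same MSA token endpoint the profile uses. The sample JWT payload, the `_http_post` helper and the claim names are assumptions taken from the answer; the B2C signature check against the tenant JWKS is left out.

```python
import base64
import json
import urllib.parse
import urllib.request

# Endpoint and scope as in the MSA-OAuth technical profile in the answer.
MSA_TOKEN_ENDPOINT = "https://login.live.com/oauth20_token.srf"
MSA_SCOPE = "user.read offline_access"  # offline_access is what yields a refresh token

# Constructed sample payload of the JWT B2C issues to the app after that profile runs.
SAMPLE_B2C_PAYLOAD = {
    "iss": "https://contoso.b2clogin.com/tenant-id-placeholder/v2.0/",
    "ms_access_token": "sample-msa-access-token",
    "ms_refresh_token": "sample-msa-refresh-token",
}

def _b64url(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_b2c_jwt() -> str:
    """Constructed header.payload.signature token; the signature is a dummy."""
    return f"{_b64url({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url(SAMPLE_B2C_PAYLOAD)}.dummy"

def pass_through_tokens(b2c_jwt: str) -> dict:
    """Read the MSA tokens out of the B2C token's claims. In production verify
    the B2C signature against the tenant JWKS before trusting them (not shown)."""
    payload = b2c_jwt.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return {"access_token": claims["ms_access_token"], "refresh_token": claims["ms_refresh_token"]}

def _http_post(url: str, body: bytes) -> dict:
    """Real transport (hypothetical helper): form-encoded POST, JSON reply."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

def refresh_msa_tokens(client_id: str, client_secret: str,
                       refresh_token: str, post=_http_post) -> dict:
    """Standard refresh_token grant against the MSA token endpoint, run server-side so
    the client secret and refresh token stay off the browser; `post` is injectable."""
    form = {"grant_type": "refresh_token", "client_id": client_id, "scope": MSA_SCOPE,
            "client_secret": client_secret, "refresh_token": refresh_token}
    resp = post(MSA_TOKEN_ENDPOINT, urllib.parse.urlencode(form).encode())
    if "access_token" not in resp:
        raise RuntimeError(f"refresh failed: {resp.get('error', 'no access_token')}")
    return {"access_token": resp["access_token"],
            "refresh_token": resp.get("refresh_token", refresh_token)}  # MSA may rotate it
```

Because the refresh token now travels inside the B2C token, keep that token on the server side and store ms_refresh_token like any other long-lived credential rather than handing it to browser code.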

