Question (asked by SamD2707; MiloradSavcic-9852 commented)

How to pass refresh token of a third party IDP to the application via Azure AD B2C?

I’m working on an application which can read files of a given OneDrive account.

We use Azure AD B2C as the identity provider. Users can login to the application using their Microsoft account. For that we have enabled Microsoft as an Identity Provider in my AAD B2C tenant.

When a given user logs in using their Microsoft account, the application should be able to get both access_token and refresh_token, which enables us to communicate with the MS Graph API in order to fetch file details.

Using custom policies we were able to fetch access_token. However, we cannot fetch the refresh_token.

This is how ClaimsSchema is defined in TrustFrameworkExtensions.xml:

[screenshot 20439-screenshot-2020-08-26-at-130458.png: ClaimsSchema definition]

Also in the same file, under the TechnicalProfile of Microsoft login, following OutputClaims node is added (some child nodes are removed for clarity):

[screenshot 20347-screenshot-2020-08-26-at-130701.png: OutputClaims of the Microsoft login TechnicalProfile]

Then under the relevant RelyingParty node following OutputClaims node is added (some child nodes are removed for clarity):

[screenshot 20440-screenshot-2020-08-26-at-130821.png: OutputClaims of the RelyingParty]

According to documentation there is no claim resolver for refresh_token.

Any suggestion to get this to work?



1 Answer

Answer by amanpreetsingh-msft (1 vote; MiloradSavcic-9852 commented)

Hello @SampathDilhan-7447

To get both Access and Refresh tokens, you would need to federate the MSA IDP with B2C via OAuth. As of now, for OIDC IDPs only the Access Token is passed through.

Please refer to the Technical Profile below to add the MSA IDP using OAuth:

  • Define Claim:

    <ClaimType Id="ms_access_token">
      <DisplayName>MS access token</DisplayName>
      <DataType>string</DataType>
      <UserHelpText>access token from 3rd party MS AD.</UserHelpText>
    </ClaimType>
    <ClaimType Id="ms_refresh_token">
      <DisplayName>MS Refresh token</DisplayName>
      <DataType>string</DataType>
      <UserHelpText>refresh token from 3rd party MS AD.</UserHelpText>
    </ClaimType>

  • Define Technical Profile:

    <ClaimsProvider>
      <Domain>live.com</Domain>
      <DisplayName>Microsoft Account</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="MSA-OAuth">
          <DisplayName>Microsoft Account</DisplayName>
          <Protocol Name="OAuth2"/>
          <OutputTokenFormat>JWT</OutputTokenFormat>
          <Metadata>
            <Item Key="AccessTokenEndpoint">https://login.live.com/oauth20_token.srf</Item>
            <Item Key="authorization_endpoint">https://login.live.com/oauth20_authorize.srf</Item>
            <Item Key="ClaimsEndpoint">https://graph.microsoft.com/v1.0/me</Item>
            <Item Key="ClaimsEndpointAccessTokenName">access_token</Item>
            <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
            <Item Key="client_id">XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</Item>
            <Item Key="HttpBinding">POST</Item>
            <!-- offline_access is what makes the IdP issue a refresh token -->
            <Item Key="scope">user.read offline_access</Item>
            <Item Key="UsePolicyInRedirectUri">0</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="B2C_1A_MSASecret"/>
          </CryptographicKeys>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="live.com" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
            <!-- newer starter packs name this claim issuerUserId instead of socialIdpUserId (see the comments below) -->
            <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="id"/>
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
            <OutputClaim ClaimTypeReferenceId="email" />
            <OutputClaim ClaimTypeReferenceId="ms_access_token" PartnerClaimType="{oauth2:access_token}"/>
            <OutputClaim ClaimTypeReferenceId="ms_refresh_token" PartnerClaimType="{oauth2:refresh_token}"/>
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
            <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
          </OutputClaimsTransformations>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

This will return both Access and Refresh tokens, as highlighted below:
[screenshot 20623-image.png: token containing both the access and the refresh token claims]


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


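As an added example (not from the answer, the starter pack or Microsoft's code), here is how the relying application could consume the two custom claims once the B2C policy issues them: base64url-decode the token payload, pull ms_access_token and ms_refresh_token, build the standard OAuth 2.0 refresh_token grant request against the token endpoint named in the profile's AccessTokenEndpoint metadata, and rotate the stored refresh token from the response. The JWT, client id, client secret and token endpoint response are all constructed; make_demo_jwt exists only for the offline demo, and read_unverified_claims deliberately skips signature verification, which a real application must perform against the B2C policy's published signing keys before trusting any claim in the token.

```python
import base64
import json
from urllib.parse import urlencode

# Token endpoint taken from the AccessTokenEndpoint metadata in the answer's profile.
MSA_TOKEN_ENDPOINT = "https://login.live.com/oauth20_token.srf"


def b64url_encode(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the stripped padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_demo_jwt(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature. Constructed for the
    offline demo only; a real B2C token carries a genuine RS256 signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        "placeholder-signature",
    ])


def read_unverified_claims(jwt: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.
    Only call this after the token's signature and issuer have been validated;
    the check is out of scope here because the demo token is constructed."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def extract_graph_tokens(claims: dict) -> tuple[str, str]:
    """Pull the two custom claims defined in the answer's ClaimsSchema."""
    access = claims.get("ms_access_token")
    refresh = claims.get("ms_refresh_token")
    if not access or not refresh:
        raise KeyError("ms_access_token / ms_refresh_token missing: check that the "
                       "MSA-OAuth profile outputs them and the RelyingParty passes them through")
    return access, refresh


def build_refresh_request(refresh_token: str, client_id: str, client_secret: str,
                          scope: str = "user.read offline_access") -> tuple[str, dict, str]:
    """Prepare the refresh_token grant (RFC 6749 section 6) for the MSA token endpoint.
    Returns (url, headers, form body); sending it is left to the caller's HTTP client."""
    body = urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,  # hypothetical value; load from a secret store
        "scope": scope,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return MSA_TOKEN_ENDPOINT, headers, body


def apply_token_response(store: dict, response_json: dict, now: float) -> dict:
    """Update a per-user token store from a token endpoint response and rotate
    the stored refresh token whenever the IdP issues a new one."""
    if "error" in response_json:
        raise RuntimeError(f"token refresh failed: {response_json['error']}")
    store["access_token"] = response_json["access_token"]
    store["expires_at"] = now + int(response_json.get("expires_in", 0))
    if response_json.get("refresh_token"):
        store["refresh_token"] = response_json["refresh_token"]
    return store


if __name__ == "__main__":
    # Constructed B2C token with the two custom claims present.
    token = make_demo_jwt({"sub": "user-1", "ms_access_token": "ACCESS-1",
                           "ms_refresh_token": "REFRESH-1"})
    access, refresh = extract_graph_tokens(read_unverified_claims(token))
    url, headers, body = build_refresh_request(refresh, "client-id-placeholder", "secret-placeholder")
    print(url, headers, body)
    # Constructed token endpoint response used to rotate the stored refresh token.
    store = apply_token_response({"refresh_token": refresh},
                                 {"access_token": "ACCESS-2", "expires_in": 3600,
                                  "refresh_token": "REFRESH-2"}, now=1000.0)
    print(store)
```

The store update keeps the old refresh token only when the response omits a new one, so a rotated token is never silently overwritten with a stale copy.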

Thank you very much for the excellent answer @amanpreetsingh-msft ! This worked for me with very minor modifications.

  1. Had to remove three semicolons in the xml.

  2. Instead of socialIdpUserId, I had to use issuerUserId as the ClaimTypeReferenceId in the above code block.

Cheers!


@SampathDilhan-7447 Thank you for the confirmation. I don't see the semicolons while trying to edit the answer; maybe it's an issue with the platform. I have an older version of the Starter Pack in my lab, which is why socialIdpUserId worked for me. In the newer starter packs, socialIdpUserId is replaced with issuerUserId.


What do the PartnerClaim types reference here, the access_token claims, the id_token claims or something third?

When I set the PartnerClaim type to tid (this is contained in both the access_token and the id_token) I do not get a value; however, referencing givenName I get a value, even though displayName is not a claim in either the access_token or the id_token.

Where is this documented?


I have found the relevant Microsoft documentation: there is a claims endpoint which is called as part of the OAuth2 Technical Profile, and its response is the source of the claims. For this call to be made, two calls need to be made to the standard endpoints /authorize and /token (this is the OAuth2 authorization code flow).

https://docs.microsoft.com/en-us/azure/active-directory-b2c/oauth2-technical-profile#user-info-endpoint-metadata

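To make the resolution rule discussed in the comments above concrete, here is an added example (not B2C's own code and not from the answer) that simulates how an OAuth2 technical profile fills its OutputClaims: a PartnerClaimType of the form {oauth2:...} is read from the token endpoint response, every other PartnerClaimType (or, when none is given, the ClaimTypeReferenceId itself) is looked up in the claims endpoint response, and DefaultValue fills in when nothing resolves. The trimmed profile XML, the token response and the claims endpoint response are all constructed; the claims endpoint sample uses the key names the profile expects and does not reproduce the real shape of a Graph /me response. The tenantId/tid mapping is added to show why a claim that exists only inside the IdP's tokens, and not in the claims endpoint response, comes back empty.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the answer's MSA-OAuth OutputClaims plus a tenantId <- tid
# mapping like the one a commenter tried. Constructed for this example.
PROFILE_XML = """
<TechnicalProfile Id="MSA-OAuth">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="live.com" />
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id"/>
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="email" />
    <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
    <OutputClaim ClaimTypeReferenceId="ms_access_token" PartnerClaimType="{oauth2:access_token}"/>
    <OutputClaim ClaimTypeReferenceId="ms_refresh_token" PartnerClaimType="{oauth2:refresh_token}"/>
  </OutputClaims>
</TechnicalProfile>
"""

# Constructed token endpoint response (what AccessTokenEndpoint returns after the
# authorization code is redeemed). offline_access is what yields refresh_token.
TOKEN_RESPONSE = {
    "token_type": "bearer",
    "expires_in": 3600,
    "scope": "user.read offline_access",
    "access_token": "ACCESS-TOKEN-EXAMPLE",
    "refresh_token": "REFRESH-TOKEN-EXAMPLE",
}

# Constructed claims endpoint response (what ClaimsEndpoint returns). It carries
# no 'tid' and no 'email' key, which is the situation the comments describe.
CLAIMS_ENDPOINT_RESPONSE = {
    "id": "0123456789abcdef",
    "name": "Sam Example",
    "givenName": "Sam",
}

OAUTH2_PREFIX = "{oauth2:"


def parse_output_claims(xml_text: str) -> list[dict]:
    """Read every OutputClaim element of the profile into a dict of its attributes."""
    root = ET.fromstring(xml_text.strip())
    return [dict(el.attrib) for el in root.iter("OutputClaim")]


def resolve_claims(output_claims: list[dict], token_response: dict,
                   claims_response: dict) -> dict:
    """Simulated resolution (assumption about B2C behaviour, not its code):
    {oauth2:x} comes from the token response, anything else from the claims
    endpoint response, with DefaultValue as the fallback."""
    resolved = {}
    for oc in output_claims:
        claim_id = oc["ClaimTypeReferenceId"]
        partner = oc.get("PartnerClaimType", claim_id)
        if partner.startswith(OAUTH2_PREFIX) and partner.endswith("}"):
            value = token_response.get(partner[len(OAUTH2_PREFIX):-1])
        else:
            value = claims_response.get(partner)
        if value is None:
            value = oc.get("DefaultValue")
        resolved[claim_id] = value
    return resolved


def unresolved_claims(resolved: dict) -> list[str]:
    """Names of output claims that ended up empty; useful when debugging a profile."""
    return sorted(k for k, v in resolved.items() if v is None)


if __name__ == "__main__":
    claims = resolve_claims(parse_output_claims(PROFILE_XML),
                            TOKEN_RESPONSE, CLAIMS_ENDPOINT_RESPONSE)
    for k, v in claims.items():
        print(f"{k}: {v}")
    print("unresolved:", unresolved_claims(claims))
```

Running it shows tenantId and email as unresolved while displayName and issuerUserId are filled from the claims endpoint response and the two token claims come from the token response, which is the distinction the documentation link above describes.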