Define an OAuth1 technical profile in an Azure Active Directory B2C custom policy
Note
In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows. If you've not done so, learn about custom policy starter pack in Get started with custom policies in Active Directory B2C.
Azure Active Directory B2C (Azure AD B2C) provides support for the OAuth 1.0 protocol identity provider. This article describes the specifics of a technical profile for interacting with a claims provider that supports this standardized protocol. With an OAuth1 technical profile, you can federate with an OAuth1 based identity provider, such as X. Federating with the identity provider allows users to sign in with their existing social or enterprise identities.
Protocol
The Name attribute of the Protocol element needs to be set to OAuth1. For example, the protocol for the Twitter-OAUTH1 technical profile is OAuth1.
<TechnicalProfile Id="Twitter-OAUTH1">
<DisplayName>X</DisplayName>
<Protocol Name="OAuth1" />
...
Input claims
The InputClaims and InputClaimsTransformations elements are empty or absent.
Output claims
The OutputClaims element contains a list of claims returned by the OAuth1 identity provider. You may need to map the name of the claim defined in your policy to the name defined in the identity provider. You can also include claims that aren't returned by the identity provider as long as you set the DefaultValue attribute.
The OutputClaimsTransformations element may contain a collection of OutputClaimsTransformation elements that are used to modify the output claims or generate new ones.
The following example shows the claims returned by the X identity provider:
- The user_id claim that is mapped to the issuerUserId claim.
- The screen_name claim that is mapped to the displayName claim.
- The email claim without name mapping.
The technical profile also returns claims that aren't returned by the identity provider:
- The identityProvider claim that contains the name of the identity provider.
- The authenticationSource claim with a default value of
socialIdpAuthentication.
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="user_id" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="screen_name" />
<OutputClaim ClaimTypeReferenceId="email" />
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="twitter.com" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
</OutputClaims>
Metadata
| Attribute | Required | Description |
|---|---|---|
| client_id | Yes | The application identifier of the identity provider. |
| ProviderName | No | The name of the identity provider. |
| request_token_endpoint | Yes | The URL of the request token endpoint as per RFC 5849. |
| authorization_endpoint | Yes | The URL of the authorization endpoint as per RFC 5849. |
| access_token_endpoint | Yes | The URL of the token endpoint as per RFC 5849. |
| ClaimsEndpoint | No | The URL of the user information endpoint. |
| ClaimsResponseFormat | No | The claims response format. |
Cryptographic keys
The CryptographicKeys element contains the following attribute:
| Attribute | Required | Description |
|---|---|---|
| client_secret | Yes | The client secret of the identity provider application. |
Redirect URI
When you configure the redirect URI of your identity provider, enter https://{tenant-name}.b2clogin.com/{tenant-name}.onmicrosoft.com/{policy-id}/oauth1/authresp. Make sure to replace {tenant-name} with your tenant's name (for example, contosob2c) and {policy-id} with the identifier of your policy (for example, b2c_1a_policy). The redirect URI needs to be in all lowercase. Add a redirect URL for all policies that use the identity provider login.
Examples: