Json claim in ID token from external IDP in custom policy
I am integrating with an external identity provider using Custom Policies in B2C. The provider returns an ID token where one of the claims is a JSON array (note: not a stringified array!). There is no JSON data type in Custom Policies, so in the claims schema I used "string". When I try to output the claim in my Custom Policy, I either get the value of the input claim (1), or B2C crashes with no helpful error message.
Are JSON claims supported in Custom Policies? If so, how do I output them (or transform, then output)? The protocol is OpenIdConnect, so ResolveJsonPathsInJsonTokens doesn't work.
Example token:
{
  "sub" : "Qk3QR84q9h7ruwRm39jjSh3gkZT2ZuJ1CAWrsoIn5sM",
  "amr" : [ "TestID" ],
  "iss" : "https://some-external-idp.com",
  "pid" : "some-pid",
  "locale" : "en",
  "nonce" : "Mmi9PzMuxHSNam4C-pKdyII3dmBoNSnNXeeXsaXLj48",
  "sid" : "803XSscIVmk40AXUGDNcXtWqTiZttvg8a5Q6HA_t2HE",
  "aud" : "9a99e96d-b56c-4f74-a689-f936f71c8819",
  "acr" : "substantial",
  "authorization_details" : [ {      // <- this is the claim I am interested in
    "resource" : "a-resource-code",
    "type" : "a-resource-type",
    "resource_name" : "a-description",
    "reportees" : [ {
      "Authority" : "some-authority",
      "ID" : "some-id-code"          // (actually, it's this one, but one step at a time)
    } ]
  } ],
  "auth_time" : 1661871859,
  "exp" : 1661871982,
  "iat" : 1661871862,
  "jti" : "OabihA_O3XQ"
}
From framework extensions custom policy:
<ClaimType Id="myJsonArray">
  <DisplayName>JSON claim from IDP</DisplayName>
  <DataType>string</DataType>
</ClaimType>
[...]
<InputClaim ClaimTypeReferenceId="myJsonArray" PartnerClaimType="authorization_details" DefaultValue="[a static stringified json array]" />
[...]
<OutputClaim ClaimTypeReferenceId="myJsonArray" PartnerClaimType="authorization_details" />
From signin custom policy:
<OutputClaim ClaimTypeReferenceId="myJsonArray" PartnerClaimType="myOutputClaim" />
(1) The external IDP has an input parameter with the same name as the claim in question. I tried creating a different input claim with a name collision, and that worked fine. So I suspect the name is not the problem.
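The question hinges on the difference between a claim that is a real JSON array and one that is a stringified array, and on reaching a nested value (authorization_details[0].reportees[0].ID) once the claim is in hand. The following is an added Python example, not part of the original post and not B2C policy code: it decodes a constructed, unsigned ID token whose payload mirrors the one above, normalises the claim to the string form a string-typed claim would carry, and resolves the nested path. The token builder, the path syntax and all placeholder values are assumptions made for the demo; B2C itself validates the IdP's signature before claims mapping, so the unverified decode here is for inspection only.

```python
import base64
import json
from typing import Any

# Constructed payload mirroring the token in the question (not a real token;
# every value is the placeholder copied from the post).
SAMPLE_PAYLOAD: dict[str, Any] = {
    "sub": "Qk3QR84q9h7ruwRm39jjSh3gkZT2ZuJ1CAWrsoIn5sM",
    "amr": ["TestID"],
    "iss": "https://some-external-idp.com",
    "aud": "9a99e96d-b56c-4f74-a689-f936f71c8819",
    "acr": "substantial",
    "authorization_details": [
        {
            "resource": "a-resource-code",
            "type": "a-resource-type",
            "resource_name": "a-description",
            "reportees": [{"Authority": "some-authority", "ID": "some-id-code"}],
        }
    ],
    "auth_time": 1661871859,
    "exp": 1661871982,
    "iat": 1661871862,
}


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_unsigned_demo_token(payload: dict[str, Any]) -> str:
    """Inspection-only compact JWS with alg=none and an empty signature (assumption:
    demo helper). Never accept such a token from a real IdP."""
    header = {"alg": "none", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([b64url_encode(compact(header)), b64url_encode(compact(payload)), ""])


def decode_payload_unverified(token: str) -> dict[str, Any]:
    """Split the compact JWS and parse the payload WITHOUT checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def claim_as_string(value: Any) -> str:
    """Normalise a JSON claim to one canonical string, whether the IdP sent a real
    JSON array/object (the question's case) or an already stringified one.
    Anything else is rejected rather than silently coerced."""
    if isinstance(value, str):
        parsed = json.loads(value)
    elif isinstance(value, (list, dict)):
        parsed = value
    else:
        raise TypeError(f"expected JSON array/object or string, got {type(value).__name__}")
    if not isinstance(parsed, (list, dict)):
        raise TypeError("stringified claim does not contain a JSON array/object")
    return json.dumps(parsed, separators=(",", ":"), sort_keys=True)


def resolve_path(obj: Any, path: str) -> Any:
    """Minimal dotted-path resolver, e.g. 'authorization_details[0].reportees[0].ID'
    (assumption: toy syntax, not JSONPath). Raises KeyError/IndexError when absent."""
    cur = obj
    for part in path.split("."):
        name, *indexes = part.replace("]", "").split("[")
        if name:
            cur = cur[name]
        for idx in indexes:
            cur = cur[int(idx)]
    return cur


def reportee_ids(authorization_details: list[dict[str, Any]]) -> list[str]:
    """Collect every reportees[].ID across all authorization_details entries."""
    return [r["ID"] for entry in authorization_details for r in entry.get("reportees", [])]


if __name__ == "__main__":
    token = build_unsigned_demo_token(SAMPLE_PAYLOAD)
    payload = decode_payload_unverified(token)
    print("stringified claim:", claim_as_string(payload["authorization_details"]))
    print("nested ID:", resolve_path(payload, "authorization_details[0].reportees[0].ID"))
    print("all reportee IDs:", reportee_ids(payload["authorization_details"]))
```

claim_as_string produces the same output for the real array and for its stringified form, which is the string a string-typed claim would have to hold before any further transformation; the resolver then shows what a JSON-path step would need to do to reach the ID value.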