This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 61%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEL%3C/text%3E%3C/svg%3E)
I am integrating with an external identity provider using Custom Policies in B2C. The provider returns an ID token where one of the claims is a JSON array (note: not a stringified array!). There is no json data type in Custom Policies, so in the claims schema I used "string". When I try to output the claim in my Custom Policy, I either get the value of the input claim(1), or B2C crashes with no helpful error message.
Are JSON claims supported in Custom Policies? If so, how do I output them (or transform, then output)? The protocol is OpenIdConnect, so ResolveJsonPathsInJsonTokens doesn't work.
Example token:
{
"sub" : "Qk3QR84q9h7ruwRm39jjSh3gkZT2ZuJ1CAWrsoIn5sM",
"amr" : [ "TestID" ],
"iss" : "https://some-external-idp.com",
"pid" : "some-pid",
"locale" : "en",
"nonce" : "Mmi9PzMuxHSNam4C-pKdyII3dmBoNSnNXeeXsaXLj48",
"sid" : "803XSscIVmk40AXUGDNcXtWqTiZttvg8a5Q6HA_t2HE",
"aud" : "9a99e96d-b56c-4f74-a689-f936f71c8819",
"acr" : "substantial",
"authorization_details" : [ { // <- this is the claim I am interested in
"resource" : "a-resource-code",
"type" : "a-resource-type",
"resource_name" : "a-description",
"reportees" : [ {
"Authority" : "some-authority",
"ID" : "some-id-code" // (actually, it's this one, but one step at a time)
} ]
} ],
"auth_time" : 1661871859,
"exp" : 1661871982,
"iat" : 1661871862,
"jti" : "OabihA_O3XQ"
}
From framework extensions custom policy:
<ClaimType Id="myJsonArray">
<DisplayName>JSON claim from IDP</DisplayName>
<DataType>string</DataType>
</ClaimType>
[...]
<InputClaim ClaimTypeReferenceId="myJsonArray" PartnerClaimType="authorization_details" DefaultValue="[a static stringified json array]" />
[...]
<OutputClaim ClaimTypeReferenceId="myJsonArray" PartnerClaimType="authorization_details" />
From signin custom policy:
<OutputClaim ClaimTypeReferenceId="myJsonArray" PartnerClaimType="myOutputClaim" />
(1)The external IDP has an input parameter with the same name as the claim in question. I tried creating different input claim with a name collision, and thatworked fine. So I suspect the name is not the problem.
Hello @Erik Lydersen ,
Thanks for posting you query in the forums. From the above description I could see you are looking for assistance on the following queries (please correct me if I miss something):
I will be researching this and getting back to you.
Thanks,
Akshay Kaushik
Hi Akshay,
Thanks for your reply. I've been doing som digging, and there might be other issues causing this. authorization_details is "special" in OAuth2, and is supposed to be returned either on the top level (section 7 of the spec) or in the access token if it's a JWT (section 9.1). The external IDP returns it as a claim in the ID token, which is not mentioned in the spec. Not sure if this could cause issues? I would've thought that I could get the returned claim value anyway, but for some reason I can't. So maybe my question is: Why can't I access the returned authorization_details value? And my suggestions are A) because it's special and not used according to the spec B) because it's JSON or C) something else
Hopefully you can help shed some light on this.
Hello @ErikLydesen,
Thanks for clarifying the ask. This will help me in digging through.
Hi again,
Another discovery: I found out out that the access token from the external IDP is a JWT, and has a authorization_details claim which is a copy of the one on the ID token. If I could access the claim on this access token somehow, it would also be a solution to my problem.
Erik
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 28.999999999999996%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Hi Akshay,
I too have same issue.. need to fetch custom claim from external idp which is a JSON object value.
Appreciate a sample/response from microsoft. its easy to fetch the same custom claim from .net code using openid connect events.. and these claims are present in security.token or in payload comming back from external idp.
Microsoft should really work on improving this feature for B2C custom flow.