Created
September 20, 2021 02:10
-
-
Save rbrayb/549f61e87a96240a756775ce4c1274ba to your computer and use it in GitHub Desktop.
Hosting the id_token_hint well-known endpoint in Azure AD B2C itself
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8" standalone="yes"?> | |
| <TrustFrameworkPolicy | |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_Username_ProofUp_MLB2C" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_Username_ProofUp_MLB2C" | |
| DeploymentMode="Development" | |
| UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights"> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_TrustFrameworkExtensionsMFA</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="mail"> | |
| <DisplayName>Email Address</DisplayName> | |
| <DataType>string</DataType> | |
| <AdminHelpText>Email addresses of the user.</AdminHelpText> | |
| <UserHelpText>Your email addresses.</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="strongAuthenticationEmailAddress"> | |
| <DisplayName>Email Address</DisplayName> | |
| <DataType>string</DataType> | |
| <AdminHelpText>Email address that the user can use for strong authentication.</AdminHelpText> | |
| <UserHelpText>Email address to use for strong authentication.</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="signInNamesInfo.emailAddress"> | |
| <DisplayName>Email Address</DisplayName> | |
| <DataType>string</DataType> | |
| <AdminHelpText>Email address that the user can use to sign in.</AdminHelpText> | |
| <UserHelpText>Email address to use for signing in.</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="emails"> | |
| <DisplayName>Email Addresses</DisplayName> | |
| <DataType>stringCollection</DataType> | |
| <AdminHelpText>Email addresses of the user.</AdminHelpText> | |
| <UserHelpText>Your email addresses.</UserHelpText> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| <ClaimsTransformations> | |
| <ClaimsTransformation Id="CreateSubjectClaimFromObjectID" TransformationMethod="CreateStringClaim"> | |
| <InputParameters> | |
| <InputParameter Id="value" DataType="string" Value="Not supported currently. Use oid claim."/> | |
| </InputParameters> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="sub" TransformationClaimType="createdClaim"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| <ClaimsTransformation Id="CreateEmailsFromOtherMailsAndSignInNamesInfo" TransformationMethod="AddItemToStringCollection"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInNamesInfo.emailAddress" TransformationClaimType="item"/> | |
| <InputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| <ClaimsTransformation Id="AddStrongAuthenticationEmailToEmails" TransformationMethod="AddItemToStringCollection"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" TransformationClaimType="item"/> | |
| <InputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| </ClaimsTransformations> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>Local Account Username</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="AAD-UserReadUsingUserName"> | |
| <Metadata> | |
| <Item Key="Operation">Read</Item> | |
| <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item> | |
| </Metadata> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="objectId"/> | |
| <OutputClaim ClaimTypeReferenceId="displayName"/> | |
| <OutputClaim ClaimTypeReferenceId="givenName"/> | |
| <OutputClaim ClaimTypeReferenceId="surname"/> | |
| <OutputClaim ClaimTypeReferenceId="signInName"/> | |
| <OutputClaim ClaimTypeReferenceId="mail"/> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication"/> | |
| <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress"/> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromObjectID"/> | |
| </OutputClaimsTransformations> | |
| <IncludeTechnicalProfile ReferenceId="AAD-ReadCommon"/> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="AAD-ReadCommon"> | |
| <Metadata> | |
| <Item Key="Operation">Read</Item> | |
| <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="userPrincipalName"/> | |
| <OutputClaim ClaimTypeReferenceId="displayName"/> | |
| <OutputClaim ClaimTypeReferenceId="otherMails"/> | |
| <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" PartnerClaimType="signInNames.emailAddress"/> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="CreateEmailsFromOtherMailsAndSignInNamesInfo"/> | |
| <OutputClaimsTransformation ReferenceId="AddStrongAuthenticationEmailToEmails"/> | |
| </OutputClaimsTransformations> | |
| <IncludeTechnicalProfile ReferenceId="AAD-Common"/> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="IdTokenHint_Asymmetric_ExtractClaims"> | |
| <DisplayName>My ID Token Hint Asymmetric Technical Profile</DisplayName> | |
| <Protocol Name="None"/> | |
| <Metadata> | |
| <!-- Replace with your endpoint location --> | |
| <Item Key="METADATA">https://tenant.b2clogin.com/tenant.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1A_SIGNUP_SIGNIN_MLB2C</Item> | |
| <Item Key="IdTokenAudience">7bd30dbe...1d14760</Item> | |
| <Item Key="issuer">http://localhost:57408/</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="ProofUp_MagicLink_B2C"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="GetClaims" CpimIssuerTechnicalProfileReferenceId="IdTokenHint_Asymmetric_ExtractClaims"/> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="Read-WithUsername" TechnicalProfileReferenceId="AAD-UserReadUsingUserName"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| </UserJourneys> | |
| <RelyingParty> | |
| <DefaultUserJourney ReferenceId="ProofUp_MagicLink_B2C"/> | |
| <UserJourneyBehaviors> | |
| <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="xyz" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0"/> | |
| </UserJourneyBehaviors> | |
| <TechnicalProfile Id="PolicyProfile"> | |
| <DisplayName>PolicyProfile</DisplayName> | |
| <Protocol Name="OpenIdConnect"/> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="displayName"/> | |
| <OutputClaim ClaimTypeReferenceId="givenName"/> | |
| <OutputClaim ClaimTypeReferenceId="surname"/> | |
| <OutputClaim ClaimTypeReferenceId="signInName"/> | |
| <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/> | |
| <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="Local"/> | |
| <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}"/> | |
| </OutputClaims> | |
| <SubjectNamingInfo ClaimType="sub"/> | |
| </TechnicalProfile> | |
| </RelyingParty> | |
| </TrustFrameworkPolicy> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://medium.com/the-new-control-plane/hosting-the-id-token-hint-well-known-endpoint-in-azure-ad-b2c-itself-1c27be147613