
I am trying to have my custom B2C policy communicate with my custom SignUp/SignIn API and authenticate via an OAuth2 bearer token (not a static bearer). I have followed the instructions found here: 1 (to the letter) but I am unable to get it working. I cannot get the custom policy to send the Authorization header with a bearer token to my API, and I am unsure why.

Here is my configuration:

<ClaimsProvider>
  <DisplayName>REST APIs</DisplayName>
  <TechnicalProfiles>

    <!--OAUTH2.0 customization START-->
    <TechnicalProfile Id="REST-AcquireAccessToken">
      <DisplayName></DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/token</Item>
        <Item Key="AuthenticationType">Basic</Item>
        <Item Key="SendClaimsIn">Form</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_SecureRESTClientId" />
        <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_SecureRESTClientSecret" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" />
        <InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
    <!--OAUTH2.0 customization END-->

    <TechnicalProfile Id="REST-GetProfile">
      <DisplayName>Get user extended profile Azure Function web hook</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- Set the ServiceUrl with your own REST API endpoint -->
        <Item Key="ServiceUrl">https://url_to_API/api/SignIn?</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="AuthenticationType">Bearer</Item>
        <Item Key="UseClaimAsBearerToken">bearerToken</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <InputClaims>
        <!-- Claims sent to your REST API -->
        <InputClaim ClaimTypeReferenceId="bearerToken" />
        <InputClaim ClaimTypeReferenceId="objectId" />
        <InputClaim ClaimTypeReferenceId="extension_MemberId" />
        <InputClaim ClaimTypeReferenceId="email" />
      </InputClaims>
      <OutputClaims>
        <!-- Claims parsed from your REST API -->
        <OutputClaim ClaimTypeReferenceId="extension_MemberId" PartnerClaimType="extension_MemberId" />
        <OutputClaim ClaimTypeReferenceId="email" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>

  </TechnicalProfiles>
</ClaimsProvider>

Something that was not mentioned in the documentation, but that I saw in a post, is that you need to add an orchestration step in the signup/signin journey to call the "get an access token" profile - but I am not 100% sure it is needed.

<OrchestrationStep Order="5" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="RESTGetAccessToken" TechnicalProfileReferenceId="REST-AcquireAccessToken" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="6" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="RESTGetProfile" TechnicalProfileReferenceId="REST-GetProfile" />
  </ClaimsExchanges>
</OrchestrationStep>

I checked my API without Authorization configured and can see the custom B2C policy is calling it, but I can't see any evidence of a bearer token at all (I looked at Request.Headers in the C# code). Also, I am unsure how to configure the Authorization side of my API; that was also omitted from the documentation (unfortunately).

With the above, am I missing something? Should I see the Authorization header with a bearer token?

Any help is very much appreciated!

K Deman
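One way to set up the API side that the post says the documentation omitted, shown here as an added example that is not part of the question (the tenant id, the API's client id and the policy's REST client id are placeholders). It is an ASP.NET Core minimal API (.NET 6 or later, with the Microsoft.AspNetCore.Authentication.JwtBearer package). The first endpoint takes no authentication and only reports whether an Authorization: Bearer header arrived, which answers the "should I see the header" question directly; the second endpoint requires a token whose signature, issuer, lifetime and audience validate, and additionally pins the caller to the app whose credentials are stored in B2C_1A_SecureRESTClientId. Because the API validates aud, the scope requested by REST-AcquireAccessToken has to be this API's own App ID URI (placeholder api://<API_CLIENT_ID>/.default); a token minted for https://graph.microsoft.com/.default carries Microsoft Graph's audience and would be rejected by this API.

```csharp
// Added example, not code from the question. Placeholders: <TENANT_ID>,
// <API_CLIENT_ID>, <B2C_REST_CLIENT_ID>. Requires the NuGet package
// Microsoft.AspNetCore.Authentication.JwtBearer and .NET 6+ implicit usings.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// The policy obtains the token from the tenant's v2.0 token endpoint with
// client_credentials, so validate against that issuer's published signing keys
// and require this API's own audience (not Graph's).
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://login.microsoftonline.com/<TENANT_ID>/v2.0"; // placeholder
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            // Entra ID emits either the bare client id or the App ID URI as aud.
            ValidAudiences = new[] { "<API_CLIENT_ID>", "api://<API_CLIENT_ID>" }, // placeholders
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Diagnostic endpoint: no auth required. Point the policy's ServiceUrl at it
// temporarily and check the response to confirm a bearer header is being sent.
app.MapPost("/api/SignInDiag", (HttpRequest req) =>
{
    var present = req.Headers.TryGetValue("Authorization", out var values)
                  && values.ToString().StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase);
    // Report presence only; never echo the token itself into logs or responses.
    return Results.Ok(new { authorizationHeaderPresent = present });
});

// Real endpoint: 401 without a valid token, 403 if the token is valid but was
// issued to some other application than the policy's REST client.
app.MapPost("/api/SignIn", (SignInRequest body, ClaimsPrincipal user) =>
{
    // client_credentials tokens identify the calling app in "azp" (v2.0)
    // or "appid" (v1.0); pin it so only the B2C policy can call this API.
    var callerAppId = user.FindFirst("azp")?.Value ?? user.FindFirst("appid")?.Value;
    if (callerAppId != "<B2C_REST_CLIENT_ID>") // placeholder
        return Results.Forbid();

    // Constructed response shaped like the OutputClaims the policy expects.
    return Results.Ok(new
    {
        extension_MemberId = body.extension_MemberId ?? "member-0001",
        email = body.email,
    });
}).RequireAuthorization();

app.Run();

// Shape of the JSON body the policy posts (SendClaimsIn = Body).
record SignInRequest(string? objectId, string? extension_MemberId, string? email);
```

With this in place, a request that reaches /api/SignIn without a bearer header fails at the authentication middleware with 401 before any handler code runs, and a 403 from the app-id check distinguishes "wrong caller" from "no token" in the API logs, which is the evidence the policy-side debugging is missing.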
  • have you tried calling both acquire access token and rest-get profile in the same orchestration step – kavyaS Oct 30 '21 at 04:23
  • I have, but then I get an error when trying to upload the policy: 1 validation error(s) found in policy "B2C_1A_TRUSTFRAMEWORKEXTENSIONS" of tenant "mytenant.onmicrosoft.com".User journey "SignUpOrSignIn" in policy "B2C_1A_TrustFrameworkExtensions" of tenant "mytenant.onmicrosoft.com" has step 5 with 2 claims exchanges. It must be preceded by a claims provider selection in order to determine which claims exchange can be used. – K Deman Oct 30 '21 at 19:19
  • As you have tried calling both from the same step, I think you may have to avoid calling the token in the previous orchestration step (5). This error occurs when the same id is used in the user journey more than once. Please check [this](https://stackoverflow.com/questions/63204123/aadb2c-custom-policy-local-and-social-account-sign-policy-with-split-email-ver) too. – kavyaS Nov 01 '21 at 13:36
  • I don't call it in a previous step though - so I don't think that is the problem. I also looked in the Relying Party configuration - I don't think I am doing anything wrong there either.... – K Deman Nov 02 '21 at 12:42
