79334180

Date: 2025-01-06 19:57:34

Introduction

In this post, I will share how to configure Azure AD B2C Custom Policies to dynamically generate a bearer or access token using a token endpoint. This is particularly useful for scenarios where you need to authenticate with a third-party system or API and retrieve dynamic access tokens.

Why This is Useful

Simplifies API authentication by automating token retrieval. Makes it easy to integrate with systems requiring OAuth 2.0 authentication. Enhances the capabilities of Azure AD B2C Custom Policies for advanced scenarios.

Key Concepts

Claims and Technical Profiles: Define claims to hold the required values (e.g., client_id, client_secret) and use a Technical Profile to call the token URL.
Service URL: Points to the OAuth token endpoint, typically in the format: https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/token.
Claims Transformation: Ensures that the received access token (bearerToken) can be used in subsequent steps.

Step-by-Step Guide

1) Define Claim Types

Define the claims required for the token generation. Place this under the <ClaimsSchema> section of your custom policy XML:

<ClaimType Id="grant_type">
  <DisplayName>grant_type</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="grant_type" />
  </DefaultPartnerClaimTypes>
</ClaimType>
<ClaimType Id="client_id">
  <DisplayName>Client ID</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="client_id" />
  </DefaultPartnerClaimTypes>
</ClaimType>
<ClaimType Id="client_secret">
  <DisplayName>Client secret</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="client_secret" />
  </DefaultPartnerClaimTypes>
</ClaimType>
<ClaimType Id="resource">
  <DisplayName>resource</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="resource" />
  </DefaultPartnerClaimTypes>
</ClaimType>
<!-- The claim that receives the access_token from the token endpoint;
     it must be declared here or the technical profile below will not validate -->
<ClaimType Id="bearerToken">
  <DisplayName>Bearer token</DisplayName>
  <DataType>string</DataType>
</ClaimType>

Note: You can provide the values here or in the Technical Profile; it is up to you.

2) Create the Technical Profile

This profile retrieves the access token from the token URL and stores it in the bearerToken claim. Place this under the <TechnicalProfiles> section of a ClaimsProvider:

<TechnicalProfile Id="OAuth2BearerToken">
  <DisplayName>Get OAuth Bearer Token</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <!-- Replace YOUR_TENANT_ID with the tenant whose token endpoint is called -->
    <Item Key="ServiceUrl">https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/token</Item>
    <Item Key="HttpMethod">POST</Item>
    <Item Key="AuthenticationType">None</Item>
    <Item Key="HttpBinding">POST</Item>
    <!-- Claims are sent as a form-encoded body, which is what the token endpoint expects -->
    <Item Key="SendClaimsIn">Form</Item>
    <Item Key="Content-Type">application/x-www-form-urlencoded</Item>
  </Metadata>
  <InputClaims>
    <!-- AlwaysUseDefaultValue="true" sends the DefaultValue on every call, so the
         client secret below is stored in clear text inside the policy file -->
    <InputClaim ClaimTypeReferenceId="client_id" PartnerClaimType="client_id" DefaultValue="Your_Client_Id" AlwaysUseDefaultValue="true" />
    <InputClaim ClaimTypeReferenceId="client_secret" PartnerClaimType="client_secret" DefaultValue="Your_Client_Secret" AlwaysUseDefaultValue="true" />
    <InputClaim ClaimTypeReferenceId="resource" PartnerClaimType="resource" DefaultValue="resource id (Optional)" AlwaysUseDefaultValue="true" />
    <InputClaim ClaimTypeReferenceId="grant_type" PartnerClaimType="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" />
  </InputClaims>
  <OutputClaims>
    <!-- access_token from the JSON response is mapped to bearerToken. The DefaultValue is
         used when the response has no access_token, so remove it in production to fail loudly -->
    <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" DefaultValue="default token" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

3) Integrate with the Orchestration Step

Use the OAuth2BearerToken Technical Profile in your orchestration journey. For example:

<OrchestrationStep Order="1" Type="ClaimsExchange">
  <Preconditions>
    <!-- ClaimsExist takes a single Value (the claim type) and is the precondition
         for "skip if we already have a token"; ClaimEquals would compare
         bearerToken against a literal string instead -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>bearerToken</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="GetBearerToken" TechnicalProfileReferenceId="OAuth2BearerToken" />
  </ClaimsExchanges>
</OrchestrationStep>

Tips and Best Practices

Always use secure methods to manage client_id and client_secret. Validate the token endpoint and ensure it adheres to OAuth 2.0 standards. Log outputs in development for debugging purposes but avoid exposing sensitive data.

Conclusion

By following these steps, you can dynamically generate bearer tokens in Azure AD B2C Custom Policies, simplifying secure integrations with external systems.

I have tried the same in a Postman collection. Hope this helps :) Thanks, Vamsi Krishna Chaganti
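The answer above hard-codes the client secret in the policy file, leaves the output claim with a placeholder DefaultValue, and references a bearerToken claim that the ClaimsSchema never declares. As an added example that is not part of the answer or of any Microsoft tooling, the following Python script statically lints a B2C policy for exactly those problems: RESTful technical profiles whose ServiceUrl is not HTTPS or still holds a placeholder, secret-like input claims sent via AlwaysUseDefaultValue, output claims with a DefaultValue or an undeclared ClaimType, and preconditions with the wrong type or Value count. The policy fragment it checks is constructed here to mirror the answer's profile (the namespace, element names and precondition types are B2C's own; the finding texts, placeholder heuristics and sample values are mine).

```python
"""Static checks for an Azure AD B2C custom policy that fetches a bearer token
through the RestfulProvider. Added example; the sample policy is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
RESTFUL_HANDLER = "Web.TPEngine.Providers.RestfulProvider"
SECRET_LIKE = re.compile(r"secret|password|api[_-]?key", re.IGNORECASE)
PLACEHOLDER = re.compile(r"your[_ ]|<[^>]*>", re.IGNORECASE)   # heuristic, mine
VALID_PRECONDITIONS = {"ClaimsExist", "ClaimEquals"}

# Constructed policy fragment mirroring the answer, including its defects.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <BuildingBlocks><ClaimsSchema>
    <ClaimType Id="client_id"><DataType>string</DataType></ClaimType>
    <ClaimType Id="client_secret"><DataType>string</DataType></ClaimType>
    <ClaimType Id="grant_type"><DataType>string</DataType></ClaimType>
  </ClaimsSchema></BuildingBlocks>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="OAuth2BearerToken">
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/token</Item>
        <Item Key="AuthenticationType">None</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="00000000-0000-0000-0000-000000000000" AlwaysUseDefaultValue="true" />
        <InputClaim ClaimTypeReferenceId="client_secret" DefaultValue="Your_Client_Secret" AlwaysUseDefaultValue="true" />
        <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" DefaultValue="default token" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
  <UserJourneys><UserJourney Id="SignIn"><OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange"><Preconditions>
      <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
        <Value>bearerToken</Value><Value>NOT_EMPTY</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions></OrchestrationStep>
  </OrchestrationSteps></UserJourney></UserJourneys>
</TrustFrameworkPolicy>"""

# The same policy with the structural defects repaired; the secret stays hard-coded
# because the form-body client_secret has nowhere else to live in this design.
FIXED_POLICY = (SAMPLE_POLICY
    .replace("YOUR_TENANT_ID", "11111111-2222-3333-4444-555555555555")
    .replace('<ClaimType Id="grant_type"><DataType>string</DataType></ClaimType>',
             '<ClaimType Id="grant_type"><DataType>string</DataType></ClaimType>'
             '<ClaimType Id="bearerToken"><DataType>string</DataType></ClaimType>')
    .replace(' DefaultValue="default token"', "")
    .replace('Type="ClaimEquals"', 'Type="ClaimsExist"')
    .replace("<Value>bearerToken</Value><Value>NOT_EMPTY</Value>", "<Value>bearerToken</Value>")
    .replace("Your_Client_Secret", "s3cr3t-rotated-at-deploy"))


def lint_policy(xml_text: str) -> list[str]:
    """Return human-readable findings for a policy given as XML text."""
    root = ET.fromstring(xml_text)
    findings: list[str] = []
    declared = {ct.get("Id") for ct in root.iterfind(".//cpim:ClaimType", NS)}

    for tp in root.iterfind(".//cpim:TechnicalProfile", NS):
        proto = tp.find("cpim:Protocol", NS)
        if proto is None or RESTFUL_HANDLER not in (proto.get("Handler") or ""):
            continue  # only RESTful profiles call out to a token endpoint
        tp_id = tp.get("Id")
        meta = {i.get("Key"): (i.text or "") for i in tp.iterfind("cpim:Metadata/cpim:Item", NS)}
        url = meta.get("ServiceUrl", "")
        if not url.startswith("https://"):
            findings.append(f"{tp_id}: ServiceUrl must use https, got {url!r}")
        if PLACEHOLDER.search(url):
            findings.append(f"{tp_id}: ServiceUrl still contains a placeholder")
        for ic in tp.iterfind("cpim:InputClaims/cpim:InputClaim", NS):
            ref, default = ic.get("ClaimTypeReferenceId", ""), ic.get("DefaultValue", "")
            if ref not in declared:
                findings.append(f"{tp_id}: InputClaim references undeclared ClaimType {ref!r}")
            if SECRET_LIKE.search(ref) and default and ic.get("AlwaysUseDefaultValue") == "true":
                findings.append(f"{tp_id}: {ref!r} is hard-coded in the policy file via DefaultValue")
            if PLACEHOLDER.search(default):
                findings.append(f"{tp_id}: DefaultValue of {ref!r} still contains a placeholder")
        for oc in tp.iterfind("cpim:OutputClaims/cpim:OutputClaim", NS):
            ref = oc.get("ClaimTypeReferenceId", "")
            if ref not in declared:
                findings.append(f"{tp_id}: OutputClaim references undeclared ClaimType {ref!r}")
            if oc.get("DefaultValue"):
                findings.append(f"{tp_id}: OutputClaim {ref!r} has a DefaultValue; a response without "
                                f"{oc.get('PartnerClaimType')!r} yields that literal instead of failing")

    for pc in root.iterfind(".//cpim:Precondition", NS):
        ptype = pc.get("Type")
        values = [v.text or "" for v in pc.iterfind("cpim:Value", NS)]
        if ptype not in VALID_PRECONDITIONS:
            findings.append(f"Precondition type {ptype!r} is not ClaimsExist or ClaimEquals")
            continue
        expected = 1 if ptype == "ClaimsExist" else 2   # ClaimEquals: claim type + literal
        if len(values) != expected:
            findings.append(f"{ptype} precondition needs {expected} Value element(s), found {len(values)}")
        if values and values[0] not in declared:
            findings.append(f"Precondition tests undeclared ClaimType {values[0]!r}")
    return findings


if __name__ == "__main__":
    for label, policy in (("as posted", SAMPLE_POLICY), ("fixed", FIXED_POLICY)):
        print(f"--- {label} ---")
        for line in lint_policy(policy) or ["no findings"]:
            print(" ", line)
```

Running it on the constructed fragment reports six findings; on the repaired variant only the hard-coded client_secret remains, which is the residual risk of this design: the policy XML must then be treated as a secret (kept out of public repositories, rotated with the credential) rather than as ordinary configuration.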

Posted by: Vamsi Krishna