Forum Discussion

vshiyani's avatar
vshiyani
Copper Contributor
Apr 21, 2022

does B2C custom policy supports self_signed_tls_client_auth for token_endpoint_auth_methods?

Hi, 

I am trying to configure the Azure b2c custom policy to connect to external OIDC (OAuth2) claim providers.

 

e.g. tinyurl.com/4nkc2xzx 

 

however, this claim provider only supports self_signed_tls_client_auth for token_endpoint_auth_methods. This means when b2c tries to exchange auth_code for a token, it has to use a mutual TLS connection. I couldn't find any documentation on it so leaving my question here for help. thank you in advance.

Azure AD B2C

1 Reply

Sort By
  • haelshab's avatar
    haelshab
    Icon for Microsoft rankMicrosoft
    Apr 26, 2022

    vshiyani 

    yes, this feature is in public preview.

     

    Customer can choose to set the following metadata parameters:

    • “token_endpoint_auth_method” metadata parameter to “private_key_jwt”.
    • “token_signing_algorithm” metadata parameter to “RS256” or “RS512”

    And then supply the following cryptographic key:

    • assertion_signing_key

     

    So the resulting Technical Profile would look something like this:

    <TechnicalProfile Id="MSA-OIDC">
    <DisplayName>Microsoft Account</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <Metadata>
    <Item Key="ProviderName">https://login.live.com</Item>
    <Item Key="response_types">code</Item>
    <Item Key="response_mode">form_post</Item>
    <Item Key="scope">openid profile email</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <Item Key="client_id">Your Microsoft application client ID</Item>
    <Item Key="token_endpoint_auth_method">private_key_jwt</Item>
    <Item Key="token_signing_algorithm">RS256</Item>
    </Metadata>
    <CryptographicKeys>
    <Key Id="assertion_signing_key" StorageReferenceId="B2C_1A_OIDCAssertionSigningKey" />
    </CryptographicKeys>
    <InputClaims>
    <InputClaim ClaimTypeReferenceId="domain_hint" DefaultValue="contoso.com" />
    </InputClaims>
    <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="live.com" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="email" />
    </OutputClaims>
    </TechnicalProfile>
     
    Needless to say, you also need to create a Key named OIDCAssertionSigningKey in IEF Policy Keys and make sure you use the corresponding algorithm.

Resources