Does B2C custom policy support self_signed_tls_client_auth for token_endpoint_auth_methods?



I am trying to configure the Azure B2C custom policy to connect to external OIDC (OAuth2) claim providers.




However, this claim provider only supports self_signed_tls_client_auth for token_endpoint_auth_methods. This means when B2C tries to exchange the auth_code for a token, it has to use a mutual TLS connection. I couldn't find any documentation on it, so I am leaving my question here for help. Thank you in advance.

1 Reply


Yes, this feature is in public preview.


Customers can choose to set the following metadata parameters:

  • “token_endpoint_auth_method” metadata parameter to “private_key_jwt”.
  • “token_signing_algorithm” metadata parameter to “RS256” or “RS512”.

And then supply the following cryptographic key:

  • assertion_signing_key


So the resulting Technical Profile would look something like this:

<TechnicalProfile Id="MSA-OIDC">
  <DisplayName>Microsoft Account</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <Metadata>
    <Item Key="ProviderName"></Item>
    <Item Key="response_types">code</Item>
    <Item Key="response_mode">form_post</Item>
    <Item Key="scope">openid profile email</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <Item Key="client_id">Your Microsoft application client ID</Item>
    <!-- Authenticate to the token endpoint with a signed JWT instead of a client secret -->
    <Item Key="token_endpoint_auth_method">private_key_jwt</Item>
    <!-- Must match the key type stored under assertion_signing_key -->
    <Item Key="token_signing_algorithm">RS256</Item>
  </Metadata>
  <CryptographicKeys>
    <!-- Policy key that signs the client assertion sent to the token endpoint -->
    <Key Id="assertion_signing_key" StorageReferenceId="B2C_1A_OIDCAssertionSigningKey" />
  </CryptographicKeys>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="domain_hint" DefaultValue="" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="email" />
  </OutputClaims>
</TechnicalProfile>

Needless to say, you also need to create a Key named OIDCAssertionSigningKey in IEF Policy Keys and make sure you use the corresponding algorithm.
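To make concrete what the private_key_jwt setting above actually puts on the wire, here is an added example (not code from the thread, from Azure AD B2C, or from Microsoft) that builds the client assertion a private_key_jwt client sends to the token endpoint and then performs the checks the token endpoint is expected to run on it. The client_id and token endpoint URL are constructed placeholders, the RSA key is generated on the fly, and the claim set (iss, sub, aud, jti, iat, exp) follows RFC 7523 section 3; B2C's own signing code is not public, so this only illustrates the mechanism, not B2C's implementation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ClientAssertionClaims is the JWT body of a private_key_jwt client assertion.
// iss and sub are both the client_id; aud is the token endpoint it is meant for.
type ClientAssertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"` // unique id so the endpoint can refuse replays
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion signs the claims with RS256 (the algorithm selected
// via token_signing_algorithm in the profile above) and returns a compact JWT.
func BuildClientAssertion(key *rsa.PrivateKey, claims ClientAssertionClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyClientAssertion is the token-endpoint side: pin the algorithm, check the
// signature against the client's registered public key, then check issuer,
// audience and expiry before trusting the assertion as client authentication.
func VerifyClientAssertion(pub *rsa.PublicKey, token, clientID, tokenEndpoint string, now time.Time) (*ClientAssertionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unreadable header or algorithm other than RS256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c ClientAssertionClaims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if c.Iss != clientID || c.Sub != clientID {
		return nil, errors.New("assertion not issued by the expected client")
	}
	if c.Aud != tokenEndpoint {
		return nil, errors.New("assertion audience is not this token endpoint")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("assertion expired")
	}
	return &c, nil
}

func main() {
	// Constructed placeholders; a real deployment uses the registered client_id
	// and the provider's published token_endpoint.
	const clientID, tokenEndpoint = "b2c-client-placeholder", "https://idp.example/oauth2/token"
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	claims := ClientAssertionClaims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Jti: "demo-jti-1", Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()}
	tok, err := BuildClientAssertion(key, claims)
	if err != nil {
		panic(err)
	}
	fmt.Println("client_assertion:", tok[:40]+"...")
	if _, err := VerifyClientAssertion(&key.PublicKey, tok, clientID, tokenEndpoint, now); err != nil {
		panic(err)
	}
	fmt.Println("assertion accepted by token endpoint checks")
}
```

The assertion travels in the token request as client_assertion together with client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer; the private key never leaves the client, which is why only the public half has to be registered with the provider, and why the policy key referenced by assertion_signing_key must be of the type the selected algorithm expects.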