Microsoft Tech Community

Does B2C custom policy support self_signed_tls_client_auth for token_endpoint_auth_methods?


Hi, 

I am trying to configure an Azure B2C custom policy to connect to external OIDC (OAuth2) claims providers.

 

e.g. tinyurl.com/4nkc2xzx 

 

However, this claims provider only supports self_signed_tls_client_auth for token_endpoint_auth_methods. This means that when B2C tries to exchange the auth code for a token, it has to use a mutual TLS connection. I couldn't find any documentation on it, so I'm leaving my question here for help. Thank you in advance.


@vshiyani 

Yes, this feature is in public preview.

 

Customers can choose to set the following metadata parameters:

  • "token_endpoint_auth_method" metadata parameter to "private_key_jwt".
  • "token_signing_algorithm" metadata parameter to "RS256" or "RS512".

And then supply the following cryptographic key:

  • assertion_signing_key

 

So the resulting Technical Profile would look something like this:

<TechnicalProfile Id="MSA-OIDC">
  <DisplayName>Microsoft Account</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <Metadata>
    <Item Key="ProviderName">https://login.live.com</Item>
    <Item Key="response_types">code</Item>
    <Item Key="response_mode">form_post</Item>
    <Item Key="scope">openid profile email</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <Item Key="client_id">Your Microsoft application client ID</Item>
    <!-- Client authentication at the token endpoint: a signed JWT assertion instead of a client secret -->
    <Item Key="token_endpoint_auth_method">private_key_jwt</Item>
    <!-- Must match the key type of the policy key referenced below -->
    <Item Key="token_signing_algorithm">RS256</Item>
  </Metadata>
  <CryptographicKeys>
    <!-- Policy key whose private half signs the client assertion -->
    <Key Id="assertion_signing_key" StorageReferenceId="B2C_1A_OIDCAssertionSigningKey" />
  </CryptographicKeys>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="domain_hint" DefaultValue="contoso.com" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="live.com" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="email" />
  </OutputClaims>
</TechnicalProfile>
 
Needless to say, you also need to create a key named OIDCAssertionSigningKey in IEF Policy Keys and make sure you use the corresponding algorithm.
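What private_key_jwt actually puts on the wire during the code exchange, and what the external claims provider checks when it receives it, as an added example that is not code from this thread or from Microsoft: the client side builds the signed assertion that takes the place of a client secret, and the IdP side verifies it. The client ID, the token endpoint at idp.example.com and the contoso tenant in the redirect URI are assumed values for illustration, and the RSA key generated in main stands in for the B2C_1A_OIDCAssertionSigningKey policy key. It goes slightly beyond the reply by covering both RS256 and RS512 and by showing the verifier rejecting the common failure cases (wrong key, alg=none, wrong aud, expired).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA-256 and SHA-512 for crypto.Hash.New
	_ "crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Both values are assumed for this example; they are not from the original post.
const exampleClientID = "b2c-app-client-id"
const exampleTokenEndpoint = "https://idp.example.com/oauth2/token"

// Only the token_signing_algorithm values the reply lists; "none", HS256 and the rest are refused on both sides.
var hashes = map[string]crypto.Hash{"RS256": crypto.SHA256, "RS512": crypto.SHA512}

// AssertionClaims is the private_key_jwt claim set (RFC 7523): iss and sub are the client_id, aud the token endpoint.
type AssertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func digest(h crypto.Hash, s string) []byte { hh := h.New(); hh.Write([]byte(s)); return hh.Sum(nil) }

func decodePart(part string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(part)
	if err == nil {
		err = json.Unmarshal(raw, v)
	}
	return err
}

// BuildClientAssertion is the client (B2C) side: a short-lived JWT signed with the assertion signing key.
func BuildClientAssertion(key *rsa.PrivateKey, alg, clientID, tokenEndpoint string, now time.Time) (string, error) {
	h, ok := hashes[alg]
	if !ok {
		return "", fmt.Errorf("unsupported alg %q", alg)
	}
	jti := make([]byte, 16) // fresh per assertion so the IdP can reject replays
	rand.Read(jti)
	header, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	claims, _ := json.Marshal(AssertionClaims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Jti: b64url(jti), Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()})
	input := b64url(header) + "." + b64url(claims)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, h, digest(h, input))
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// TokenRequestBody is the form the code exchange POSTs; client_assertion stands in for client_secret.
func TokenRequestBody(code, redirectURI, assertion string) string {
	return url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURI},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion}}.Encode()
}

// VerifyClientAssertion is the IdP side: pin the alg, verify against the registered key, then check the claims.
func VerifyClientAssertion(pub *rsa.PublicKey, assertion, clientID, tokenEndpoint string, now time.Time) (*AssertionClaims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed assertion")
	}
	var header struct{ Alg string `json:"alg"` }
	err := decodePart(parts[0], &header)
	h, ok := hashes[header.Alg] // the token's own header never gets to choose "none" or an HMAC alg
	if err != nil || !ok {
		return nil, fmt.Errorf("bad or unsupported alg %q", header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, h, digest(h, parts[0]+"."+parts[1]), sig) != nil {
		return nil, fmt.Errorf("signature does not verify with the registered key")
	}
	var c AssertionClaims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != clientID || c.Sub != clientID || c.Aud != tokenEndpoint || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("rejected: iss/sub must be the client_id, aud this endpoint, exp in the future")
	}
	return &c, nil
}

func main() { // prints the form body B2C would POST to the token endpoint
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for B2C_1A_OIDCAssertionSigningKey
	a, _ := BuildClientAssertion(key, "RS256", exampleClientID, exampleTokenEndpoint, time.Now())
	fmt.Println(TokenRequestBody("constructed-auth-code", "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp", a))
}
```

Run it with go run; the printed form is the body of the token request. Note that this is a different client authentication method from the self_signed_tls_client_auth the question asks about: private_key_jwt (RFC 7523) proves possession of the key by signing an assertion carried in the request body, while self_signed_tls_client_auth (RFC 8705) proves it in the TLS handshake with a client certificate. A token endpoint that advertises only self_signed_tls_client_auth in token_endpoint_auth_methods_supported will reject a client_assertion, so check the provider's discovery metadata before picking the metadata value.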