@vshiyani
yes, this feature is in public preview.
Customer can choose to set the following metadata parameters:
- “token_endpoint_auth_method” metadata parameter to “private_key_jwt”.
- “token_signing_algorithm” metadata parameter to “RS256” or “RS512”
And then supply the following cryptographic key:
So the resulting Technical Profile would look something like this:
<TechnicalProfile Id="MSA-OIDC">
<DisplayName>Microsoft Account</DisplayName>
<Protocol Name="OpenIdConnect" />
<Metadata>
<Item Key="response_types">code</Item>
<Item Key="response_mode">form_post</Item>
<Item Key="scope">openid profile email</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="client_id">Your Microsoft application client ID</Item>
<Item Key="token_endpoint_auth_method">private_key_jwt</Item>
<Item Key="token_signing_algorithm">RS256</Item>
</Metadata>
<CryptographicKeys>
<Key Id="assertion_signing_key" StorageReferenceId="B2C_1A_OIDCAssertionSigningKey" />
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="domain_hint" DefaultValue="contoso.com" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="live.com" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="email" />
</OutputClaims>
</TechnicalProfile>
Needless to say, you also need to create a Key named OIDCAssertionSigningKey in IEF Policy Keys and make sure you use the corresponding algorithm.