How do I force Azure Active Directory authentication to issue an id_token with updated claims?

We use Azure B2C to authenticate our users, which is working fine. After registration, we add some user claims to our users, which were defined in the B2C portal as "User attributes", using the Graph API. When I look in the portal, I see that these values were set by our calls, as well as some standard claim values (for example, we also set the display name by combining the givenName and lastName values).

The problem is that after these values are set, they do not appear in the token obtained by sending the access token to the authentication endpoint until the user logs out and logs in again (which is obviously a pretty terrible user experience after registration). It looks like the original id_token is cached when the user is created, and that is what is returned.

This does not make sense, since it seems perfectly reasonable to allow a user to update their profile (claim values) while signed in to the application and to have those changes reflected immediately without re-authenticating.

Can someone explain how, or whether, it is possible to force the cached id_token on the server to expire, so that when an id_token is requested using the access token it contains the latest claim values?

+6
2 answers

So, after almost a month of waiting for an answer, the official line is:

"The product group has confirmed that this is on the roadmap, although we still do not have a final date for when it will happen in the coming months."

So basically they did not acknowledge it as a bug, and they cannot say when this scenario will be supported. Decent level of support, to be honest.

+1

The problem is that after these values are set, they do not appear in the token obtained by sending the access token to the authentication endpoint until the user logs out and logs in again (which is obviously a pretty terrible user experience after registration).

Could you give us the details of the request you use to get the id_token?

Based on my test, I can get an id_token with an updated claim, as shown below:

1. Sign in to the web application.

2. Update the displayName using the Azure AD Graph API as shown below (updating an existing user is a PATCH against the user object; a bearer token with write permission on the directory is required):

    PATCH https://graph.windows.net/xxxx.onmicrosoft.com/users/{userId}?api-version=1.6
    Authorization: Bearer {access_token}
    Content-Type: application/json

    { "displayName": "newValue" }

3. Re-request the id_token from the OAuth 2.0 authorization endpoint using an HTTP request without a login prompt (you can also capture the exact request with Fiddler while signing in to the application):

    GET https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/authorize?client_id={clientId}&redirect_uri={redirectURL}&response_type=id_token&scope=email+openid&response_mode=query&nonce=HWUavSky1PksCJC5Q0xHsw%3d%3d&nux=1&nca=1&domain_hint={XXXX.onmicrosoft.com}

4. The updated claim value appears in the new id_token, as expected.

To narrow down this problem, check whether your application itself caches the id_token.

+4
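The four-step check from the answer above, written out as an added example; this is not code from the answer, the question, or Microsoft, and it runs offline. It assumes the placeholder tenant xxxx.onmicrosoft.com and client id {clientId} from the answer, a hypothetical redirect URI https://localhost/signin-oidc, the documented prompt=none parameter in place of the undocumented nux=1&nca=1 pair the answer captured, response_mode=form_post so the id_token never lands in a URL or server log, and constructed unsigned sample tokens (alg=none) standing in for the real RS256-signed id_tokens. The part worth copying is the final check: a fresh nonce per re-request, compared against the nonce claim in the token, is what tells a newly issued id_token apart from a replay of the one cached at login, and only after that does a claim-by-claim comparison say whether the values are stale.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

GRAPH_BASE = "https://graph.windows.net"
LOGIN_BASE = "https://login.microsoftonline.com"


def build_user_update(tenant, user_id, new_display_name, access_token):
    """Step 2: describe the Azure AD Graph 'update user' call (api-version=1.6).

    Updating an existing user is a PATCH against /users/{id} with a JSON body
    holding only the attributes to change. Returns a plain dict so it can be
    inspected offline or handed to any HTTP client.
    """
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BASE}/{tenant}/users/{user_id}?api-version=1.6",
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps({"displayName": new_display_name}),
    }


def build_silent_authorize_url(tenant, client_id, redirect_uri, nonce=None):
    """Step 3: build the re-request for a new id_token from the authorize endpoint.

    prompt=none asks the endpoint to reuse the existing browser session instead
    of showing a login page (assumption: stands in for the nux/nca pair in the
    captured request). A fresh nonce is minted per request so the caller can
    later tell a freshly issued token from a replayed one.
    """
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "id_token",
        "scope": "openid email",
        "response_mode": "form_post",  # keeps the id_token out of URLs and logs
        "nonce": nonce,
        "prompt": "none",
        "domain_hint": tenant,
    }
    return f"{LOGIN_BASE}/{tenant}/oauth2/authorize?{urlencode(params)}", nonce


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token_claims(id_token):
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    Good enough to see which claim values a token carries; a relying party must
    validate the signature against the tenant's JWKS, plus iss/aud/exp, before
    trusting any claim.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_refreshed_claims(claims, expected_nonce, expected_claims, audience, now=None):
    """Step 4: decide whether the re-requested id_token really reflects the update.

    Returns (ok, reason). The nonce check proves the token was issued for this
    request rather than replayed from the earlier login; the claim comparison
    is the actual test for stale values.
    """
    now = time.time() if now is None else now
    if claims.get("aud") != audience:
        return False, "audience mismatch"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch: token was not issued for this request"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    for name, wanted in expected_claims.items():
        if claims.get(name) != wanted:
            return False, f"stale claim {name}: {claims.get(name)!r} != {wanted!r}"
    return True, "ok"


def make_unsigned_jwt(claims):
    """Constructed sample token (alg=none, empty signature) for offline demonstration.

    A real Azure AD id_token is RS256-signed; this helper exists only so the
    checks above can be exercised without a tenant.
    """
    header = base64.urlsafe_b64encode(json.dumps({"alg": "none"}).encode()).rstrip(b"=")
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return f"{header.decode()}.{payload.decode()}."


if __name__ == "__main__":
    tenant, client_id = "xxxx.onmicrosoft.com", "{clientId}"  # placeholders from the answer
    print(build_user_update(tenant, "user-object-id", "newValue", "<access_token>")["url"])
    url, nonce = build_silent_authorize_url(tenant, client_id, "https://localhost/signin-oidc")
    print(url)
    # Constructed tokens: the one cached at the original login and the one re-requested.
    far_future = 4102444800
    cached = make_unsigned_jwt({"aud": client_id, "nonce": "old", "exp": far_future, "name": "oldValue"})
    fresh = make_unsigned_jwt({"aud": client_id, "nonce": nonce, "exp": far_future, "name": "newValue"})
    for token in (cached, fresh):
        print(check_refreshed_claims(decode_id_token_claims(token), nonce, {"name": "newValue"}, client_id))
```

The display name set through the Graph API surfaces in the id_token as the `name` claim, which is why the check compares that claim rather than `displayName`. If the fresh token fails with a nonce mismatch, the stale value is coming from a cache in front of the authorize endpoint (typically the application's own session store), not from the directory.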

Source: https://habr.com/ru/post/1012206/