
Azure AD B2C Access token claims do not update after refreshing token

We are using Azure AD B2C with our application. We authorize the user using the API

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?client_id=<client-id-uuid>
&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Findex.html
&scope=openid%20offline_access%20https%3A%2F%2F{tenant}.onmicrosoft.com%2F<client-id-uuid>%2FUser.all
&response_type=code&prompt=login

Using the above we fetch the authorization_code.

This auth code is then used to authenticate the user with the application and fetch the access_token, refresh_token and id_token using

POST /{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token HTTP/1.1
Host: {tenant}.b2clogin.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=authorization_code&code={auth code received in previous step}
&scope=openid%20offline_access%20https%3A%2F%2F{tenant}.onmicrosoft.com%2F<client-id-uuid>%2FUser.all
&client_id={client id}&redirect_uri=localhost%253A4200%252Flogin.html%3A

After authentication the token is used for accessing various endpoints and Azure Functions. In the process we need user attributes like email, display_name, country, etc. that the user entered while signing up. Along with the default attributes we have some custom attributes like team_name which are specific to our web application use case. These attributes change over time.

For example, a person may switch teams, so we modify that in the user attributes using the Graph APIs. In that case the attribute team_name = 'Team ABC' now changes to team_name = 'Team XYZ'.

But after the attributes are changed, the new values are not reflected in the access_token / refresh_token or id_token. Is there a way we can get the refreshed values in the tokens without re-authorizing the user?

Currently we fetch the user attributes from the Graph APIs, but it's faster and more convenient if we get the refreshed values in the token.
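The authorize-and-exchange flow described in the question, as an added example (not code from the question or from Azure AD B2C documentation). It builds the authorize URL and the token-endpoint bodies with a single round of URL encoding, uses the same redirect_uri in both requests (the server must see the same value in the code exchange as in the authorization request), binds the response to a random `state`, and adds PKCE (RFC 7636), which B2C supports for public clients. Tenant, policy, client id and redirect URI are placeholders, not the values from the post.

```python
# Added example: Azure AD B2C authorization-code request/exchange builder with
# state and PKCE. Placeholder tenant/policy/client id; nothing here is taken
# from the original post.
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

TENANT = "contoso"                                   # assumed placeholder
POLICY = "B2C_1_signupsignin"                        # assumed placeholder
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # assumed placeholder
REDIRECT_URI = "http://localhost:4200/index.html"    # must match in both requests
SCOPE = f"openid offline_access https://{TENANT}.onmicrosoft.com/{CLIENT_ID}/User.all"
BASE = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/oauth2/v2.0"


def b64url(raw: bytes) -> str:
    """base64url without padding, as PKCE and JWTs use it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_verifier() -> str:
    """43-character verifier from 32 random bytes (within RFC 7636 length limits)."""
    return b64url(secrets.token_bytes(32))


def build_authorize_url(state: str, nonce: str, code_verifier: str) -> str:
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,      # urlencode encodes this exactly once
        "scope": SCOPE,
        "state": state,                    # checked on return to stop CSRF/session mix-up
        "nonce": nonce,                    # should be checked against the id_token's nonce claim
        "prompt": "login",
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{BASE}/authorize?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Extract the code from the redirect, refusing responses whose state does not match."""
    q = parse_qs(urlsplit(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]


def token_request_body(code: str, code_verifier: str) -> str:
    """Form body for grant_type=authorization_code (POST to BASE + '/token')."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "code_verifier": code_verifier,    # proves the same client started the flow
    })


def refresh_request_body(refresh_token: str) -> str:
    """Form body for grant_type=refresh_token (same token endpoint)."""
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "refresh_token": refresh_token,
        "scope": SCOPE,
    })


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier = new_pkce_verifier()
    print(build_authorize_url(state, nonce, verifier))
    # Constructed redirect, as the browser would deliver it after sign-in.
    code = parse_redirect(f"{REDIRECT_URI}?code=AUTHCODE123&state={state}", state)
    print(token_request_body(code, verifier))
```

Note that `urlencode` produces `redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Findex.html`; encoding the value a second time before handing it to the client library yields `%253A`/`%252F`, which the server will compare as a different URI.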

Custom policy doesn't have a mechanism publicly documented to get new access token claims in the refresh token flow. So what you have observed is expected.
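A consequence of the answer above, shown as an added example (not code from the question, the answer, or Azure AD B2C): a refreshed token carries a new `iat` but the claim values from the original sign-in, so "is `iat` older than my last Graph update?" is the wrong freshness test. The client should instead remember when the interactive sign-in happened and, for any attribute changed in the directory after that moment, read the value from Graph rather than from the token. The tokens below are constructed with a fake signature, and the claim name `extension_team_name` is an assumption; the decoder reads claims without verifying the signature, which is fine for inspecting timestamps but never a basis for an authorization decision.

```python
# Added example: why iat is not a freshness signal for B2C claims after a
# refresh, and how a client can fall back to the directory value. Tokens and
# the claim name "extension_team_name" are constructed/assumed, not from the post.
import base64
import json


def b64url_decode(s: str) -> bytes:
    """base64url decode, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def unverified_claims(jwt: str) -> dict:
    """Read the payload only. The signature is NOT checked here: use this to look
    at iat/exp, never to make an access-control decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def make_fake_token(claims: dict) -> str:
    """Constructed token for offline demonstration; the signature is not real."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.not-a-real-signature"


def iat_based_is_stale(claims: dict, directory_changed_at: int) -> bool:
    """Tempting but wrong: a refresh re-issues the same claims with a fresh iat."""
    return claims["iat"] < directory_changed_at


def attribute_value(claims: dict, name: str, session_auth_time: int,
                    directory_changed_at: int, directory: dict):
    """Claims from this session reflect the directory as of the interactive
    sign-in (session_auth_time, recorded by the client when it exchanged the
    code). If the attribute changed after that, the token value is stale for
    every token in the session, refreshed ones included, so use the directory."""
    if directory_changed_at > session_auth_time:
        return directory[name]
    return claims[name]


# Constructed scenario: sign-in, team changed via Graph 30 min later, token
# refreshed 30 min after that.
SIGNED_IN_AT = 1_700_000_000
TEAM_CHANGED_AT = SIGNED_IN_AT + 1800
REFRESHED_AT = SIGNED_IN_AT + 3600

original_token = make_fake_token({
    "iat": SIGNED_IN_AT, "exp": SIGNED_IN_AT + 3600,
    "sub": "user-1", "extension_team_name": "Team ABC",
})
# Same claim values, newer iat: this is what the answer says to expect.
refreshed_token = make_fake_token({
    "iat": REFRESHED_AT, "exp": REFRESHED_AT + 3600,
    "sub": "user-1", "extension_team_name": "Team ABC",
})
# What a Graph read of the user object would return after the change (constructed).
directory_now = {"extension_team_name": "Team XYZ"}


if __name__ == "__main__":
    c = unverified_claims(refreshed_token)
    print("iat-based check says stale:", iat_based_is_stale(c, TEAM_CHANGED_AT))
    print("token claim:", c["extension_team_name"])
    print("effective value:", attribute_value(
        c, "extension_team_name", SIGNED_IN_AT, TEAM_CHANGED_AT, directory_now))
```

In practice the client stores `session_auth_time` alongside the refresh token, and the service that writes the attribute through Graph records the change time, so the comparison can be made without an extra Graph round trip on every request.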

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM