AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License
1.39k stars, 341 forks

Azure AD B2C Application Claim is not processed unless it is also a User Attribute #3978

Closed gregoryagu closed 1 year ago

gregoryagu commented 1 year ago

Forgive me if this is not the right place to report this issue, but I have not found a better place.

The issue in a nutshell: I cannot get a "Custom Application Claim" to work correctly, unless I also make it a "User Attribute". The problem with this is that when it is also a "User Attribute", it shows up on the UI for the user to enter a value. However, this is not something that the End User should know about, or be able to change during signup (it's just a link to the user on our database, an ApplicationUserId).

Steps to reproduce:

  1. Create an Azure AD B2C directory.
  2. Under "User Attributes" create a custom attribute of "AppUserId"
  3. Create an API connector called "ValidateRegistration"
  4. In the default user flow, go to Application Claims and check the AppUserId custom Attribute and save it.
  5. Go to the UserFlow "B2C_1_susi"
  6. Select Application Claims, and select the AppUserId.
  7. Go to the API Connectors of the User Flow and in "Before creating the user" select ValidateRegistration. It's now been set up. The Webhook will return a custom claim of "extension_appUserId" with a value of 42 to Azure B2C. Azure B2C should then accept this value, and save it to the user profile. But it does not, and it does not get returned as a claim on signin.
  8. The workaround: In the user workflow, go to User Attributes. Select AppUserId and Save. Now run the workflow to Register a new user. The AppUserId will show up in the registration Dialog. When the user is processed, the webhook will be called, and AppUserId will be returned and correctly saved to the Profile, and it will be returned as a claim.

But I don't want the user to see or modify the link back to the user in our system. Gaping security hole.

  9. Now, turn off the User Attribute and save. And try the workflow again after giving AD time to update. You will find that the custom claim is no longer working.

I have tested this over and over, and consistently get the same result.

Let me know if there is something I am doing wrong, but I have read the docs very carefully several times over to ensure all my ducks line up in a row.
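For readers following the steps above, here is an added example of what the "ValidateRegistration" API connector endpoint at step 7 does when it receives the "Before creating the user" call. This is illustrative code written for this page, not code from the issue's author or from the MSAL.NET project. The request and response shapes follow the B2C API connector contract (version "1.0.0", actions Continue and ValidationError); the Basic auth credentials, the in-memory user table and the claim name `extension_appUserId` (spelled as in the issue) are assumptions. The security-relevant point is that the connector authenticates the caller and assigns the application user id itself, discarding anything the sign-up form might have submitted for that attribute when the workaround of also making it a User Attribute is in place.

```python
"""Toy Azure AD B2C API connector for the "Before creating the user" step.

Constructed example: request/response shapes follow B2C's API connector
contract (version "1.0.0"; actions Continue / ValidationError). The
credentials, user store and claim name are assumptions for illustration.
"""
import base64
import hmac

CONNECTOR_USER = "b2c-connector"           # constructed; B2C sends these as HTTP Basic auth
CONNECTOR_PASSWORD = "constructed-secret"  # in real deployments, load from configuration
APP_USER_ID_CLAIM = "extension_appUserId"  # custom attribute, named as in the issue

_app_users = {"alice@example.com": 42}     # constructed stand-in for the app's user table
_next_app_user_id = [43]


def make_basic_auth_header(user, password):
    """Build the Authorization header value B2C is configured to send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def _basic_auth_ok(auth_header):
    """Constant-time check of the connector's Basic auth credentials."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(auth_header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = raw.partition(":")
    if not sep:
        return False
    return (hmac.compare_digest(user.encode(), CONNECTOR_USER.encode())
            and hmac.compare_digest(password.encode(), CONNECTOR_PASSWORD.encode()))


def _assign_app_user_id(email):
    """Look up or create the application-side id; the end user never chooses it."""
    if email not in _app_users:
        _app_users[email] = _next_app_user_id[0]
        _next_app_user_id[0] += 1
    return _app_users[email]


def handle_before_create(body, auth_header):
    """Handle one connector call. Returns (http_status, response_json)."""
    if not _basic_auth_ok(auth_header):
        return 401, {"error": "unauthorized"}

    email = (body.get("email") or "").strip().lower()
    if not email or "@" not in email:
        # ValidationError is rendered inline on the sign-up page; HTTP 400 is required.
        return 400, {
            "version": "1.0.0",
            "action": "ValidationError",
            "status": 400,
            "userMessage": "A valid email address is required.",
        }

    # Whatever the sign-up form submitted for the custom attribute (possible when
    # it is also collected as a User Attribute) is ignored; the value is server-assigned.
    app_user_id = _assign_app_user_id(email)

    return 200, {
        "version": "1.0.0",
        "action": "Continue",
        APP_USER_ID_CLAIM: str(app_user_id),
    }
```

The returned claim is sent as a string because B2C custom attributes created in the portal are typed as strings; a client-supplied `extension_appUserId` in the incoming body is never read, so even with the workaround in place the user cannot pick their own link into the application database.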

gregoryagu commented 1 year ago

Another interesting note is that if "Display Name" is checked as a User Attribute, then AD gets populated with the username as the default Display Name (if the user does not enter anything).

But if it is not checked, the default Display Name becomes "Unknown", and is passed as null.

The desired behavior would be that the Display Name is set to the username as the default. "Unknown" does not make a good default name.

gladjohn commented 1 year ago

Hi @gregoryagu, I do not see a GitHub issue page for B2C. Suggest adding the question here https://learn.microsoft.com/en-us/answers/questions/ for Azure B2C