B2C Custom Policy with TP OpenId Connect - IdTokenAudience - MultiApple scenario

Question

I have a custom policy with an OpenId Connect Technical Profile calling authorize and token endpoints from metadata Items to my custom API middleware which is used to redirect to Apple authenticathion endpoint/website so i can handle a multiApple solution within my custom Policy trying to Ignore client_id and IdTokenAudience. Microsoft documentation states:

But unfortunatelly the documentation is wrong and the TokenAudience is always validated after get sucessfully the Apple token and return the flow to B2C through the redirect_uri configured in Apple console for that clientId that I am able to pass through the Authorize endpoint in my API.

Can some B2C expert shed some light about ignore the IdTokenAudience in an OpenId Connect TP inside a Custom Policy?

Microsoft Reference document:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect-technical-profile

Thanks in advance!

Answer 1

Ok, i will answer my question. As stated by @Jas you cannot get rid of client_id because of security validations. So if someone is trying to implement such scenario, i will explain my approach:

1. Create a Technical Profile like this with client_id="myaudience" and use METADATA item to point to your custom OIDC microservice metadata. A B2C app clientId (B2C URL clientId) must be passed as input claim to handle diferent Apple client_id's depending on registered App:

     <TechnicalProfile Id="AppleID">
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="METADATA">https://xxxxxxxx.ngrok.io/metadata?provider=apple</Item>
        <Item Key="HttpBinding">POST</Item> 
        <Item Key="response_types">code</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="client_id">myaudience</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_MultiIDP" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="groupId" />
        <InputClaim ClaimTypeReferenceId="appId" PartnerClaimType="clientId" DefaultValue="{OIDC:ClientId}" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="preferred_username" />
        <OutputClaim ClaimTypeReferenceId="displayName" DefaultValue="Apple user" />
        <OutputClaim ClaimTypeReferenceId="picture" PartnerClaimType="picture" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="apple.com" AlwaysUseDefaultValue="true" />
      </OutputClaims>
    </TechnicalProfile>
   

2. Your custom multi-IDP microservice will capture in the /authorize endpoint via queryString the clientId and should retrieve from a storage the Apple client_id, teamId, redirect_uri (same than Apple console), KeyId and Issuer corresponding to it.

3. your /authorize should redirect to the Apple authentication page and will prompt for your credentials.

4. After enter credentials and click on "continue" button your /token endpoint should be fired, at this point you need to retrieve the .p8 secret (Private Key) from a Key Vault to generate the token to be used with the code in the /token body. The client_id, client_secret and keyId should be overrided with your custom stored data.

5. After craft the token and build the data to send to Apple /token endpoint, retrieve the Apple final token with its access_token, id_token, refresh_token ..

6. At this point you need to return all this data to B2C but the audience will fail, so you need to recraft a new id_token before passing the control to B2C through the configured redirect_uri, also you can move the Claims coming from Apple to the new forged token. The secret key used to sign the new token must be configured before as a Policy Key (signature) in your B2C Identity Experience Framewrok. Refer to this doc for more info: https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect-technical-profile This secret is referenced as cryptographickey in the Technical Profile above as: B2C_1A_MultiIDP

7. Return the data from your microservice /token endpoint to B2C:

Thats all! Happy coding!

Answer 2

It’s being used as an override.

When this metadata item is not present, we make sure the audience matches the expected audience, client_id.

When it is specified, we make sure the aud claim matches what you state in the metadata item.

This never allows the verification to be turned off.