articles/active-directory-b2c/id-token-hint.md
Lines changed: 10 additions & 10 deletions
@@ -14,25 +14,25 @@ ms.author: kengaderdus
14
14
ms.subservice: b2c
15
15
16
16
17
-
#Customer intent: As a developer integrating Azure AD B2C with a relying party application, I want to define an ID token hint technical profile, so that I can send a JWT token with a hint about the user or the authorization request. This allows me to validate the token and extract the claims for further processing.
17
+
#Customer intent: As a developer integrating Azure AD B2C with a relying party application, I want to define an ID token hint technical profile, so that I can send a JWT with a hint about the user or the authorization request. This allows me to validate the token and extract the claims for further processing.
18
18
19
19
---
20
20
21
21
# Define an ID token hint technical profile in an Azure Active Directory B2C custom policy
22
22
23
-
Azure AD B2C allows relying party applications to send an inbound JWT as part of the OAuth2 authorization request. The JWT token can be issued by a relying party application or an identity provider, and it can pass a hint about the user or the authorization request. Azure AD B2C validates the signature, issuer name, and token audience, and extracts the claim from the inbound token.
23
+
Azure AD B2C allows relying party applications to send an inbound JWT as part of the OAuth2 authorization request. The JWT can be issued by a relying party application or an identity provider, and it can pass a hint about the user or the authorization request. Azure AD B2C validates the signature, issuer name, and token audience, and extracts the claim from the inbound token.
24
24
25
25
## Use cases
26
26
27
-
You can use this solution to send data to Azure AD B2C encapsulated in a single JWT token. The [`Signup with email invitation` solution](https://github.com/azure-ad-b2c/samples/blob/master/policies/invite/README.md), where your system admin can send a signed invite to users, is based on id_token_hint. Only users with access to the invite email can create the account in the directory.
27
+
You can use this solution to send data to Azure AD B2C encapsulated in a single JWT. The [`Signup with email invitation` solution](https://github.com/azure-ad-b2c/samples/blob/master/policies/invite/README.md), where your system admin can send a signed invite to users, is based on id_token_hint. Only users with access to the invite email can create the account in the directory.
28
28
29
29
## Token signing approach
30
30
31
31
With id_token_hint, the token issuer (a relying party app or an identity provider) composes the token, and then signs it by using a signing key to prove the token comes from a trusted source. The signing key can be symmetric or asymmetric. Symmetric cryptography, or private key cryptography, uses a shared secret to both sign and validate the signature. Asymmetric cryptography, or public key cryptography, is a cryptographic system that uses both a private key and a public key. The private key is known only to the token issuer and is used to sign the token. The public key is shared with the Azure AD B2C policy to validate the signature of the token.
32
32
33
33
## Token format
34
34
35
-
The id_token_hint must be a valid JWT token. The following table lists the claims that are mandatory. Additional claims are optional.
35
+
The id_token_hint must be a valid JWT. The following table lists the claims that are mandatory. Additional claims are optional.
36
36
37
37
| Name | Claim | Example value | Description |
38
38
| ---- | ----- | ------------- | ----------- |
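Review bot: the unchanged context at line 31 of this hunk calls symmetric cryptography "private key cryptography", which collides with the "private key" that the next two sentences reserve for the asymmetric signing key; "secret-key (shared-secret) cryptography" keeps the two schemes distinct for the reader who is choosing a signing approach. Separately, the reworded line 23 still says Azure AD B2C "extracts the claim from the inbound token" while line 35 of the same hunk talks about the mandatory "claims" in the plural; "extracts the claims" would match.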
@@ -76,24 +76,24 @@ The technical profile is called from an orchestration step with type of `GetClai
76
76
77
77
## Output claims
78
78
79
-
The **OutputClaims** element contains a list of claims to be extracted from the JWT token. You may need to map the name of the claim defined in your policy to the name defined in the JWT token. You can also include claims that aren't returned by the JWT token, as long as you set the `DefaultValue` attribute.
79
+
The **OutputClaims** element contains a list of claims to be extracted from the JWT. You may need to map the name of the claim defined in your policy to the name defined in the JWT. You can also include claims that aren't returned by the JWT, as long as you set the `DefaultValue` attribute.
80
80
81
81
## Metadata
82
82
83
83
The following metadata is relevant when using symmetric key.
84
84
85
85
| Attribute | Required | Description |
86
86
| --------- | -------- | ----------- |
87
-
| issuer | Yes | Identifies the security token service (token issuer). This value must be identical to the `iss` claim within the JWT token claim. |
88
-
| IdTokenAudience | Yes | Identifies the intended recipient of the token. Must be identical to the `aud` claim within the JWT token claim. |
87
+
| issuer | Yes | Identifies the security token service (token issuer). This value must be identical to the `iss` claim within the JWT claim. |
88
+
| IdTokenAudience | Yes | Identifies the intended recipient of the token. Must be identical to the `aud` claim within the JWT claim. |
89
89
90
90
The following metadata is relevant when using an asymmetric key.
91
91
92
92
| Attribute | Required | Description |
93
93
| --------- | -------- | ----------- |
94
94
| METADATA| Yes | A URL that points to a token issuer configuration document, which is also known as an OpenID well-known configuration endpoint. |
95
-
| issuer | No | Identifies the security token service (token issuer). This value can be used to overwrite the value configured in the metadata, and must be identical to the `iss` claim within the JWT token claim. |
96
-
| IdTokenAudience | No | Identifies the intended recipient of the token. Must be identical to the `aud` claim within the JWT token claim. |
95
+
| issuer | No | Identifies the security token service (token issuer). This value can be used to overwrite the value configured in the metadata, and must be identical to the `iss` claim within the JWT claim. |
96
+
| IdTokenAudience | No | Identifies the intended recipient of the token. Must be identical to the `aud` claim within the JWT claim. |
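Review bot: dropping "token" from "JWT token claim" in the four metadata rows (lines 87-88 and 95-96) leaves "within the JWT claim", which is still redundant; the comparison is against the `iss` and `aud` claims of the JWT, so "must be identical to the `iss` claim within the JWT" / "the `aud` claim within the JWT" reads correctly. Also worth fixing while these rows are being touched: the asymmetric-key table marks both `issuer` and `IdTokenAudience` as not required, yet line 23 states that Azure AD B2C validates the issuer name and token audience; the descriptions should say what the `iss` and `aud` claims are checked against when those attributes are omitted (for example, the issuer from the METADATA document), so that a policy author does not assume audience validation is skipped.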