MicrosoftDocs
diff --git a/‎articles/active-directory-b2c/TOC.yml
Lines changed: 4 additions & 6 deletions b/‎articles/active-directory-b2c/TOC.yml
Lines changed: 4 additions & 6 deletions
diff --git a/‎articles/active-directory-b2c/active-directory-technical-profile.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory-b2c/active-directory-technical-profile.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory-b2c/custom-policy-rest-api-claims-exchange.md
Lines changed: 132 additions & 176 deletions b/‎articles/active-directory-b2c/custom-policy-rest-api-claims-exchange.md
Lines changed: 132 additions & 176 deletions
diff --git a/‎articles/active-directory-b2c/custom-policy-rest-api-claims-validation.md
Lines changed: 9 additions & 23 deletions b/‎articles/active-directory-b2c/custom-policy-rest-api-claims-validation.md
Lines changed: 9 additions & 23 deletions
diff --git a/‎articles/active-directory-b2c/custom-policy-rest-api-intro.md
Lines changed: 182 additions & 0 deletions b/‎articles/active-directory-b2c/custom-policy-rest-api-intro.md
Lines changed: 182 additions & 0 deletions
@@ -233,18 +233,16 @@
         href: direct-signin.md
     - name: Add your own business logic
       items:
+      - name: Integrate REST API
+        href: custom-policy-rest-api-intro.md
       - name: Validate user input
         href: custom-policy-rest-api-claims-validation.md
         displayName: rest claims validation, validate
       - name: Obtain additional claims
         href: custom-policy-rest-api-claims-exchange.md
         displayName: rest claims exchange
-      - name: Add your own RESTful API
-        href: rest-api-claims-exchange-dotnet.md
-      - name: Secure RESTful APIs with basic auth
-        href: secure-rest-api-dotnet-basic-auth.md
-      - name: Secure RESTful APIs with certificate auth
-        href: secure-rest-api-dotnet-certificate-auth.md
+      - name: Secure REST API
+        href: secure-rest-api.md
     - name: Define custom attributes
       href: custom-policy-custom-attributes.md
     - name: Troubleshooting
 
@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 03/24/2020
+ms.date: 03/26/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -251,7 +251,7 @@ The following technical profile deletes a social user account using **alternativ
 | ClientId | No | The client identifier for accessing the tenant as a third party. For more information, see [Use custom attributes in a custom profile edit policy](custom-policy-custom-attributes.md) |
 | IncludeClaimResolvingInClaimsHandling  | No | For input and output claims, specifies whether [claims resolution](claim-resolver-overview.md) is included in the technical profile. Possible values: `true`, or `false` (default). If you want to use a claims resolver in the technical profile, set this to `true`. |
 
-### Error messages
+### UI elements
 
 The following settings can be used to configure the error message displayed upon failure. The metadata should be configured in the [self-asserted](self-asserted-technical-profile.md) technical profile. The error messages can be [localized](localization.md).
 
 
@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 03/16/2020
+ms.date: 03/26/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -18,28 +18,16 @@ ms.subservice: B2C
 
 [!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)]
 
-The Identity Experience Framework (IEF) that underpins Azure Active Directory B2C (Azure AD B2C) enables identity developers to integrate an interaction with a RESTful API in a user journey.
+The Identity Experience Framework (IEF) that underpins Azure Active Directory B2C (Azure AD B2C) enables identity developers to integrate an interaction with a RESTful API in a user journey.  At the end of this walkthrough, you'll be able to create an Azure AD B2C user journey that interacts with [RESTful services](custom-policy-rest-api-intro.md) to validate user input.
 
-At the end of this walkthrough, you will be able to create an Azure AD B2C user journey that interacts with RESTful services.
-
-IEF can send data that has been stored in a claims bag during a user journey to your REST API. It can also parse JSON responses received from the REST API into the Azure AD B2C claim bag. The interaction with the API:
-
-- Can be designed as a REST API claims exchange called from an orchestration step, or as a [validation technical profile](validation-technical-profile.md) called from within a [self asserted technical profile](self-asserted-technical-profile.md).
-- Typically validates input from the user. If the value from the user is rejected, the user can try again to enter a valid value with the opportunity to return an error message.
+In this scenario, we'll add the ability for users to enter a loyalty number into the Azure AD B2C sign-up page. We'll validate whether this combination of email and loyalty number is mapped to a promotional code by sending this data to a REST API. If the REST API finds a promotional code for this user, it will be returned to Azure AD B2C. Finally, the promotional code will be inserted into the token claims for the application to consume.
 
 You can also design the interaction as an orchestration step. This is suitable when the REST API will not be validating data on screen, and always return claims. For more information, see [Walkthrough: Integrate REST API claims exchanges in your Azure AD B2C user journey as an orchestration step](custom-policy-rest-api-claims-exchange.md).
 
-For the validation profile example, we will use the profile edit user journey in the starter pack file ProfileEdit.xml.
-
-We can verify that the name provided by the user in the profile edit is not part of an exclusion list.
-
-## Scenario
-
-In this scenario, we'll add the ability for users to enter a loyalty number into the Azure AD B2C sign-up page. We'll validate whether this combination of email and loyalty number is mapped to a promotional code by sending this data to a REST API. If the REST API finds a promotional code for this user, it will be returned to Azure AD B2C. Finally, the promotional code will be inserted into the token claims for the application to consume.
-
 ## Prerequisites
 
-Complete the steps in [Get started with custom policies](custom-policy-get-started.md). You should have a working custom policy for sign-up and sign-in with local accounts.
+- Complete the steps in [Get started with custom policies](custom-policy-get-started.md). You should have a working custom policy for sign-up and sign-in with local accounts.
+- Learn how to [Integrate REST API claims exchanges in your Azure AD B2C custom policy](custom-policy-rest-api-intro.md).
 
 ## Prepare a REST API endpoint
 
@@ -110,7 +98,7 @@ A [Restful technical profile](restful-technical-profile.md) provides support for
   <DisplayName>REST APIs</DisplayName>
   <TechnicalProfiles>
     <TechnicalProfile Id="REST-ValidateProfile">
-      <DisplayName>Check Player Tag Web Hook Azure Function</DisplayName>
+      <DisplayName>Check loyaltyId Azure Function web hook</DisplayName>
       <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
       <Metadata>
         <Item Key="ServiceUrl">https://your-account.azurewebsites.net/api/ValidateProfile?code=your-code</Item>
@@ -138,7 +126,7 @@ A [Restful technical profile](restful-technical-profile.md) provides support for
 
 In this example, the `userLanguage` will be sent to the REST service as `lang` within the JSON payload. The value of the `userLanguage` claim contains the current user language ID. For more information, see [claim resolver](claim-resolver-overview.md).
 
-The comments above `AuthenticationType` and `AllowInsecureAuthInProduction` specify changes you should make when you move to a production environment. To learn how to secure your RESTful APIs for production, see [Secure RESTful APIs with basic auth](secure-rest-api-dotnet-basic-auth.md) and [Secure RESTful APIs with certificate auth](secure-rest-api-dotnet-certificate-auth.md).
+The comments above `AuthenticationType` and `AllowInsecureAuthInProduction` specify changes you should make when you move to a production environment. To learn how to secure your RESTful APIs for production, see [Secure RESTful API](secure-rest-api.md).
 
 ## Validate the user input
 
@@ -253,7 +241,7 @@ To return the promo code claim back to the relying party application, add an out
   "iat": 1584292103,
   "auth_time": 1584292103,
   "name": "Emily Smith",
-  "email": "joe@outlook.com",
+  "email": "emily@outlook.com",
   "given_name": "Emily",
   "family_name": "Smith",
   "promoCode": "84362"
@@ -263,10 +251,8 @@ To return the promo code claim back to the relying party application, add an out
 
 ## Next steps
 
-
 To learn how to secure your APIs, see the following articles:
 
 - [Walkthrough: Integrate REST API claims exchanges in your Azure AD B2C user journey as an orchestration step](custom-policy-rest-api-claims-exchange.md)
-- [Secure your RESTful API with basic authentication (username and password)](secure-rest-api-dotnet-basic-auth.md)
-- [Secure your RESTful API with client certificates](secure-rest-api-dotnet-certificate-auth.md)
+- [Secure your RESTful API](secure-rest-api.md)
 - [Reference: RESTful technical profile](restful-technical-profile.md)
@@ -0,0 +1,182 @@
+---
+title: REST API claims exchanges in B2C custom policy
+titleSuffix: Azure AD B2C
+description: An introduction to creating an Azure AD B2C user journey that interacts with RESTful services.
+services: active-directory-b2c
+author: msmimart
+manager: celestedg
+
+ms.service: active-directory
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 03/23/2020
+ms.author: mimart
+ms.subservice: B2C
+---
+
+# Integrate REST API claims exchanges in your Azure AD B2C custom policy
+
+[!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)]
+
+The Identity Experience Framework, which underlies Azure Active Directory B2C (Azure AD B2C), can integrate with RESTful APIs within a user journey. This article shows how to create a user journey that interacts with a RESTful service using a [RESTful technical profile](https://identitydivision.visualstudio.com/defaultcollection/Identity%20CXP/_git/GTP?path=%2Fyoelh%2Fdocs%2Frest-api%2Frestful-technical-profile.md&version=GBmaster).
+
+Using Azure AD B2C, you can add your own business logic to a user journey by calling your own RESTful service. The Identity Experience Framework can send and receive data from your RESTful service to exchange claims. For example, you can:
+
+- **Validate user input data**. For example, you can verify that the email address provided by the user exists in your customer's database, and if not, present an error.
+- **Process claims**. If a user enters their first name in all lowercase or all uppercase letters, your REST API can format the name with only the first letter capitalized and return it to Azure AD B2C.
+- **Enrich user data by further integrating with corporate line-of-business applications**. Your RESTful service can receive the user's email address, query the customer's database, and return the user's loyalty number to Azure AD B2C. Then return claims can be stored in the user's Azure AD account, evaluated in the next orchestration steps, or included in the access token.
+- **Run custom business logic**. You can send push notifications, update corporate databases, run a user migration process, manage permissions, audit databases, and perform any other workflows.
+
+![Diagram of a RESTful service claims exchange](media/custom-policy-rest-api-intro/restful-service-claims-exchange.png)
+
+## Calling a RESTful service
+
+The interaction includes a claims exchange of information between the REST API claims and Azure AD B2C. You can design the integration with the RESTful services in the following ways:
+
+- **Validation technical profile**. The call to the RESTful service happens within a [validation technical profile](validation-technical-profile.md) of the specified [self-asserted technical profile](self-asserted-technical-profile.md), or a [verification display control](display-control-verification.md) of a [display control](display-controls.md). The validation technical profile validates the user-provided data before the user journey moves forward. With the validation technical profile, you can:
+
+  - Send claims to your REST API.
+  - Validate claims, and throw custom error messages that are displayed to the user.
+  - Send back claims from the REST API to subsequent orchestration steps.
+
+- **Claims exchange**. A direct claims exchange can be configured by calling a REST API technical profile directly from an orchestration step of a [user journey](userjourneys.md). This definition is limited to:
+
+  - Send claims to your REST API.
+  - Validate claims, and throw custom error messages that are returned to the application.
+  - Send back claims from the REST API to subsequent orchestration steps.
+
+You can add a REST API call at any step in the user journey defined by a custom policy. For example, you can call a REST API:
+
+- During sign-in, just before Azure AD B2C validates the credentials.
+- Immediately after sign-in.
+- Before Azure AD B2C creates a new account in the directory.
+- After Azure AD B2C creates a new account in the directory.
+- Before Azure AD B2C issues an access token.
+
+![Validation technical profile collection](media/custom-policy-rest-api-intro/validation-technical-profile.png)
+
+## Sending data
+
+In the [RESTful technical profile](restful-technical-profile.md), the `InputClaims` element contains a list of claims to send to your RESTful service. You can map the name of your claim to the name defined in the RESTful service, set a default value, and use [claims resolvers](claim-resolver-overview.md).
+
+You can configure how the input claims are sent to the RESTful claims provider by using the SendClaimsIn attribute. The possible values are:
+
+- **Body**, sent in the HTTP POST request body in JSON format.
+- **Form**, sent in the HTTP POST request body in an ampersand '&' separated key value format.
+- **Header**, sent in the HTTP GET request header.
+- **QueryString**, sent in the HTTP GET request query string.
+
+When the **Body** option is configured, the REST API technical profile allows you to send a complex JSON payload to an endpoint. For more information, see [Send a JSON payload](restful-technical-profile.md#send-a-json-payload).
+
+## Receiving data
+
+The `OutputClaims` element of the [RESTful technical profile](restful-technical-profile.md) contains a list of claims returned by the REST API. You may need to map the name of the claim defined in your policy to the name defined in the REST API. You can also include claims that aren't returned by the REST API identity provider, as long as you set the DefaultValue attribute.
+
+The output claims parsed by the RESTful claims provider always expect to parse a flat JSON Body response, such as:
+
+```json
+{
+  "name": "Emily Smith",
+  "email": "[email protected]",
+  "loyaltyNumber":  1234
+}
+```
+
+The output claims should look like the following:
+
+```xml
+<OutputClaims>
+  <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
+  <OutputClaim ClaimTypeReferenceId="email" />
+  <OutputClaim ClaimTypeReferenceId="loyaltyNumber" />
+</OutputClaims>
+```
+
+To parse a nested JSON Body response, set the ResolveJsonPathsInJsonTokens metadata to true. In the output claim, set the PartnerClaimType to the JSON path element you want to output.
+
+```json
+"contacts": [
+  {
+    "id": "MAINCONTACT_1",
+    "person": {
+      "name": "Emily Smith",
+      "loyaltyNumber":  1234,
+      "emails": [
+        {
+          "id": "EMAIL_1",
+          "type": "WORK",
+          "email": "[email protected]"
+        }
+      ]
+    }
+  }
+],
+```
+
+
+The output claims should look like following:
+
+```xml
+<OutputClaims>
+  <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="contacts.0.person.name" />
+  <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="contacts.0.person.emails.0.email" />
+  <OutputClaim ClaimTypeReferenceId="loyaltyNumber" PartnerClaimType="contacts.0.person.loyaltyNumber" />
+</OutputClaims>
+```
+
+## Security considerations
+
+You must protect your REST API endpoint so that only authenticated clients can communicate with it. The REST API must use an HTTPS endpoint. Set the AuthenticationType metadata to one of the following authentication methods:
+
+- **Client certificate** restricts access by using client certificate authentication. Only services that have the appropriate certificates can access your API. You store the client certificate in an Azure AD B2C Policy Key. Learn more about how to [secure your RESTful service by using client certificates](secure-rest-api.md#https-client-certificate-authentication).
+- **Basic** secures the REST API with HTTP basic authentication. Only verified users, including Azure AD B2C, can access your API. The username and password are stored in Azure AD B2C policy keys. Learn how to [secure your RESTful services by using HTTP basic authentication](secure-rest-api.md#http-basic-authentication).
+- **Bearer** restricts access using a client OAuth2 access token. The access token is stored in an Azure AD B2C policy key. Learn more about how to [secure your RESTful service by using Bearer token](secure-rest-api.md#oauth2-bearer-authentication).
+
+## REST API platform
+Your REST API can be based on any platform and written in any programing language, as long as it's secure and can send and receive claims as specified in [RESTful technical profile](restful-technical-profile.md).
+
+## Localize the REST API
+In a RESTful technical profile, you may want to send the current session's language/locale, and if necessary, raise a localized error message. Using the [claims resolver](claim-resolver-overview.md), you can send a contextual claim, such as the user language. The following example shows a RESTful technical profile demonstrating this scenario.
+
+```XML
+<TechnicalProfile Id="REST-ValidateUserData">
+  <DisplayName>Validate user input data</DisplayName>
+  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
+  <Metadata>
+    <Item Key="ServiceUrl">https://your-app.azurewebsites.net/api/identity</Item>
+    <Item Key="AuthenticationType">None</Item>
+    <Item Key="SendClaimsIn">Body</Item>
+    <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
+  </Metadata>
+  <InputClaims>
+    <InputClaim ClaimTypeReferenceId="userLanguage" DefaultValue="{Culture:LCID}" AlwaysUseDefaultValue="true" />
+    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="emailAddress" />
+  </InputClaims>
+  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
+</TechnicalProfile>
+```
+
+## Handling error messages
+
+Your REST API may need to return an error message, such as "The user was not found in the CRM system." If an error occurs, the REST API should return an HTTP 409 error message (Conflict response status code). For more information, see the [RESTful technical profile](https://identitydivision.visualstudio.com/defaultcollection/Identity%20CXP/_git/GTP?path=%2Fyoelh%2Fdocs%2Frest-api%2Frestful-technical-profile.md&version=GBmaster&anchor=returning-error-message).
+
+This can only be achieved by calling a REST API technical profile from a validation technical profile. This allows the user to correct the data on the page and run the validation again upon page submission.
+
+An HTTP 409 response is required to prevent the processing of any subsequent validation technical profiles within this orchestration step.
+
+If you reference a REST API technical profile directly from a user journey, the user is redirected back to the relying party application with the relevant error message.
+
+## Publishing your REST API
+
+The request to your REST API service comes from Azure AD B2C servers. The REST API service must be published to a publicly accessible HTTPS endpoint. The REST API calls will arrive from an Azure data center IP address.
+
+Design your REST API service and its underlying components (such as the database and file system) to be highly available.
+
+## Next steps
+
+See the following articles for examples of using a RESTful technical profile:
+
+- [Walkthrough: Integrate REST API claims exchanges in your Azure AD B2C user journey as validation of user input](custom-policy-rest-api-claims-validation.md)
+- [Walkthrough: Add REST API claims exchanges to custom policies in Azure Active Directory B2C](custom-policy-rest-api-claims-validation.md)
+- [Secure your REST API services](secure-rest-api.md)
+- [Reference: RESTful technical profile](restful-technical-profile.md)