Azure AD B2C extract array claim from id_token_hint
I have set up a SignUp with email invitation flow as described here. The id_token_hint looks like this:
{
"alg": "RS256",
"kid": "00BFDFB35FF5994E543B5D8CE74B37FC5E702294",
"x5t": "AL_fs1_1mU5UO12M50s3_F5wIpQ",
"typ": "JWT"
}.{
"name": "Name",
"email": "[email protected]",
"roles": [
"role1",
"role2",
"role3"
],
"nbf": 1651067986,
"exp": 1651068286,
"iss": "xx",
"aud": "xx"
}.[Signature]
and I try to extract the roles into a stringCollection claim, so that I can use it later. The claim is defined like this:
<ClaimType Id="InvitationRoles">
<DisplayName>Invitation Roles</DisplayName>
<DataType>stringCollection</DataType>
<UserHelpText>Invitation Roles</UserHelpText>
</ClaimType>
I added the following to the IdTokenHint_ExtractClaims ClaimsProvider TechnicalProfile:
<OutputClaim ClaimTypeReferenceId="InvitationRoles" PartnerClaimType="roles"/>
and this to the RelyingParty TechnicalProfile PolicyProfile:
<InputClaim ClaimTypeReferenceId="InvitationRoles" PartnerClaimType="roles" />
But I only get the first value of the array shown in the Application Insights Debug Logging:
Claims
InvitationRoles: [role1]
ReadOnlyEmail: [email protected]
email: [email protected]
Am I missing something, or is this not supported?
Solution 1:[1]
Please check whether the given references can narrow down the issue.
Please check whether this Microsoft Q&A thread, Default value for stringCollection in Azure AD B2C custom policy, gives an idea for a workaround:
- Define the claims schema.
- Add the claims transformation rule.
- To the required Technical Profile, add the string claim as the output claim and the claims transformation rule to transform it to a stringCollection claim.
- Finally add the claim as output claim
- You can extract claims from id_token_hint using the instructions and sample in AAD-b2c-id-token-hint.
Note: In some cases the tokens retrieved from B2C do not contain all the information about the user and their claims or attributes. You may need to use the Graph API to query the user for that information.
See this Stack Overflow question, c# - Azure B2C How to retrieve Built-In User Claims/Attributes, on how to get an array of them programmatically.
The output you have looks like the extractedItem from the GetSingleItemFromStringCollection claims transformation, where the string ClaimType produced by this ClaimsTransformation gets the first item in the collection.
Please check whether you can make use of AddItemToStringCollection to add the other roles and then output the extracted item: example-of-additemtostringcollection
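As an added example, not part of the answer above or of Microsoft's AAD-b2c-id-token-hint sample, the policy fragments below carry out the four steps listed in that answer with a StringSplit claims transformation. They assume the inviting application can be changed to emit the roles as one delimited string claim (for example "roles": "role1,role2,role3") instead of a JSON array; the claim ID InvitationRolesRaw, the transformation ID SplitInvitationRoles and the comma delimiter are illustrative choices, and the ClaimType InvitationRoles is the one already defined in the question. Because the roles decide what the invited user ends up with, they must only be read from an id_token_hint whose signature, issuer and audience the IdTokenHint_ExtractClaims profile has validated, as the linked sample's metadata configures it; the fragment adds to that profile and does not replace that validation.

```xml
<!-- Added example, not from the original question, answer or sample.
     Assumes the inviting app sends "roles" as a single delimited string,
     e.g. "role1,role2,role3". Claim and transformation IDs are illustrative. -->

<!-- Step 1: claims schema. A scratch string claim for the raw value, plus the
     stringCollection claim (the latter already exists in the question). -->
<ClaimType Id="InvitationRolesRaw">
  <DisplayName>Invitation Roles (delimited)</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Comma-delimited roles as received in the id_token_hint</UserHelpText>
</ClaimType>
<ClaimType Id="InvitationRoles">
  <DisplayName>Invitation Roles</DisplayName>
  <DataType>stringCollection</DataType>
  <UserHelpText>Invitation Roles</UserHelpText>
</ClaimType>

<!-- Step 2: claims transformation. StringSplit turns the delimited string
     into a stringCollection. The delimiter must not occur inside a role name. -->
<ClaimsTransformation Id="SplitInvitationRoles" TransformationMethod="StringSplit">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="InvitationRolesRaw" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="delimiter" DataType="string" Value="," />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="InvitationRoles" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

<!-- Step 3: inside the IdTokenHint_ExtractClaims technical profile, map the
     token's "roles" claim to the string claim, then run the transformation.
     Keep the profile's existing metadata (issuer, audience, metadata endpoint):
     the roles are only trustworthy because the token's signature was checked. -->
<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="email" />
  <OutputClaim ClaimTypeReferenceId="InvitationRolesRaw" PartnerClaimType="roles" />
</OutputClaims>
<OutputClaimsTransformations>
  <OutputClaimsTransformation ReferenceId="SplitInvitationRoles" />
</OutputClaimsTransformations>

<!-- Step 4: in the RelyingParty PolicyProfile, return the collection in the
     token B2C issues, so the application receives all roles, not only the first. -->
<OutputClaim ClaimTypeReferenceId="InvitationRoles" />
```

This only helps if the token producer can be changed; if it must keep sending a JSON array, the StringSplit route does not apply. Whatever the transport, the application should still compare each received role against the fixed set of roles it recognises before acting on it, since any value placed in the id_token_hint by the inviter is carried through unchanged.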
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow

Solution | Source
---|---
Solution 1 | kavyasaraboju-MT