Using the client credentials flow inside of Azure AD B2C
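<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
  Relying-party policy that demonstrates, from inside a B2C user journey:
    1. calling an OAuth 2.0 client-credentials token endpoint (REST-ClientCred),
    2. calling a downstream API with the returned bearer token (REST-CallAPI),
    3. issuing a B2C token to the caller that carries that bearer token as a claim.

  SECURITY NOTE (review): this is a development sample. DeploymentMode="Development"
  together with UserJourneyRecorderEndpoint and the JourneyInsights element below
  stream the claims bag (including access_token) to Application Insights. Set
  DeploymentMode="Production" and remove both telemetry hooks before deploying the
  policy to a real tenant.
-->
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
                      PolicySchemaVersion="0.3.0.0"
                      TenantId="tenant.onmicrosoft.com"
                      PolicyId="B2C_1A_ClientCred_API"
                      PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_ClientCred_API"
                      DeploymentMode="Development"
                      UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights">
  <BasePolicy>
    <TenantId>tenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TRUSTFRAMEWORKEXTENSIONSMFA</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
    <ClaimsSchema>
      <!-- Bearer token returned by the token endpoint; consumed by REST-CallAPI and
           re-emitted to the relying party by PolicyProfile. -->
      <ClaimType Id="access_token">
        <DisplayName>access_token</DisplayName>
        <DataType>string</DataType>
      </ClaimType>
      <!-- Fixed form fields of the client-credentials grant request (RFC 6749 section 4.4.2).
           They are sent as input claims so that nothing has to be appended to the ServiceUrl. -->
      <ClaimType Id="grant_type">
        <DisplayName>grant_type</DisplayName>
        <DataType>string</DataType>
      </ClaimType>
      <ClaimType Id="scope">
        <DisplayName>scope</DisplayName>
        <DataType>string</DataType>
      </ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Client credentials</DisplayName>
      <TechnicalProfiles>
        <!-- Step 1: obtain an access token with the client-credentials grant. -->
        <TechnicalProfile Id="REST-ClientCred">
          <DisplayName>Acquire client-credentials access token</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
          <Metadata>
            <!-- Token endpoint only. The original sample appended grant_type, scope, client_id AND
                 client_secret to this URL as query-string parameters. RFC 6749 section 2.3.1 forbids
                 sending client credentials in the request URI: the full URL is recorded by web-server
                 and proxy logs and by the journey recorder, so the secret would leak into telemetry.
                 (The raw '&' characters that the query string needed were also unescaped, which makes
                 the document ill-formed XML; element text must use '&amp;'.) -->
            <Item Key="ServiceUrl">https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_ClientCred/oauth2/v2.0/token</Item>
            <!-- OAuth token endpoints consume application/x-www-form-urlencoded, which "Form"
                 produces from the InputClaims below; "Body" would have sent JSON. -->
            <Item Key="SendClaimsIn">Form</Item>
            <!-- client_id / client_secret travel in the Authorization header (client_secret_basic)
                 and are read from Identity Experience Framework policy keys, so the secret appears
                 neither in this file nor in the claims bag. This is the same pattern the official
                 azure-ad-b2c samples use for acquiring a Graph token from a REST technical profile.
                 NOTE(review): confirm that this tenant's .well-known/openid-configuration lists
                 client_secret_basic under token_endpoint_auth_methods_supported. If it only lists
                 client_secret_post, send client_id and client_secret as two more form fields via
                 InputClaims instead; never put them back in the URL. -->
            <Item Key="AuthenticationType">Basic</Item>
            <Item Key="DefaultUserMessageIfRequestFailed">Cannot process your request right now, please try again later.</Item>
          </Metadata>
          <CryptographicKeys>
            <!-- Create both as "Manual" policy keys in the tenant: the username key holds the
                 application (client) ID, the password key holds the client secret. -->
            <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_ClientCredClientId"/>
            <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_ClientCredClientSecret"/>
          </CryptographicKeys>
          <InputClaims>
            <!-- AlwaysUseDefaultValue pins both fields so a caller cannot influence the grant
                 parameters through the claims bag. -->
            <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true"/>
            <InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://tenant.onmicrosoft.com/api/.default" AlwaysUseDefaultValue="true"/>
          </InputClaims>
          <OutputClaims>
            <!-- The token endpoint's JSON response field "access_token" maps 1:1 onto the claim id. -->
            <OutputClaim ClaimTypeReferenceId="access_token"/>
          </OutputClaims>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
        </TechnicalProfile>
        <!-- Step 2: call the protected API, presenting the token from step 1. -->
        <TechnicalProfile Id="REST-CallAPI">
          <DisplayName>Call API with bearer token</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
          <Metadata>
            <!-- Sample sink only: a public Beeceptor mock receives the bearer token. Point this at
                 an API you control (and that validates the token) before real use. -->
            <Item Key="ServiceUrl">https://....proxy.beeceptor.com/...cred</Item>
            <Item Key="SendClaimsIn">Body</Item>
            <!-- The access_token claim is sent as "Authorization: Bearer ...". -->
            <Item Key="AuthenticationType">Bearer</Item>
            <Item Key="UseClaimAsBearerToken">access_token</Item>
            <!-- NOTE(review): per the RESTful provider docs this flag only governs
                 AuthenticationType=None under DeploymentMode="Production". It is kept here because
                 the original author set it; verify the policy uploads in Production mode without it
                 and then remove it, so a later switch to AuthenticationType=None is rejected. -->
            <Item Key="AllowInsecureAuthInProduction">true</Item>
          </Metadata>
          <InputClaims>
            <!-- Presumably also echoed in the JSON body because SendClaimsIn=Body; a real API only
                 needs the Authorization header. -->
            <InputClaim ClaimTypeReferenceId="access_token"/>
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <!-- Non-interactive journey: token acquisition, API call, then issue the B2C token. -->
    <UserJourney Id="ClientCredentials-REST-API">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="ClientCred" TechnicalProfileReferenceId="REST-ClientCred"/>
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="CallAPI" TechnicalProfileReferenceId="REST-CallAPI"/>
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="ClientCredentials-REST-API"/>
    <UserJourneyBehaviors>
      <!-- Development telemetry: DeveloperMode="true" pushes journey events (with claim values)
           straight to Application Insights. Remove this element for production. -->
      <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="410...5d0" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0"/>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect"/>
      <OutputClaims>
        <!-- No user takes part in this journey, so "sub" is pinned to a constant: every token
             this policy issues shares the same subject. Fine for a demo; a downstream API must
             not treat it as a user identity. -->
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" AlwaysUseDefaultValue="true" DefaultValue="123456"/>
        <!-- Re-issues the upstream bearer token inside the B2C token. Anyone holding the B2C token
             therefore also holds a usable token for the API scope above; keep the audience small. -->
        <OutputClaim ClaimTypeReferenceId="access_token" DefaultValue="No Value"/>
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub"/>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>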
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
  Relying-party policy that exposes the client-credentials grant. Its token endpoint
  (.../B2C_1A_ClientCred/oauth2/v2.0/token) is the one the companion
  B2C_1A_ClientCred_API policy calls. Requests with grant_type=client_credentials are
  routed by the JwtIssuer metadata below to ClientCredentialsJourney; everything else
  uses the DefaultUserJourney from the base policy.
-->
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="tenant.onmicrosoft.com" PolicyId="B2C_1A_ClientCred" PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_ClientCred">
<BasePolicy>
<TenantId>tenant.onmicrosoft.com</TenantId>
<PolicyId>B2C_1A_TRUSTFRAMEWORKEXTENSIONSMFA</PolicyId>
</BasePolicy>
<!-- Derived from https://github.com/azure-ad-b2c/samples/tree/master/policies/client_credentials_flow -->
<BuildingBlocks>
<ClaimsSchema>
<!-- Marker claim emitted in the issued token; it is only ever set to a constant here. -->
<ClaimType Id="access_token">
<DisplayName>access_token</DisplayName>
<DataType>string</DataType>
</ClaimType>
</ClaimsSchema>
</BuildingBlocks>
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>Token Issuer</DisplayName>
<TechnicalProfiles>
<!-- Overrides the base JwtIssuer only to name the journey that serves client-credentials requests. -->
<TechnicalProfile Id="JwtIssuer">
<Metadata>
<Item Key="ClientCredentialsUserJourneyId">ClientCredentialsJourney</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Client credential technical profiles</DisplayName>
<TechnicalProfiles>
<!-- Protocol "None": no external call. Seeds the claims bag with a fixed access_token value
     so the issued token visibly identifies which grant produced it. -->
<TechnicalProfile Id="ClientCredentials_Setup">
<DisplayName>Trustframework Policy Client Credentials Setup Technical Profile</DisplayName>
<Protocol Name="None"/>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="access_token" DefaultValue="OAuth 2.0 Client Credentials" AlwaysUseDefaultValue="true"/>
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
<!-- Two-step non-interactive journey: seed the claim, then issue the token. -->
<UserJourney Id="ClientCredentialsJourney">
<OrchestrationSteps>
<!-- [Required] Do the client credentials -->
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="ClientCredSetupExchange" TechnicalProfileReferenceId="ClientCredentials_Setup"/>
</ClaimsExchanges>
</OrchestrationStep>
<!-- [Required] Issue the access token -->
<OrchestrationStep Order="2" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
</OrchestrationSteps>
</UserJourney>
</UserJourneys>
<RelyingParty>
<!-- Interactive sign-in keeps using the base journey; client-credentials calls bypass it via JwtIssuer. -->
<DefaultUserJourney ReferenceId="SignUpOrSignIn"/>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect"/>
<OutputClaims>
<!-- NOTE(review): nothing in ClientCredentialsJourney sets objectId, so for client-credentials
     tokens this mapping presumably yields no "sub"; the API relying on this policy should not
     expect a per-user subject from that grant. -->
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="access_token" DefaultValue="No Value"/>
</OutputClaims>
<SubjectNamingInfo ClaimType="sub"/>
</TechnicalProfile>
</RelyingParty>
</TrustFrameworkPolicy>
https://medium.com/the-new-control-plane/using-the-client-credentials-flow-inside-of-azure-ad-b2c-12952e95d8cb