In our system we've added the Azure AD identity provider to a canned SignInUp user flow and it is working. Now we want to use the Home Realm Discovery custom policy, but it works very differently. (HRD: https://github.com/azure-ad-b2c/samples/blob/master/policies/default-home-realm-discovery/readme.md)
With canned user flows, Azure AD requires users to sign up, a "shadow" user record is created in B2C, and that user's B2C objectId is returned in the claims. The custom policy flow apparently does not require sign-up for internal users; instead it returns the AD objectId rather than the B2C objectId.
Or is that "shadow user" required? My custom policy is working for authentication in my SPA app, but calls to our API are not. They return 401 Access Denied "invalid token", and I confirmed the token is not blank. Is that the AD token instead of the B2C token?
I've downloaded the canned user flow XML to see how it deals with this, but it just references a Subjourney that accesses a ClaimProvider associated with the IdentityProvider for AD. Those details are not available in the XML.
Lastly, after reading further, it seems this may be a token encryption issue. Since we're using this for Single Sign-On, if I roll out my custom policy, does every user flow we use from now on need to be in a custom policy so the encryption matches? Do all old apps using canned policies need to be retrofitted?
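A quick way to answer the "is that the AD token instead of the B2C token?" question is to decode the access token the SPA actually sends to the API and look at its issuer and `tfp` claim. The script below is an added example, not code from the question or from Microsoft; it assumes that a token issued by a B2C policy carries the policy name in a `tfp` claim (or, if the tenant is configured that way, an `acr` claim starting with `b2c_1`), while a token issued directly by Azure AD carries neither. The two tokens it decodes are constructed in the script with a throwaway HS256 secret so it runs offline; real tokens are RS256 and the signature check here is deliberately skipped because this is a diagnostic, not API-side validation.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; put it back before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, secret: bytes = b"constructed-demo-secret") -> str:
    """Build a structurally valid HS256 JWT. Constructed demo data only: real
    B2C and AAD tokens are RS256-signed by Microsoft, not by this secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_unverified(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(claims: dict) -> str:
    """Assumption: B2C policies stamp the policy name into 'tfp' (or 'acr' when
    configured); a plain Azure AD token has neither and an AAD issuer."""
    if "tfp" in claims or str(claims.get("acr", "")).lower().startswith("b2c_1"):
        return "b2c"
    iss = claims.get("iss", "")
    if "login.microsoftonline.com" in iss or "sts.windows.net" in iss:
        return "aad"
    return "unknown"


def diagnose(claims: dict, expected_aud: str, expected_policy: str) -> list:
    """List the reasons an API protected by one B2C policy would reject this token."""
    problems = []
    kind = classify_token(claims)
    if kind != "b2c":
        problems.append(f"not a B2C token (classified as {kind}, iss={claims.get('iss')})")
    else:
        policy = claims.get("tfp") or claims.get("acr")
        if policy.lower() != expected_policy.lower():
            problems.append(f"issued by policy {policy}, API expects {expected_policy}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        problems.append(f"audience {aud!r} does not include {expected_aud}")
    return problems


# Constructed sample claims (hypothetical tenant and app IDs, not real tokens).
B2C_CLAIMS = {
    "iss": "https://contoso.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/",
    "aud": "api-client-id",
    "tfp": "B2C_1A_HRD_signin",
    "oid": "22222222-2222-2222-2222-222222222222",  # B2C shadow-account objectId
}
AAD_CLAIMS = {
    "iss": "https://login.microsoftonline.com/33333333-3333-3333-3333-333333333333/v2.0",
    "aud": "spa-client-id",
    "oid": "44444444-4444-4444-4444-444444444444",  # home-tenant AAD objectId
}
B2C_TOKEN = make_token(B2C_CLAIMS)
AAD_TOKEN = make_token(AAD_CLAIMS)

if __name__ == "__main__":
    for name, tok in (("b2c", B2C_TOKEN), ("aad", AAD_TOKEN)):
        claims = decode_unverified(tok)
        print(name, classify_token(claims), diagnose(claims, "api-client-id", "B2C_1A_HRD_signin"))
```

Paste the token from the SPA's Authorization header into `decode_unverified` and run `diagnose` with the API's configured audience and policy name; if it reports "not a B2C token", the SPA is forwarding the Azure AD token rather than the one minted by the custom policy. The API itself must still validate the signature against the JWKS of the policy it trusts, which this diagnostic intentionally does not do.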
In terms of custom policies, yes, every external IDP auth results in the creation of a shadow account.
If you look at the policy, it does a readbyalternativeid, which reads the shadow account and returns the objectID, which is the ID of the B2C user.
Not sure about encryption?
B2C does not handle encrypted JWT and throws an exception when it tries to parse it.
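The read-by-alternative-ID step the answer describes looks like this in a custom policy. This is an added illustration written in the shape of the B2C starter-pack technical profiles, not a copy of the asker's policy or of the HRD sample; the orchestration step numbers and the `-NoError` variant with the follow-on write profile are assumptions about how a typical social/federated sign-in journey is laid out.

```xml
<!-- Reads the B2C shadow account keyed by the external IdP identity.
     Input: AlternativeSecurityId (built from the IdP issuer and issuerUserId).
     Output: objectId of the B2C user, which is what ends up in the token's oid claim. -->
<TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId-NoError">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <!-- false: a missing shadow account is not an error, so the journey can fall
         through to the write profile that creates it on first sign-in -->
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="AlternativeSecurityId" PartnerClaimType="alternativeSecurityId" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

<!-- In the user journey, after the Azure AD claims exchange (step numbers assumed):
     read the shadow account, then create it only if the read returned no objectId -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
  </ClaimsExchanges>
</OrchestrationStep>
```

If a journey instead passes the `objectId` returned by the Azure AD claims provider straight through to the relying party, the token will carry the home-tenant AAD objectId rather than the B2C shadow-account objectId, which is the symptom described in the question; the read (and, on first sign-in, write) step above is what swaps in the B2C value.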