Does Azure AD B2C support "roles" claim in JWT tokens for authorization?


I'm exploring Azure AD B2C in a learning environment, and I'm currently exploring a requirement related to the inclusion of a "roles" claim in JWT tokens for the purpose of authorization. My objective is to understand how to assign varying access levels and permissions based on user roles within a sample application.

Expected results:

I expect Azure AD B2C to provide native support for the "roles" claim in JWT tokens, allowing me to easily manage and validate user roles during authorization.

Actual results:

However, my research on this topic has not yielded clear information about whether Azure AD B2C supports the "roles" claim. The official Microsoft documentation does not provide recent information specifically addressing this aspect.

What I've tried:

I have thoroughly searched through various resources, including SO, Microsoft documentation, and developer forums, to find any updates or insights on this matter. However, I couldn't find concrete information that definitively states whether Azure AD B2C supports the "roles" claim in JWT tokens or offers any recommended approach to handle user roles.

Why it didn't meet my needs:

The lack of specific information has made it challenging for me to implement role-based authorization using Azure AD B2C. Without clarity on whether Azure AD B2C supports "roles" claim, I am unsure about the best approach to achieve my desired functionality.

Does Azure AD B2C support the "roles" claim in JWT tokens, or are there alternative approaches or workarounds to achieve role-based authorization within Azure AD B2C?


There are 4 best solutions below

2
Felix On BEST ANSWER

Assuming I understood your question correctly, the short answer is: No, as of today Azure Active Directory B2C does not support roles within the 'role' claim for custom applications. At least the official documentation for Azure AD B2C does not describe this feature. For more information, see this post.

However, depending on your use case, you could use the regular Azure Active Directory. The regular version allows you to create custom roles within your application, which are sent in the 'roles' claim of the access token. Unfortunately, this will only allow your users to sign in via one of their Microsoft accounts (work, school or personal). See the documentation for this. Hence, it does not provide e.g. Social Logins via other providers like Azure AD B2C does.

See this article for adding roles to your Azure AD application, in case using Azure AD is an option for you.

0
Dave D On

It's not that B2C doesn't support the roles claim, but it doesn't support managing roles within the B2C tenant (sort of).

You could always have an external store of roles, or roles assigned within B2C's AAD directory, and then use an API/Graph API to retrieve those roles and populate a roles claim as part of your B2C journey. However, you're going to need to implement and host that API outside of B2C.

If you're using custom policies and local accounts (i.e. email & password stored in the B2C directory) there's another approach you can take, but it's not documented and not officially supported.

The way local accounts work in custom policies is that B2C makes an ROPC call to the underlying AAD, requesting a token for the IdentityExperienceFramework application. That ROPC call can return roles, and those roles can be mapped to a roles claim in B2C and returned back to the relying party as part of the user's id_token and access_token.

To achieve that you need to update the IdentityExperienceFramework application's manifest to expose user roles (these will be the roles that get assigned to individual users). You then need to assign users to that application, giving them one of the roles. Finally, you need to add the roles claim as an output claim to the ROPC call, to the self-asserted page making the ROPC call, and to the relying party definition.

0
user16987573 On

Assuming I understood your question correctly, AD B2C does not support the "role" or "access-privilege" claims.

However, there is a way to achieve this using a Custom Attribute and an API Connector. In this case you need to maintain your role access control outside B2C, and you add it as a claim while logging in using B2C.

For example, you have a database table with all roles and access credentials. You create a REST API that can fetch that data. Add that API to the B2C Sign In user flow using an API Connector. Your claim will get added to the sign-in token.

0
thanhquangvo On

Because this feature is not officially supported in Azure B2C, the workaround is that you have to build a custom API that manages roles for each B2C account. In the Azure documentation, you can use API connectors to call the custom API to get the account's role and return it in the token's claims; Azure calls this enriching tokens with claims.
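The API-connector approach described in the two answers above, as an added example that is not code from the question, any answer, or Microsoft: a minimal connector endpoint that looks the user's role up in an external store and returns it in the continuation response, plus the relying-party check on the resulting claim. Everything here is constructed or assumed: the in-memory role store stands in for your database, `B2C_EXTENSIONS_APP_ID` is a placeholder for the tenant's b2c-extensions-app id that prefixes custom attributes in the connector response, the attribute `Role` is assumed to be defined as a custom attribute in the tenant, and the claim is assumed to surface in the issued token as `extension_Role`. The basic-auth credentials are the ones you configure on the API connector so the endpoint only accepts calls from B2C.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder for the tenant's b2c-extensions-app application id (assumption:
# custom attributes in the connector response are named extension_<id>_<Name>).
B2C_EXTENSIONS_APP_ID = "00000000000000000000000000000000"
RESPONSE_CLAIM = f"extension_{B2C_EXTENSIONS_APP_ID}_Role"
# Assumption: B2C surfaces that attribute to the relying party as extension_Role.
TOKEN_CLAIM = "extension_Role"

# Credentials B2C presents via HTTP basic auth when calling the connector (constructed).
CONNECTOR_USER = "connector"
CONNECTOR_PASSWORD = "s3cret-change-me"

# Constructed role store keyed by the user's B2C objectId; a real deployment
# would query the database that holds role assignments here.
ROLE_STORE = {
    "11111111-1111-1111-1111-111111111111": "admin",
    "22222222-2222-2222-2222-222222222222": "reader",
}


def basic_auth_header(user, password):
    """Build the Authorization header value B2C sends for basic-auth connectors."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(authorization_header):
    """Reject any caller that is not B2C; constant-time compare avoids timing leaks."""
    expected = basic_auth_header(CONNECTOR_USER, CONNECTOR_PASSWORD)
    return authorization_header is not None and hmac.compare_digest(
        authorization_header.encode(), expected.encode())


def enrich_claims(request_body):
    """Build the response for the 'before including application claims in token'
    step. Returns (http_status, json_body) in the continuation-response shape:
    {"version": "1.0.0", "action": "Continue", "<claim>": "<value>"}."""
    object_id = request_body.get("objectId")
    if not object_id:
        # Block sign-in rather than issue a token whose role cannot be determined.
        return 200, {"version": "1.0.0", "action": "ShowBlockPage",
                     "userMessage": "Your account could not be resolved. Contact support."}
    role = ROLE_STORE.get(object_id, "guest")  # unknown user -> least privilege
    return 200, {"version": "1.0.0", "action": "Continue", RESPONSE_CLAIM: role}


def authorize(claims, required_role):
    """Relying-party check over an already signature-validated token payload.
    A token without the claim is treated as having no role."""
    return claims.get(TOKEN_CLAIM) == required_role


class ConnectorHandler(BaseHTTPRequestHandler):
    """Tiny HTTP front for enrich_claims so the flow can be exercised locally."""

    def do_POST(self):
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            body = {}
        status, payload = enrich_claims(body)
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ConnectorHandler).serve_forever()
```

Two design points worth keeping when you move this to a real service: the endpoint must authenticate B2C (basic auth as here, or a client certificate) because anyone who can reach it unauthenticated can mint themselves a role, and an unknown user should fall through to the least-privileged role rather than an error path that leaks into a token. The relying party still validates the token signature, issuer and audience with a proper JWT library before `authorize` ever looks at the payload.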