{"id":39958,"date":"2020-11-16T00:32:56","date_gmt":"2020-11-16T07:32:56","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/premier-developer\/?p=39958"},"modified":"2020-11-09T11:51:07","modified_gmt":"2020-11-09T18:51:07","slug":"claims-encryption-for-b2c-tokens","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/premier-developer\/claims-encryption-for-b2c-tokens\/","title":{"rendered":"Claims encryption for B2C tokens"},"content":{"rendered":"

Marius Rochon<\/a> shares a sample which Provides Azure B2C JWT token confidentiality by encrypting selected claims prior to token issuance and providing support for their decryption by confidential clients for which these tokens were intended.<\/p>\n

\n
<\/code><\/pre>\n
Claims Encryption<\/h2>\n
<\/code><\/pre>\n
<\/a>Purpose<\/h2>\n
<\/code><\/pre>\n
Provides Azure B2C JWT token confidentiality by encrypting selected claims prior to token issuance and providing support for their decryption by confidential clients for which these tokens were intended.<\/p>\n
<\/code><\/pre>\n
<\/a>Operation<\/h2>\n
<\/code><\/pre>\n
This system consists of two main components: a web application providing the encryption\/decryption operations and B2C policies calling the encryption operation.<\/p>\n
<\/code><\/pre>\n
<\/a>REST functions<\/h3>\n
<\/code><\/pre>\n
\/encrypt<\/strong>: encrypt all properties of a JSON object and return a JSON object with same properties with relevant values encrypted. This operation is used by B2C custom policies to encrypt selected claims. The input object must<\/strong>\u00a0include the\u00a0aud<\/em>\u00a0claim identifying the target application for the token. This is the application which may call the \/decrypt operation. \/encrypt does not use any authentication at this time.<\/p>\n
<\/code><\/pre>\n
Request<\/strong><\/p>\n
<\/code><\/pre>\n
POST \/encrypt\r\nContent-type: application\/json\r\nAccept: application\/json\r\n\r\n{\"aud\":\"<application id>\",\"property1\":\"value1\"}\r\n<\/code><\/pre>\n
<\/code><\/pre>\n
Response<\/strong><\/p>\n
<\/code><\/pre>\n
{\"aud\":\"<application id>\",\"property1\":\"CfDJ8OKS0TfF....27hGvaJ0kU3oTTl\"}\r\n<\/code><\/pre>\n
<\/code><\/pre>\n
\/decrypt<\/strong>: validates signature of the JWT token submitted in the body of the request and decrypts claims which can be validly decrypted. This operation must be called with an OAuth2 token allowing the caller to call this operation (roles<\/em>\u00a0claim\u00a0must<\/strong>\u00a0include\u00a0decrypt<\/em>\u00a0role). The caller’s application id (the\u00a0azp<\/em>\u00a0claim) must be same as the\u00a0aud<\/em>\u00a0claim of the token whose claims need to be decrypted.<\/p>\n
<\/code><\/pre>\n
Request<\/strong><\/p>\n
<\/code><\/pre>\n
POST \/decrypt\r\nContent-type: text\/plain\r\nAccept: application\/json\r\nAuthorization: Bearer eyJ0eXAiOiJKV1QiLC...(authorization to call this service, must include *scope=decrypt*)\r\n\r\neyJ0eXAiOiJKV1QiLC... (token with some encrypted claims)\r\n<\/code><\/pre>\n
<\/code><\/pre>\n
Response<\/strong><\/p>\n
<\/code><\/pre>\n
{\"aud\":\"<application id>\",\"property1\":\"value1\"}\r\n<\/code><\/pre>\n
<\/code><\/pre>\n
<\/a>B2C custom policy<\/h3>\n
<\/code><\/pre>\n
CryptoExtensions.xml<\/em>\u00a0modifies the standard, local account sign-up\/-in journey to encrypt user’s display name. The call to the encrypt operation looks as follows.\u00a0Note<\/strong>\u00a0the inclusion of the\u00a0aud<\/em>\u00a0claim in the request.<\/p>\n
<\/code><\/pre>\n
(B2C policies used in this sample use the\u00a0IEF upload tool<\/a>\u00a0to resolve tenant name, IEF app ids and symbolic parameters like\u00a0{RESTEncryptUrl}<\/em>\u00a0below).<\/p>\n
<\/code><\/pre>\n
<ClaimsProvider>\r\n  <DisplayName>REST APIs<\/DisplayName>\r\n  <TechnicalProfiles>\r\n    <TechnicalProfile Id=\"REST-Encrypt\">\r\n      <DisplayName>Encrypt selected claims<\/DisplayName>\r\n      <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" \/>\r\n      <Metadata>\r\n        <Item Key=\"ServiceUrl\">{RESTEncryptUrl}\/encrypt<\/Item>\r\n        <Item Key=\"SendClaimsIn\">Body<\/Item>\r\n        <!-- Set AuthenticationType to Basic or ClientCertificate in production environments -->\r\n        <Item Key=\"AuthenticationType\">None<\/Item>\r\n        <!-- REMOVE the following line in production environments -->\r\n        <Item Key=\"AllowInsecureAuthInProduction\">true<\/Item>\r\n      <\/Metadata>\r\n      <InputClaims>\r\n        <!-- aud MUST be sent as input claim -->\r\n        <InputClaim ClaimTypeReferenceId=\"aud\" DefaultValue=\"{OIDC:ClientId}\" AlwaysUseDefaultValue=\"true\" \/>          \r\n        <!-- Other claims to be encrypted -->\r\n        <InputClaim ClaimTypeReferenceId=\"displayName\" \/>\r\n      <\/InputClaims>\r\n      <OutputClaims>\r\n        <!-- Returned encrypted claims -->\r\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" \/>\r\n      <\/OutputClaims>\r\n      <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-Noop\" \/>\r\n    <\/TechnicalProfile>\r\n  <\/TechnicalProfiles>\r\n<\/ClaimsProvider>\r\n<\/code><\/pre>\n
<\/code><\/pre>\n
You can run this policy using this\u00a0link<\/a>. The entered\u00a0Display Name<\/em> will show as encrypted in the displayed token.<\/p>\n
<\/code><\/pre>\n
<\/a>Deployment<\/h2>\n
<\/code><\/pre>\n
You can clone the provided code and deploy it into your own Azure subscription and B2C tenant.<\/p>\n
<\/code><\/pre>\n
I have published the REST functions as a multi-tenant AAD application so you should be able to consent it into your B2C tenant. enter the following request into a browser:<\/p>\n
<\/code><\/pre>\n
https:\/\/login.microsoftonline.com\/<your B2C tenant>.onmicrosoft.com\/oauth2\/v2.0\/authorize?client_id=a4938349-59ca-4238-b70d-1549ed19292d&response_type=code&response_mode=form_post&state=dummy&nonce=dummy&scope=openid\r\n<\/code><\/pre>\n
<\/code><\/pre>\n
Once you sign in and consent, you should see\u00a0TokenEncryption API<\/em>\u00a0in your Enterprise Apps.<\/p>\n
<\/code><\/pre>\n
You will then be able to register your own client applications (recipients of encrypted tokens), set their API Permission to access the\u00a0Token Encryption API<\/em>\u00a0with\u00a0decrypt<\/em>\u00a0application permission, and use client credentials to request a token to call the \/decrypt endpoint.<\/p>\n
<\/code><\/pre>\n
Check out the complete sample on GitHub.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Once you sign in and consent, you should see TokenEncryption API in your Enterprise Apps.  You will then be able to register your own client applications (recipients of encrypted tokens), set their API Permission to access the Token Encryption API with decrypt application permission, and use client credentials to request a token.<\/p>\n","protected":false},"author":582,"featured_media":38475,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[25],"tags":[69,1131,10602,213],"class_list":["post-39958","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","tag-azure-ad","tag-b2c","tag-claims","tag-encryption"],"acf":[],"blog_post_summary":"
Once you sign in and consent, you should see TokenEncryption API in your Enterprise Apps.  You will then be able to register your own client applications (recipients of encrypted tokens), set their API Permission to access the Token Encryption API with decrypt application permission, and use client credentials to request a token.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/39958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/users\/582"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/comments?post=39958"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/39958\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media\/38475"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media?parent=39958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/categories?post=39958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/tags?post=39958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}