The B2C Identity Experience Framework (IEF) enables a wide variety of experiences and functionalities by offering developers a high degree of policy, journey, and token response customization.
To ensure compatibility with the MSAL client libraries, a core set of response tokens and claims conforming to the OAuth 2.0 and OpenID Connect specifications must be returned by your application's policies.
The following artifacts must be included in the response from your policy's /token endpoint:
Artifact | Expected Format | Description
---|---|---
access_token | String (JWT) | The requested access token. The app can use this token to authenticate to the secured resource, such as a web API.
token_type | String | Indicates the token type, such as 'Bearer'.
expires_in | Numeric | How long the access token is valid (in seconds).
scope | String | The scopes for which the access token is valid.
refresh_token | String | An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens after the current access token expires. Refresh tokens are long-lived and can be used to retain access to resources for extended periods of time. offline_access must be requested to obtain this token. Please note: Single Page Applications (SPAs) should not request offline_access, as these apps will be issued a refresh token with a 24-hour validity period by default.
id_token | String (JWT) | The app can decode this token to discover information about the signed-in user. The app may cache this token and use its contents for display purposes.
client_info | String (base64-encoded JSON) | Automatically provided by the B2C IdP. Metadata about the user and their tenant.
The following ID token claims are required when using MSAL:
Claim | Expected Format | Description
---|---|---
One or more of: sub, oid | String | A locally unique identifier within the issuer for the end-user.
One or more of: preferred_username, email, emails (applies to MSAL-JS only), upn | String | If no value is returned, MSAL client libraries will use a default value: MISSING_FROM_THE_TOKEN_RESPONSE
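As an added example (not code from the MSAL or B2C documentation), the Node.js snippet below shape-checks a constructed /token response against the artifact table and the required ID token claims above, including the MISSING_FROM_THE_TOKEN_RESPONSE fallback. The sample tokens, kid, scope URL and client_info field names are constructed for the example; the check only covers presence and format, so a real client must still validate the id_token signature, issuer, audience and expiry.

```javascript
// Shape-check a B2C /token response against the artifacts and ID token claims
// MSAL requires. Presence/format checks only: signature, issuer, audience and
// expiry validation of the id_token are out of scope here and still mandatory.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
// Constructed, unsigned sample JWT (placeholder third segment) for this example.
const fakeJwt = (payload) =>
  [b64url({ alg: 'RS256', kid: 'example-kid' }), b64url(payload), 'sig-placeholder'].join('.');

// Constructed sample response; field names follow the artifact table above.
const SAMPLE_RESPONSE = {
  access_token: fakeJwt({ aud: 'api://contoso-api', scp: 'read' }),
  token_type: 'Bearer',
  expires_in: 3600,
  scope: 'openid offline_access https://contoso.onmicrosoft.com/api/read',
  refresh_token: 'constructed-opaque-refresh-token',
  id_token: fakeJwt({ sub: 'user-guid-1', oid: 'user-guid-1', name: 'Test User',
                      emails: ['user@example.com'] }),
  client_info: Buffer.from(JSON.stringify({ uid: 'user-guid-1', utid: 'tenant-guid' }))
    .toString('base64'),
};

const REQUIRED_ARTIFACTS = ['access_token', 'token_type', 'expires_in', 'scope', 'id_token', 'client_info'];
const USERNAME_CLAIMS = ['preferred_username', 'email', 'emails', 'upn'];

function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

function checkTokenResponse(resp) {
  const problems = [];
  for (const k of REQUIRED_ARTIFACTS) if (!(k in resp)) problems.push(`missing ${k}`);
  if (typeof resp.expires_in !== 'number') problems.push('expires_in must be numeric seconds');
  if (typeof resp.scope !== 'string') problems.push('scope must be a space-separated string');
  if (resp.token_type !== 'Bearer') problems.push(`unexpected token_type ${resp.token_type}`);
  if ('client_info' in resp) {
    try { JSON.parse(Buffer.from(resp.client_info, 'base64').toString('utf8')); }
    catch { problems.push('client_info is not base64-encoded JSON'); }
  }
  let claims = {};
  if ('id_token' in resp) {
    try { claims = decodeJwtPayload(resp.id_token); } catch (e) { problems.push(`id_token: ${e.message}`); }
  }
  if (!('sub' in claims || 'oid' in claims)) problems.push('id_token lacks sub and oid');
  // MSAL substitutes a sentinel when none of the username claims is present.
  const usernameClaim = USERNAME_CLAIMS.find((c) => c in claims) ?? null;
  const raw = usernameClaim ? claims[usernameClaim] : 'MISSING_FROM_THE_TOKEN_RESPONSE';
  const username = Array.isArray(raw) ? raw[0] : raw; // emails is an array; take the first entry
  return { ok: problems.length === 0, problems, usernameClaim, username };
}
```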
OpenID Connect (OIDC) defines a set of standard claims. To ensure broad compatibility between OAuth 2.0 and OIDC libraries and your application's configured IEF policies, it is recommended that developers include the standard claim set where possible.
Claim | Expected Format | Description
---|---|---
sub | String | Subject - Identifier for the End-User at the Issuer.
name | String | End-User's full name in displayable form.
given_name | String | Given (first) name(s) of the End-User.
family_name | String | Surname(s) (last name) of the End-User.
middle_name | String | Middle name(s) of the End-User.
nickname | String | Casual name of the End-User.
preferred_username | String | Shorthand name by which the End-User wishes to be known at the RP.
profile | String | URL of the End-User's profile page.
picture | String | URL of the End-User's profile image; MUST refer to an image file such as PNG, JPG, or GIF.
website | String | URL of the End-User's web page.
email | String | End-User's preferred email address.
email_verified | Boolean | True if verified. The process for verification is unspecified.
gender | String | End-User's gender. Values defined by the specification are female and male; other values may be used when neither defined value is applicable.
birthdate | String | ISO 8601:2004 representation of the End-User's birthdate. The year may be 0000 to indicate omission.
zoneinfo | String | String representing the End-User's timezone.
locale | String | End-User's locale, represented as a BCP47 language tag.
phone_number | String | End-User's preferred telephone number. Suggested format is E.164.
phone_number_verified | Boolean | True if verified. The process for verification is unspecified.
address | JSON Object | End-User's preferred postal address. Format is RFC 4627 conformant.
updated_at | Numeric | Time the End-User's information was last updated.