The access tokens issued by B2C do not seem to have the roles section. I do get them using active directory, but not through b2c. Although, it is possible to see them in the portal even in B2C directory. Is there a way to achieve this in the access token?
This is how I am getting a token:
```csharp
using Microsoft.Identity.Client;

// Public client configured for the B2C sign-up/sign-in user flow.
IPublicClientApplication app = PublicClientApplicationBuilder.Create(Common.ClientId)
    .WithB2CAuthority(Common.AuthoritySignUpSignIn)
    .WithLogging(Log, LogLevel.Verbose, false) // PiiEnabled set to false
    .Build();

// Interactive sign-in requesting the API scopes; the returned AccessToken is the one inspected for claims.
AuthenticationResult authResult = await app.AcquireTokenInteractive(Common.ApiScopes)
    .WithParentActivityOrWindowIfValid(_ParentWindowHandle)
    .WithPrompt(Prompt.SelectAccount)
    //.WithAccount(accounts.LastOrDefault())
    .ExecuteAsync();
```
Hi @ahmadizm, I'm sorry to hear that you are facing this issue. For some reason the issue is not linked to a document or tutorial.
Could you please share the URL of the documentation you were following? That way, we can pass your feedback to the appropriate content author.
We try to reserve these issues for documentation feedback. If you do not have feedback for a tutorial or document, would you please open a question on StackOverflow or the MSDN forums? There, unlike here, we have a developer community and engineering team that can help you.
Thank you @Alberto-Vega-MSFT for following up. I was reading https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-tokens.
In contrast, the active directory tokens explained at https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens do have a roles claim and I can get them using AD authentication. However, the B2C version does not seem to have that, and I was wondering if there is a way to include those.
@ahmadizm An access token requested in the application context (Application Token) includes the Roles claim, and a token requested in the user's context (User Token) includes the SCP claim for the permissions exposed by your application.
The only case in which you see the Roles claim in a User token is when the app role/roles are defined for the application in the App Manifest and the authenticating user is assigned that role.
Since the B2C application's app manifest is not exposed for editing, you will not get the Roles claim in a token issued by a B2C directory.
Hope this answers your query.
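To see the difference described above in practice, here is an added example (not code from the thread or from MSAL) that builds two constructed, unsigned sample tokens mirroring the claim shapes discussed, an application token carrying `roles` and a B2C user token carrying `scp`, and classifies each by the claims present. Tenant and app ids are placeholders; signature and issuer validation are out of scope here and must happen before any claim is trusted in a real API.

```python
"""Classify an Azure AD / B2C JWT by the claims it carries (added example)."""
import base64
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(payload: dict) -> str:
    # Only for constructing offline samples. A real verifier must reject alg "none".
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}."


def decode_payload(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(b64url_decode(parts[1]))


def classify_token(token: str) -> dict:
    """Report issuer type, request context, and the roles/scopes carried."""
    claims = decode_payload(token)
    return {
        "is_b2c_issuer": ".b2clogin.com/" in claims.get("iss", ""),
        # As the thread states: user tokens carry scp, application tokens carry roles.
        "context": "user" if "scp" in claims else "application",
        "roles": claims.get("roles", []),
        "scopes": claims.get("scp", "").split() if "scp" in claims else [],
    }


# Constructed sample claims with placeholder identifiers (not real values).
APP_TOKEN = make_unsigned_jwt({
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "aud": "<api-app-id>",
    "roles": ["Products.Admin"],
})
B2C_USER_TOKEN = make_unsigned_jwt({
    "iss": "https://mytenant.b2clogin.com/<tenant-id>/v2.0/",
    "aud": "<api-app-id>",
    "scp": "api.read",
    "tfp": "b2c_1A_signup_signin",
})

if __name__ == "__main__":
    print(classify_token(APP_TOKEN))
    print(classify_token(B2C_USER_TOKEN))
```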
Thank you for your response.
In B2C you can edit the app manifest:


And you can have roles defined:

You can also assign those roles to users (admittedly, not through B2C portal), and B2C is able to see those apps and roles:

So given that B2C is able to see those apps and roles, I am wondering if I can find a way to see those roles in the token.
@ahmadizm Thanks for sharing the screenshots. I didn't notice that Application (Preview) is already added to the B2C blade.
I did the testing by making a token request at both the OAuth2 v1 and v2 endpoints after adding the app roles in the Manifest, and confirmed that the Roles claim is not returned in the case of B2C. I have shared below the calls, with the required parameters, that I made to request a token.
Having said that, I couldn't think of a scenario in which you would want to pass the roles claim for a consumer account using App roles defined in the app manifest. As B2C is used for consumer identities, where users sign up to create their accounts, it would not be feasible for the Administrator to add their accounts to the app and assign roles to their identities. For this purpose we suggest using custom claims in B2C, where the consumer selects the required role during the signup process and it is returned in the token as well. Please refer to https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-step-custom for more details.
If you are not dealing with consumer identities, I would suggest going with standard Azure AD rather than Azure AD B2C.
Hope I have covered all aspects of your question. Feel free to tag me in your reply if you have any further questions.
OAuth v1 endpoint:

```http
POST https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/token?p=b2c_1A_signup_signin
grant_type:authorization_code
client_id:2c9296bb-xxxx-xxxx-xxxx-30d38790dea1
resource:2c9296bb-xxxx-xxxx-xxxx-30d38790dea1
code:eyJraWQiOiI1M...
redirect_uri:https://b2c.amansi.msftonlinerepro.com
scope:openid
```

OAuth v2 endpoint:

```http
POST https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1A_signup_signin
grant_type:authorization_code
client_id:2c9296bb-xxxx-xxxx-xxxx-30d38790dea1
code:eyJraWQiOiI1...
redirect_uri:https://b2c.amansi.msftonlinerepro.com
client_secret:OWxxxxxxxxxxxxco6UCf
scope:https://amsin.onmicrosoft.com/api/read
```
@amanmcse, this is great information, thank you. I kind of came to the same conclusion that B2C may not be the right place to assign and retrieve application roles. Now that I have your confirmation, I will resort to regular AD for special app roles that employees should have. Thanks again.
I feel there may be a use case where it'd be best to have appRoles even with B2C.
What if I had an SPA+API architecture where both the SPA and API were using RBAC?
If it was a customer, then they can read products.
But an administrator can create, read, update and delete products.
Both these actions can be performed from the same SPA, depending on who is logging in, and the 'roles' claim they have. Admins would need to federate through Azure AD anyway.
This model would eliminate the need to develop multiple apps, one for the management, one for the customer, and one for the delivery guys.
Also, imagine another scenario, where I'm a college, and would like to allow the students to see their marks online, but instead of making them remember another password, the students and teachers can log in through their social accounts, as well as leave the option of using their roll no. or employee id. There are 2 distinct roles here. One to publish the marks, one to read them.
Using custom claims to get roles is the best way to achieve this right now. But I feel getting the appRoles along with the token would be a true in-built solution.
Also, ideally, users should never be able to change their roles. That's something the custom policy will either set by default during the sign-up process, for example the "Customer" role, or, if it's a special user, the admin will be using the Graph API to create the user anyway, for example with the "DeliveryBoy" role. This role won't even have a sign-up policy; alternatively, the role will be set by the management after the application has been approved. Another alternative is that the delivery boy will be required to federate through Azure AD.
Either way, I feel appRoles are very useful even in B2C scenarios and not just within the organisation.
> both the SPA and API were using RBAC?
I have this exact requirement.
_For this purpose we suggest to use custom claims in B2C where the consumer selects required role during the signup process which is returned in the token as well._
Really?? The consumers should be able to select the role "admin"???
We have a scenario where we have internal application administrators and external consumers using the application. Additionally, we have on the consumer side "special" site admins that need to be created by us. They have the privilege to add additional users for their site.