Azure-Samples / active-directory-b2c-custom-policy-starterpack

Azure AD B2C now allows uploading of a Custom Policy which allows full control and customization of the Identity Experience Framework

Home Page:http://aka.ms/aadb2ccustom


Claim resolver doesn't seem to work in relying party as advertised

cotepatrice opened this issue · comments

I've read the documentation about claim resolvers. It is quite clear that for a relying party technical profile, we should only add an output claim "tenantId" with its default value set to "{Policy:TenantObjectId}" and AlwaysUseDefaultValue="true". That's what's in your starter pack. Here's my custom policy relying party:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignInUsernameOrEmail" />
  <UserJourneyBehaviors>
    <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="{Settings:ApplicationInsightInstrumentationKey}" DeveloperMode="{Settings:DeveloperMode}" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
    <ScriptExecution>Allow</ScriptExecution>
  </UserJourneyBehaviors>
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="extension_ClientID" />
      <OutputClaim ClaimTypeReferenceId="groups" />
      <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
      <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>

But unfortunately, here's what my access token get:
"tid": "{Policy:TenantObjectId}",

So it seems the claim resolver doesn't work in relying parties (it works in a self-asserted technical profile for the same policy). Or did I forget something here? Both the doc and your samples specify there is no need for the Metadata item "IncludeClaimResolvingInClaimsHandling" here.
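As an added diagnostic example (not code from the starter pack or from the issue author), the following Python script does the two checks a practitioner would want when a token comes back with a raw resolver literal: it lints the relying-party section of a custom policy for output claims whose DefaultValue is a {Scope:Name} claim resolver, and it inspects an issued token for claim values that are still unresolved literals rather than real values. The policy snippet and the token are constructed for the example, the helper names are my own, and the token decoder deliberately skips signature verification (it is for inspection only).

```python
import base64
import json
import re
import xml.etree.ElementTree as ET

# A claim resolver literal as it appears in a B2C policy, e.g.
# {Policy:TenantObjectId} or {Settings:DeveloperMode}. If a token still
# carries a value of this shape, the resolver did not run for that claim.
RESOLVER_RE = re.compile(r"^\{[A-Za-z]+:[A-Za-z0-9_.-]+\}$")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample: a cut-down relying party in the same shape as the
# issue's policy. Real policy files carry the TrustFrameworkPolicy XML
# namespace; local_name() below works for either form.
SAMPLE_POLICY = """<TrustFrameworkPolicy>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignInUsernameOrEmail" />
    <TechnicalProfile Id="PolicyProfile">
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
      </OutputClaims>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>"""


def local_name(tag):
    """Strip a '{namespace}' prefix from an ElementTree tag."""
    return tag.split("}", 1)[-1]


def find_resolver_claims(policy_xml):
    """(claim id, default value) for each relying-party output claim whose
    DefaultValue is a claim resolver; these are the claims to verify in the
    issued token."""
    root = ET.fromstring(policy_xml)
    found = []
    for rp in root.iter():
        if local_name(rp.tag) != "RelyingParty":
            continue
        for claim in rp.iter():
            if local_name(claim.tag) != "OutputClaim":
                continue
            default = claim.get("DefaultValue", "")
            if RESOLVER_RE.match(default):
                found.append((claim.get("ClaimTypeReferenceId"), default))
    return found


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT verifying the signature.
    Diagnostic only: validate the signature with a real library before
    trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def unresolved_claims(claims):
    """Claims whose value is still a raw {Scope:Name} resolver literal."""
    return {k: v for k, v in claims.items()
            if isinstance(v, str) and RESOLVER_RE.match(v)}


def is_guid(value):
    return isinstance(value, str) and GUID_RE.match(value) is not None


def tenant_claim_ok(claims, claim_name="tid"):
    """A relying party should accept a tenant claim only when it is a real
    tenant object id, never an unresolved placeholder."""
    return is_guid(claims.get(claim_name))


def make_sample_token(payload):
    """Constructed JWT with a dummy signature segment, for offline testing."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = enc(json.dumps(payload).encode())
    return f"{header}.{body}.{enc(b'dummy-signature')}"


# Shaped like the token reported in the issue: tid carries the literal.
SAMPLE_TOKEN = make_sample_token({
    "sub": "11111111-2222-3333-4444-555555555555",
    "tid": "{Policy:TenantObjectId}",
})

if __name__ == "__main__":
    print("resolver-backed claims:", find_resolver_claims(SAMPLE_POLICY))
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    print("unresolved in token:", unresolved_claims(claims))
    print("tenant claim acceptable:", tenant_claim_ok(claims))
```

Run it against a real policy file and a token captured from jwt.ms to see which resolver-backed claims came through unresolved; the tenant_claim_ok check is the kind of guard a relying party should apply anyway, since a literal "{Policy:TenantObjectId}" must never be accepted as a tenant identifier.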