azure-ad-b2c / samples Goto Github PK

Windows should either be a documented requirement for the relevant samples (e.g. invite), or appropriate shell commands for Unix-like OSs should be provided as well.

e.g. for the invite sample, the code casts the certificates in a way that assumes Windows environments: https://stackoverflow.com/a/56979823

The provided commands for generating a certificate are also Windows-based, and the code assumes a Windows credential store.

I've noticed that the schema for B2C supports some things that aren't used in any of the samples. It looks like none of the examples use user journey's that contain sub-journeys or input validations instead of predicate validations. There are places where the docs and scenario examples seem to favor one thing over another and it would be good to document that so that people don't take dependencies on something that you plan to deprecate.

Hello,

I saw that there is one sample that ask for the current password and the new password, so they can check if the new and old (current) are the same. However, how can I block the user to enter his X old passwords, especially without asking for the "Current password"?

Thank you

Hello,

I'm using this example to write my own policy and everything is working fine.
In my custom policy I have French and English and was able to translate every message that is displayed to the user but this message "The verification has failed, please try again.", which is shown if the user enters an incorrect Verification Code (Id="emailVerificationControl_error_message")

I was able to translate the other messages, but I couldn't find out how to translate this specific message. I followed this documentation (Localization string IDs)[https://docs.microsoft.com/en-ca/azure/active-directory-b2c/localization-string-ids] but still wasn't able to figure out how do to that.

Can you help me?

Thank you

I just posted a question regarding this exception I'm getting in the code:

https://stackoverflow.com/q/56979368/114029

Can you shed some light?

I for the life of me cannot figure out where I have gone wrong here. I believe I have set everything up per the guidelines so far as appsettings.json and Custom Policies are concerned, however I still I get the following error when attempting token validation:

AADB2C90233 The provided id_token_hint parameter failed signature validation. Please provide another token and try again.

Any advice would be appreciated.

I want to issue invitations from an Azure function using the sendgrid binding and using B2C to generate the metadata endpoints.

How do I sign the id_token_hint within the function like the Azure app example?

I have tried the sample https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-email-verifcation for reset password without success.

The SelfAsserted.html available fails to load the javascript, but that's a secondary problem that needs a separate issue.

The main issue is that the flow is not complete for PasswordReset. Below I have put the steps that I am trying to achieve with this solution, and where the problem sits:

First step
User provides email and click to send verification code, it reaches the API and sends the custom email successfully.

Second step
User grabs the code and put it on the B2C page. That gets validated successfully.
As soon as I hit the button to continue I get this error on screen: Claim not verified: [Email Address]

Third step
Provide new password and confirm new password.
This could not be validated.

Fourth step
Success message, and redirect to Login.
This could not be validated.

From what I can see within the schema, only the SignUp has Call to REST API verification, but not the PasswordReset.

Please can I get some guidance on that?

This sample https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-sign-up-versioned-tou is missing a notice in its doc telling that it's necessary to configure b2c-extensions-app data in TrusFrameworkBase.xml as discussed here.

Hi, following the instructions at [https://github.com/azure-ad-b2c/samples/tree/master/policies/username-signup-or-signin], I get an error when uploading the Username_TrustFrameworkExtensions.xml

Validation failed: 1 validation error(s) found in policy "B2C_1A_USERNAME_TRUSTFRAMEWORKEXTENSIONS" of tenant "tenantname.onmicrosoft.com".Policy "B2C_1A_Username_TrustFrameworkExtensions" of tenant "tenantname.onmicrosoft.com" makes a reference to ClaimType with id "userId" but neither the policy nor any of its base policies contain such an element.

I have the following user journey

<UserJourney Id="ProfileEdit">
  <OrchestrationSteps>

    <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange" />
        <ClaimsProviderSelection TargetClaimsExchangeId="GoogleExchange" />
        <ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninEmailExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" />
        <ClaimsExchange Id="GoogleExchange" TechnicalProfileReferenceId="Google-OAUTH" />
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>authenticationSource</Value>
          <Value>localAccountAuthentication</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserRead" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>authenticationSource</Value>
          <Value>socialIdpAuthentication</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <OrchestrationStep Order="5" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="B2CUserProfileUpdateExchange" TechnicalProfileReferenceId="SelfAsserted-ProfileUpdate" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>

It works, but it first asks the user to authenticate then the user can edit their profile.

What I'm trying to do now is to remove the authentication step so the user goes directly to the edit profile form. I'm playing removing the firsts OrchestrationStep but it is not working. I've also checked all the examples in this repository but none is about editing the profile. So, I have a question:

Is it possible to remove the authentication step when editing the profile? If yes, can someone provide an example?

I've setup using the sample, however, when following the invitation link I get the error message "AADB2C90233: The provided id_token_hint parameter failed signature validation. Please provide another token and try again."

I'm using the solution issuer code and running the project locally.

The invitation policy user journey limits to 4 orchestration steps. When there is a 5th step the step before jwt issuer get skipped.

https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple

I have gone through this sample a dozen times and I cannot get sign in to apple to work....... I'm now wondering if it is no longer current ? Nothing appears to have changed for 12 months

I'm trying to implement the email invitation sample here:
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite

I am able to get to the custom sign-up page successfully and it validates the token through my endpoint. But once I have signed up and it redirects back to my application I get a "Correlation Failed" error message.

I don't actually need to send the user an email as we have a process for that already. So I have also tried doing a normal challenge and manually setting the id_token_hint in the OnRedirectToIdentityProvider event.

Again I am able to get the custom sign up page and sign up. However I then get this error when it redirects back to my application:

IDX10501: Signature validation failed. Unable to match keys: kid: '[PII is hidden]', token: '[PII is hidden]'

I would prefer to use the latter solution but any help getting either to work would be appreciated

The example is not complete.
The folder wwwroot is missing, the example is not working.
Please upload it.

Instead of passing the API key in the URL, like this:
$"https://api.authy.com/protected/json/users/new?api_key={AppSettings.Key}";

You should pass it in the header. See here:
https://github.com/AuthySE/Authy-API-Samples/blob/master/sendSMS.bat#L11
-H "X-Authy-API-Key: %AUTHY_API_KEY%"

These examples need updated. You dont even support the framework versions many of them are written for such as the invite flow being setup for dotnet core 2.2.

The related notes are also all out of date which make trying to follow these examples very difficult.

Following the instructions https://github.com/azure-ad-b2c/samples/tree/master/policies/password-reset-only I get an error uploading TrustFrameworkExtensions.xml
Validation failed: 1 validation error(s) found in policy "B2C_1A_TRUSTFRAMEWORKEXTENSIONS" of tenant "tenantname.onmicrosoft.com".User journey 'PasswordReset' does not contain a send claims step.

You need to use the SocialAndLocalAccountsWithMfa starter pack not the SocialAndLocalAccounts as per the Readme.

There is a missing:

ClaimsProviders
ClaimsProvider

in the xml.

When you run the sample, when it asks "Enter user name", you need to enter the phone number.

see: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/35686603-unhandled-bad-request-when-login-page-is-left-open

This happens with the Standard "Sign in v2" flow. The issue on the feedback site has been open since October 10, 2018.

Hi,

I've tried implementing the custom email verification and it's all working up to the point where it tries to create the account. It tries to create the user object twice (see image below).

This obviously stops the user journey dead in its tracks. I should add I'm only using local accounts, no social integration.

Can anyone shed any light on why this is happening.

Cheers
Stokesy

I found a issue with home-realm-discovery-modern sample, SignIn_smart_HRD.xml file
After I edited it with my tenant and claims provider information and tried to upload it to IEF i Got the error "ParseDomainHint is expected to be a technical profile but it does not exist"

Hi,
The example is not working. Please fix it.

• missing TechnicalProfile Id="Facebook-OAUTH" on the TrustFrameworkBase.xml.
• error on the line OutputClaim ClaimTypeReferenceId="newUser" DefaultValue="true" on the TechnicalProfile Id="AAD-MergeAccount" on the the TrustFrameworkExtensions.xml

There is also not enough documentation of the steps and changes to be made in the files for the example to work. please document it further.

Thanks

Hello,
I followed this tutorial with Microsoft B2C documentation. In my policies I didn't use claims firstName (givenName) and lastName (surName). I only used displayName. After uploading this policy to my b2c tenant and running policy I've got empty html page.

I tried to troubleshoot sign up policy with application insights but no errors showed. Weird is that after adding at least one of these claims policy "renders" correctly.

I’m trying to implement Term of Service custom policy with with HRD Custom Policy using this template: (Custom Policy Attached)
https://github.com/azure-ad-b2c/samples/tree/master/policies/terms-of-service

It work fine for local B2c users, but when I try with to log with 3rd part users like Azure AD or ADFS I got the following error:
Acceptance ToS is shown to user, but when user accept and click continue he got an error message like he hadn’t accepted the ToS.

This “Customizable Error Message” is the error message when the users try to continue without marking the checkbox.
This behavior only happen for 3rd party users and not local users.
Below it's my user Journey code - I'm using custom policy with both Home Realm Discovery and Term of Services:

>  <UserJourneys>
>   <!-- User Jorney SignIn With HRD -->
>     <UserJourney Id="SignIn">
>       <OrchestrationSteps>
>         <OrchestrationStep Order="1" Type="ClaimsExchange">
>           <ClaimsExchanges>
>             <ClaimsExchange Id="SigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-Signin-Email" />
>           </ClaimsExchanges>
>         </OrchestrationStep>
>         <OrchestrationStep Order="2" Type="ClaimsExchange">
>           <ClaimsExchanges>
>             <ClaimsExchange Id="ParseDomainHintLogic" TechnicalProfileReferenceId="HRDLogic" />
>           </ClaimsExchanges>
>         </OrchestrationStep>
>         <!-- If the domain_hint did not match any known domain, then redirect to a default local account sign in-->
>         <OrchestrationStep Order="3" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
>           <Preconditions>
>             <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
>               <Value>isKnownCustomer</Value>
>               <Value>True</Value>
>               <Action>SkipThisOrchestrationStep</Action>
>             </Precondition>
>           </Preconditions>
>           <ClaimsProviderSelections>
>             <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
>             <!-- add password reset button to the user journey -->
>             <ClaimsProviderSelection TargetClaimsExchangeId="PasswordResetUsingEmailAddressExchange" />
>           </ClaimsProviderSelections>
>           <ClaimsExchanges>
>             <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
>           </ClaimsExchanges>
>         </OrchestrationStep>
>         <!-- dont run this step if the domain was known, or we have an objectid (local account sign in)-->
>         <OrchestrationStep Order="4" Type="ClaimsExchange">
>           <Preconditions>
>             <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
>               <Value>objectId</Value>
>               <Action>SkipThisOrchestrationStep</Action>
>             </Precondition>
>             <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
>               <Value>isKnownCustomer</Value>
>               <Value>True</Value>
>               <Action>SkipThisOrchestrationStep</Action>
>             </Precondition>
>           </Preconditions>
>           <ClaimsExchanges>
>             <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
>             <!-- call password reset technical profile to reset password -->
>             <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
>           </ClaimsExchanges>
>         </OrchestrationStep>
>         <!--Sample: Run this step only when user resets the password-->
>         <OrchestrationStep Order="5" Type="ClaimsExchange">
>           <!-- <Preconditions>
>             <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
>               <Value>isPasswordResetFlow</Value>
>               <Value>True</Value>
>               <Action>SkipThisOrchestrationStep</Action>
>             </Precondition>
>           </Preconditions> -->
>           <Preconditions>
>             <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
>               <Value>isPasswordResetFlow</Value>
>               <Action>SkipThisOrchestrationStep</Action>
>             </Precondition>
>           </Preconditions>          
>           <ClaimsExchanges>
>             <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
>           </ClaimsExchanges>
>         </OrchestrationStep>
>         <!-- If the domain matched any known domain, then this step will have a single IdP
>                     enabled due to each known IdP TP having an enablement flag via identityProviders claim -->
>         <OrchestrationStep Order="6" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
>           <Preconditions>
>             <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
>               <Value>isKnownCustomer</Value>
>               <Value>True</Value>
>               <Action>SkipThisOrchestrationStep</Action>
>             </Precondition>
>           </Preconditions>
>           <ClaimsProviderSelections>
>             <ClaimsProviderSelection TargetClaimsExchangeId="ADFS" />
>             <ClaimsProviderSelection TargetClaimsExchangeId="FOCAAAD" />
>           </ClaimsProviderSelections>
>         </OrchestrationStep>
>         <OrchestrationStep Order="7" Type="ClaimsExchange">
>           <Preconditions>
>             <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
>               <Value>objectId</Value>
>               <Action>SkipThisOrchestrationStep</Action>
>             </Precondition>
>             <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
>               <Value>isKnownCustomer</Value>
>               <Value>True</Value>
>               <Action>SkipThisOrchestrationStep</Action>
>             </Precondition>
>           </Preconditions>
>           <ClaimsExchanges>
>             <ClaimsExchange Id="ADFS" TechnicalProfileReferenceId="ADFS-SAML" />
>             <ClaimsExchange Id="FOCAAAD" TechnicalProfileReferenceId="AAD-OIDC" />
>           </ClaimsExchanges>
>         </OrchestrationStep>
>         <!-- For social IDP authentication, attempt to find the user account in the directory. -->
>         <OrchestrationStep Order="8" Type="ClaimsExchange">
>           <Preconditions>
>             <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
>               <Value>isKnownCustomer</Value>
>               <Value>True</Value>
>               <Action>SkipThisOrchestrationStep</Action>
>             </Precondition>
>           </Preconditions>
>           <ClaimsExchanges>
>             <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
>           </ClaimsExchanges>
>         </OrchestrationStep>
>         <!-- Still dont have objectId (social idp user that doesnt yet exist) - write the account -->
>         <OrchestrationStep Order="9" Type="ClaimsExchange">
>           <Preconditions>
>             <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
>               <Value>objectId</Value>
>               <Action>SkipThisOrchestrationStep</Action>
>             </Precondition>
>           </Preconditions>
>           <ClaimsExchanges>
>             <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
>           </ClaimsExchanges>
>         </OrchestrationStep>
>         <OrchestrationStep Order="10" Type="ClaimsExchange">
> <!--           <Preconditions>
>             <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
>               <Value>isKnownCustomer</Value>
>               <Value>True</Value>
>               <Action>SkipThisOrchestrationStep</Action>
>             </Precondition>
>           </Preconditions>
>  -->      
>           <ClaimsExchanges>
>             <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
>           </ClaimsExchanges>
>         </OrchestrationStep>
>         <!-- Add orchestrion step for TOU HERE before 11 -->
>         <!-- Start of Term of Service Acceptance Stesps -->
>         <!--Sample: Will redirect user to a TOS acceptance page if earlier claim transformation has determined required -->
>         <OrchestrationStep Order="11" Type="ClaimsExchange">
>           <Preconditions>
>             <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
>               <Value>renewalTOSrequired</Value>
>               <Value>False</Value>
>               <Action>SkipThisOrchestrationStep</Action>
>             </Precondition>
>           </Preconditions>
>           <ClaimsExchanges>
>             <ClaimsExchange Id="RefreshTOS" TechnicalProfileReferenceId="SelfAsserted-RefreshTOS" />
>           </ClaimsExchanges>
>         </OrchestrationStep>
>         <!--Sample: This steps reads the directory again to refresh the variable of the TOS stored on the user object. If you do not plan
>         on sending the TOS version in a claim to the application, you can remove this step.-->
>         <OrchestrationStep Order="12" Type="ClaimsExchange">
>           <ClaimsExchanges>
>             <ClaimsExchange Id="AAD-ReadTOS" TechnicalProfileReferenceId="AAD-ReadTOS" />
>           </ClaimsExchanges>
>         </OrchestrationStep>
>         <!-- End of Term of Service Acceptance Stesps -->
>         <OrchestrationStep Order="13" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
>       </OrchestrationSteps>
>       <ClientDefinition ReferenceId="DefaultWeb" />
>     </UserJourney>
>   </UserJourneys>
>   <RelyingParty>
>     <DefaultUserJourney ReferenceId="SignIn" />
>     <!-- Enable Java Script Execution -->
>     <UserJourneyBehaviors>
>       <ScriptExecution>Allow</ScriptExecution>
>     </UserJourneyBehaviors>
>     <TechnicalProfile Id="PolicyProfile">
>       <DisplayName>PolicyProfile</DisplayName>
>       <Protocol Name="OpenIdConnect" />
>       <OutputClaims>
>         <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="firstname" />
>         <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname" />
>         <OutputClaim ClaimTypeReferenceId="identityProvider" />
>         <OutputClaim ClaimTypeReferenceId="email" />
>         <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
>         <OutputClaim ClaimTypeReferenceId="identityProviders" />
>         <!--Sample: Additional claims are not required and were used for testing purposes only -->        
>         <!--Sample action Required: Remove after testing--><OutputClaim ClaimTypeReferenceId="extension_AgreedToTermsOfService" />
>         <!--Sample action Required: Remove after testing--><OutputClaim ClaimTypeReferenceId="policyTOSversion" />
>         <!--Sample action Required: Remove after testing--><OutputClaim ClaimTypeReferenceId="renewalTOSrequired" />
>       </OutputClaims>
>       <SubjectNamingInfo ClaimType="sub" />
>     </TechnicalProfile>
>   </RelyingParty>

Hello!

I have my custom policy to sign up an user using local account and it works fine. I also have the link for the "Forgot password" and the Reset policy. If I test only the reset policy, it works. However, the forgot password link doesn't redirect the user to that policy.
How do I configure that? I read the documentation but it's not clear to me.

Thank you

I'm following the instructions at https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple to add "Sign in with Apple" as a B2C identity provider.

I got to the very last step, and when I click Save I get the error "The issuer 'https://appleid.apple.com' found at the metadata endpoint {my endpoint} is already in use by an identity provider.

Are those instructions still valid?

I just asked this question @ StackOverflow: https://stackoverflow.com/q/58032292/114029

Hi!
Every time we arrive at Sigin page, the "Register now" generates a new URL with a token (that expires). I want to move the "Register Now" outside of Sign In page, we want to put the option to Sign Up on App front end, where the user can click for sign in or for sign up. Is it possible?

There are a couple of references to https://fido2node.azurewebsites.net/, which actually produces a 403 error

I've modified and uploaded the xml to the B2C tenant, enabled a user account to be able to impersonate, but the JWT token I get back can not be used on the API. I get 401.
Below are two tokens, one which works and other which does not (from impersonation flow).

Works:
{ "iss": "https://tenant.b2clogin.com/guid/v2.0/", "exp": 1580416129, "nbf": 1580412529, "aud": "guid1", "oid": "guid2", "sub": "guid2", "name": "John Doe", "given_name": "John", "family_name": "Does", "extension_UserRole": "Customer", "extension_UserType": "Customer", "impersonatedUser": "[email protected]", "tfp": "B2C_1A_Impersonation", "nonce": "defaultNonce", "scp": "read", "azp": "guid3", "ver": "1.0", "iat": 1580412529 }

Does not work (code 401):
{ "iss": "https://tenant.b2clogin.com/guid/v2.0/", "exp": 1580421015, "nbf": 1580417415, "aud": "guid1", "oid": "guid2", "sub": "guid2", "name": "John Doe", "given_name": "John", "family_name": "Does", "extension_UserRole": "Customer", "extension_UserType": "Customer", "impersonatedUser": "[email protected]", "nonce": "defaultNonce", "scp": "read user_impersonation", "azp": "guid3", "ver": "1.0", "iat": 1580417415 }

Any hint would be appreciated.

Hi

The flow for this example"home-realm-discovery-modern" :

1. One screen to enter the email:
   
2. IF the email domain is not on the list of known external providers, then is a LocalAccount, we will prompt another screen:
   
3. IF the email domain is ON the list of known external providers, then call the other provider:
   

One Question:
Is it possible to have only one screen for entering the information for the login (username, and password), and from that screen continues the flow either for the login for a local account (login-NonInteractive) or call the other Provider (like AAD or Microsoft)?
Only one screen like this one:

I tried to implement it, these are the steps that I followed:

1. This step to get the email and the password from the user ( i am saving the password on plain text on other claim to be able to use it as OutputClaim)
   OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.localaccountsignin">
   ClaimsProviderSelections>
   ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange2" />
   ClaimsProviderSelections>
   ClaimsExchanges>
   ClaimsExchange Id="LocalAccountSigninEmailExchange2" TechnicalProfileReferenceId="SelfAsserted-Signin-Email"
   
   
2. to be able to pass the claimprividerSelection:
   OrchestrationStep Order="3" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
   Preconditions>
   Precondition Type="ClaimEquals" ExecuteActionsIf="false">
   Value>isKnownCustomer
   Value>False
   Action>SkipThisOrchestrationStep
   Precondition>
   Preconditions>
   ClaimsProviderSelections>
   ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninEmailExchange" />
   ClaimsProviderSelections>
   OrchestrationStep>
3. Call login-NonInteractive directly from the OrchestrationStep, passing the password and the email.
   OrchestrationStep Order="4" Type="ClaimsExchange">
   Preconditions>
   Precondition Type="ClaimEquals" ExecuteActionsIf="false">
   Value>isKnownCustomer
   Value>False
   Action>SkipThisOrchestrationStep
   Precondition>
   Preconditions>
   ClaimsExchanges>
   ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="login-NonInteractive" />
   ClaimsExchanges>
   OrchestrationStep>
   4)The other steps are exactly the same as the example for the External Provider.

The call for the External provider is working perfectly on my example BUT, if I try to login with a local account, I have an error on step number 3 (login-NonInteractive) :

After successfully registering the user via the invite link the following error occurs when redirecting to SPA.

AuthError: Unexpected error in authentication.: Hash does not contain state.

This occurs in Google Chrome and Firefox

Further info here

Hi there, I noticed a difference in the setting below between the the AD implementation and the one in the Bearer token sample:

Would you help me understand where I could learn where one would be chosen over the other?

I would like to create the following flow.

0. Regsiter B2C user with authentication phone number.(Before start this flow)
1. Input signInName(User operation)
2. Send verification code for using the authentication phone number(AAD process)
3. The user input verification code(User operation)
4. The user input new and same password for reset password(User operation)
5. A application will get token

Do you have a sample that shows you how to create this flow?
Or can you tell me which samples I should choose to create this flow?

I think that this flow has some key points:

• How AAD search the authentication phone number use signInName?
• How move from step of 3. to step 4. ?

It would be very helpful if you could provide us with these samples.

Hi,

I want to uniquely identify the user's machine other than IP addresses and want to store it into the claims as well. Is there any method to get MAC address of the user's machine using the custom policies flow or is there any other way to uniquely identify the user's machine. The reason behind why I don't want to go with the IP address is that this approach cannot uniquely identify the user's machine if all the machines are on the same network let's say on an organisational network. In that case it will give me the public IP address which I don't want because public IP address will be same for all the machines inside that network.

I'm struggling to find out how to Implement progressive profiling as demonstrated in this video: https://youtu.be/GmBKlXED9Ug?t=433

I want to collect additional input from the user on subsequent logins. I'm looking for where to start, documentation or examples. I've struggled so far to find anything

Hi!
Following the same logic, I'd appreciate to know what the best approach for embedding a redirect from the password policy back to the sign-in policy is upon clicking the reset button.

Clearly, the intent is to no longer have to validate that obscure error code returned to the application, but rather keep the user's experience without leaving the page and redirecting him or her through a number of different URLs.

Worth pointing out is that the user might cancel inputing his/her e-mail address, cancel inputing the validation code received in via the password reset e-mail or cancel actually inputing a new password.
Taking the user back to the app means that any chance he/her did on the B2C ui in terms of the displayed language, is lost. Specifically, if during the B2C UI experience I'm changing the default display language to Spanish, once I go to the reset password experience (thanks to this sample), the language is maintained. But if I click cancel, I'll see the default language again, which is extremely inconvenient.

In the custom email verification sample, it uses a POST to a rest API from the client-side javascript to send an email.

This seems ripe for abuse if left unsecured. How do you recommend this be secured, otherwise, should it be a server-side call?

/cc @yoelhor

Nothing fancy. Simply changed needed fields and applied templates to blank B2C directory with no users. Account creation comes back with the error message:
"A user with the specified ID already exists. Please choose a different one."
When I go check the directory I see that even though the error was thrown, it was indeed created there. I try to then log in with the user name and password I put in registration screens and receive:
"Invalid username or password."
I am not sure what is happening as I have done zero customizations. I thought the example on Github would work out of the box :-(

If GivenName/Surname are selected in User attributes, then the user is asked to enter these explicitly, when instead they should be extracted from social providers.

If GivenName/Surname are not selected in User attributes, then they do not appear to the application in the list of claims, even when selected under “Application claims”.

As a result, to avoid the user having an extra step of re-entering first name and surname, this information must be extracted from the Name claim and parsed into GivenName and Surname. This workaround is not perfect as parsing a Name into GivenName and Surname is not guaranteed to work.

Is this a known issue in AD B2C?

In the "Impersonation Flow for Azure AD B2C - https://github.com/azure-ad-b2c/samples/tree/master/policies/impersonation " procedure, instead of having the users populate the "extension_GUID_can_impersonate" attribute using the Azure Graph API Explorer ( https://graphexplorer.azurewebsites.net/ ), you can have them utilize the Microsoft Graph API Explorer ( https://developer.microsoft.com/en-us/graph/graph-explorer) . Listed below is what they can do.

• I am assuming you created the "extension_GUID_can_impersonate" attribute using either the Azure B2C Portal Blade ( Define custom attributes in Azure Active Directory B2C - https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-custom-attr ) or the Azure Graph API per the GitHub ( Extend Azure Active Directory Schema using Graph API - https://blogs.msdn.microsoft.com/aadgraphteam/2014/03/05/extend-azure-active-directory-schema-using-graph-api-preview/ )

• Go to the Microsoft Graph Explorer ( https://developer.microsoft.com/en-us/graph/graph-explorer ) and log into the App using an account that can consent and modify the user's accounts ( example: Global Admin )

• Verify that the "extension_GUID_can_impersonate" attribute does exist using the following request.

  GET https://graph.microsoft.com/beta/applications/{Application_Object_ID}/extensionProperties

• Display the user you wish to modify to verify that the extension attribute is not populated for them

  GET https://graph.microsoft.com/beta/users/{GUID_or_UPN}

• Modify the user object to populate the extension attribute

  PATCH https://graph.microsoft.com/beta/users/{GUID_or_UPN}
  {
  "extension_GUID_can_impersonate": '1'
  }

  NOTE: If successful, you should see an HTTP 204 return

• Verify that the extension attribute now exist for the user and is populated:

  GET https://graph.microsoft.com/beta/users/{GUID_or_UPN}

After doing this, the Impersonation Flow for Azure AD B2C policy should work as desired

Azure B2C is gives a false impression that the user is in the directory when they try to reset their password.

Following is steps in reset password:

1. User clicks the Reset Password link
2. B2C presents a page with “Email Address” field and says “Verification is necessary. Please click Send button.”
3. User enters his email address and clicks “Send Verification Code”
4. B2C sends the verification code this that email address (Even if no user is associated with that email address. This is where the user thinks he is registered with the system)
5. Now the user enters the verification code he received and click “Verify Code”
6. B2C validated the code and says “E-mail address verified. You can now continue” (This is the step where they become confident that they exist in the system)
7. Now when the users click “Continue” they get the error “An account could not be found for the provided user ID.” As given in the screenshot.

Confirming an email that is not associated with a user completely confuses them.

i found this but not getting exactly how to use these policy along with this .

We've been waiting to implement Sign in with Apple through AADB2C until after it is out of beta. The sample related to this still has a disclaimer saying that it is in beta. However, I've been checking up on it periodically and I finally found this post that says it's now GA: Post GA Revisit of Sign in with Apple. Is it now safe to use the sample code in production? If so, you might want to review the sample to ensure it's up-to-date and remove the beta disclaimer.

The sample for "password reset only" works great.
https://github.com/azure-ad-b2c/samples/tree/master/policies/password-reset-only

The TrustFrameworkExtensions file has the below content.

<ClaimsTransformations> <!--Demo: this claims transformation populates the userMessage with the text we want to show to the end user--> <ClaimsTransformation Id="GetPasswordResetUserMessage" TransformationMethod="CreateStringClaim"> <InputParameters> <InputParameter Id="value" DataType="string" Value="Your password has been successfully updated. To continue click on the sign-in link below." /> </InputParameters> <OutputClaims> <OutputClaim ClaimTypeReferenceId="userMessage" TransformationClaimType="createdClaim" /> </OutputClaims> </ClaimsTransformation> </ClaimsTransformations>

How can I add an Anchor tag here to show a link along with some friendly text. I tried to HTML Encode a string with an Anchor tag but it just renders as plain text without parsing the HTML parts.

Hello,

I followed the instructions to use a self signed certificate and created one using powershell. In B2C I then created a policy key container (type RSA, usage Signature). But when I upload the PFX from my self signed certificate, I get this error: "The key 'B2C_1A_CustomTokenSigningKeyContainer' has failed to be created. The uploaded key is badly formatted. Reason: 'The key container has a different use than the new added key'."

Has anybody successfully followed the instructions for this sample? Any clues?

Thanks!

Greetings,

I'm trying to get the sample project, from this repo at the following URL, to work ...

https://github.com/azure-ad-b2c/samples/tree/master/policies/invite

The sample project includes a custom B2C policy, SignUpInvitation.xml, and a web project. It's my basic understanding that the included custom policy essentially requires a signed token in order to access the policy. The sample basically uses this as an "invitation" step to restrict access to the sign up policy. This is what I am after and so I do believe this sample is pointing me in the right direction. I'm just trying to get it to work, now.

My issue is that, after configuring what I believe to be all the required settings, I am getting an error from within the B2C policy - I think. So, I'll first walk through the steps of how I produce the error ...

producing the error

I run the provided web project and put in my email and then click invite. I receive the invitation email, which contains the link to the custom B2C policy - SignUpInvitation.xml. I click the link and am taken to the policy, but am given a page that says that an exception has occurred - "AADB2C: An exception has occurred."

Unable to find any additional debug info, we added our Application Insights configuration to the custom policy so that it logs output to App Insights. Now, within AI, I can see that the policy is producing the following error ...

  {
    ""Kind"": ""Action"",
    ""Content"": ""Web.TPEngine.StateMachineHandlers.GetRelyingPartyInputClaimsHandler""
  },
  {
    ""Kind"": ""FatalException"",
    ""Content"": {
      ""Time"": ""7:05 PM"",
      ""Exception"": {
        ""Kind"": ""Handled"",
        ""HResult"": ""80004003"",
        ""Message"": ""Object reference not set to an instance of an object."",
        ""Data"": {}
      }
    }
  }

So, there is a clear error, but still the message is a bit vague. And this is where I'm stuck. I'm unsure how to further debug this and pinpoint what is causing the reference error.

things I looked into

I have spent several days debugging this, and so through that course of debugging I've looked at basically every little bit of info that I could find regarding this. I'm just not well versed in the B2C policy XML scripts, and that seems to be a very deep and technical topic. It's a topic I am interested in learning, but just need some help on how to debug the scripts, etc.

One thing I did notice is that the Action in the above error mentions that it's getting the input claims. So, it looks to me like perhaps there is an issue in the policy, or my configuration, in getting the claims. So, I went up the "stack trace", in App Insights, for the above message and found the following action and result ...

  {
    ""Kind"": ""Predicate"",
    ""Content"": ""Web.TPEngine.StateMachineHandlers.InitiatingMessageValidationHandler""
  },
  {
    ""Kind"": ""HandlerResult"",
    ""Content"": {
      ""Result"": false,
      ""RecorderRecord"": {
        ""Values"": [
          {
            ""Key"": ""Validation"",
            ""Value"": {
              ""Values"": [
                {
                  ""Key"": ""SubmittedBy"",
                  ""Value"": ""Application""
                },
                {
                  ""Key"": ""ProtocolProviderType"",
                  ""Value"": ""OpenIdConnectProtocolProvider""
                }
              ]
            }
          }
        ]
      },
      ""Statebag"": {
        ""MSG(e4c7c6a9-8023-4cf7-9a34-c920e8325284)"": {
          ""c"": ""2020-03-20T19:05:48.1325292Z"",
          ""k"": ""MSG(e4c7c6a9-8023-4cf7-9a34-c920e8325284)"",
          ""v"": ""{\""TenantId\"":\""wibradixdev.onmicrosoft.com\"",\""PolicyId\"":\""B2C_1A_signup_invitation\"",\""RedirectUri\"":\""https://jwt.ms/\"",\""AdditionalParameters\"":{\""TEST\"":\""TEST\"",\""p\"":\""B2C_1A_signup_invitation\""},\""Nonce\"":\""0eefd73e94224dc69d8766dd219180e6\"",\""ClientId\"":\""30639331-3c2c-4ade-8c36-814dfe007170\"",\""ResponseType\"":\""id_token\"",\""ResponseRedirector\"":{\""URI\"":\""https://jwt.ms\"",\""D\"":false,\""WF\"":true},\""Scope\"":\""openid\"",\""AppModelVersion\"":1,\""ScopedProviders\"":[]}"",
          ""p"": true,
          ""t"": ""OAuth2""
        },
        ""CMESSAGE"": {
          ""c"": ""2020-03-20T19:05:48.1325292Z"",
          ""k"": ""CMESSAGE"",
          ""v"": ""e4c7c6a9-8023-4cf7-9a34-c920e8325284"",
          ""p"": true
        },
        ""IMESSAGE"": {
          ""c"": ""2020-03-20T19:05:48.1325292Z"",
          ""k"": ""IMESSAGE"",
          ""v"": ""e4c7c6a9-8023-4cf7-9a34-c920e8325284"",
          ""p"": true
        },
        ""ComplexItems"": ""_MachineEventQ, TCTX, ORCH_IDX, REPRM, IC""
      },
      ""PredicateResult"": ""True""
    }
  }

This action seems to be doing some type of validation, but I noticed that the result returns false, which usually means some sort of failure? I'm unsure in this case.

how do I proceed ?

Can you please help me out or point me in the right direction on how to figure this out? I deployed the sample web project to Azure, and you can access that here if you'd like to see what I'm seeing. If you have access to App Insights, you might be able to access my logs using the below information. The error in question occurred on 3/24/2020, 3:45:28.039 PM, with ikey and itemid 5d95a95b-6887-4798-a984-98a0a9d32d53 8a3a3e80-6de6-11ea-a0a3-ab73ec95556d.

App Insights Subscription Id: 265b7109-497d-42bc-8a20-fa6399a96a9c
App Insights Instrumentation Key: 5d95a95b-6887-4798-a984-98a0a9d32d53

Also, I attached the error message output here just in case you cannot see them in App Insights.

error_message.txt

Thank you!

I took the default home realm discovery policy and ran with it which is using domain_hint to select IdPs. This works pretty well for a case of serving many customers that have different domains (or lists of IdPs). I am wondering though if it possible to extend that paradigm to prompt for a domain if the domain_hint is not passed? I have tried a couple times with self-asserted claim but don't seem to be able to get it working together. Ideally, the same logic of matching to a knownDomain could be used whether domain_hint passed or prompted.