I have B2C tenant xxx.onmicrosoft.com and account admin@xxx.onmicrosoft.com.
I have API Connector (Azure Function called B2CRoleAssignment) that gets triggered before including application claims in token (Preview).
When I first attempt to sign into my SPA application with admin@xxx.onmicrosoft.com, this is the payload my API Connector (Azure Function) receives:
{
  "step":"PreTokenIssuance",
  "client_id":"XXXXYYYY-XXXX-YYYY-ZZZZ-d6b8da8e942a",
  "ui_locales":"en-US",
  "email":"admin@xxx.onmicrosoft.com",
  "objectId":"AAAABBBB-CCCC-DDDD-EEEE-ad37b0ec108e",
  "displayName":"admin"
}
When I close my SPA application and open it again, this is the payload API Connector (Azure Function) receives:
{
  "step":"PreTokenIssuance",
  "client_id":"XXXXYYYY-XXXX-YYYY-ZZZZ-d6b8da8e942a",
  "ui_locales":"en-US",
  "objectId":"AAAABBBB-CCCC-DDDD-EEEE-ad37b0ec108e",
  "displayName":"admin"
}
How come the email claim is missing? On my Sign up and sign in User Flow I have selected Email Addresses application claim, but that doesn't seem to be working or doing anything at all.
The interesting thing is, this appears to only be a problem with accounts ending with @xxx.onmicrosoft.com.
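The two payloads above differ only in the presence of the email claim, and objectId is present in both. The following is an added example (not the asker's function and not Microsoft's sample code) of how the API connector handler can be written so that it keys role decisions on the stable objectId and treats email as optional, while also checking the basic-auth credentials B2C is configured to send. The credentials, the role table and the output claim name extension_app_role are constructed for the example; the response shape (version 1.0.0 with a Continue or ShowBlockPage action) follows the API connector contract.

```python
import base64
import hmac
import json
import logging

# Constructed values for this example (not real credentials): the basic-auth
# credentials the connector is configured with, and a role table keyed by
# objectId, which both payloads in the question carry.
EXPECTED_USER = "b2c-connector"
EXPECTED_PASSWORD = "example-secret-not-real"
ROLE_BY_OBJECT_ID = {
    "AAAABBBB-CCCC-DDDD-EEEE-ad37b0ec108e": "admin",
}
# Hypothetical output claim name; a tenant's real extension attribute goes here.
ROLE_CLAIM = "extension_app_role"

# The two payloads from the question, serialised as the function receives them.
FIRST_SIGN_IN_BODY = json.dumps({
    "step": "PreTokenIssuance",
    "client_id": "XXXXYYYY-XXXX-YYYY-ZZZZ-d6b8da8e942a",
    "ui_locales": "en-US",
    "email": "admin@xxx.onmicrosoft.com",
    "objectId": "AAAABBBB-CCCC-DDDD-EEEE-ad37b0ec108e",
    "displayName": "admin",
})
REPEAT_SIGN_IN_BODY = json.dumps({
    "step": "PreTokenIssuance",
    "client_id": "XXXXYYYY-XXXX-YYYY-ZZZZ-d6b8da8e942a",
    "ui_locales": "en-US",
    "objectId": "AAAABBBB-CCCC-DDDD-EEEE-ad37b0ec108e",
    "displayName": "admin",
})


def make_basic_auth_header(user, password):
    """Build the Authorization header B2C sends when the connector uses basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def _caller_is_b2c(headers):
    """Verify the basic-auth credentials using constant-time comparison."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth[len("Basic "):]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    return (hmac.compare_digest(user, EXPECTED_USER)
            and hmac.compare_digest(password, EXPECTED_PASSWORD))


def handle_pre_token_issuance(headers, raw_body):
    """Return (http_status, response_body) for one PreTokenIssuance call."""
    if not _caller_is_b2c(headers):
        return 401, {"error": "unauthorized"}
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, {"error": "malformed request body"}
    if body.get("step") != "PreTokenIssuance":
        return 400, {"error": "unexpected step"}
    object_id = body.get("objectId")
    if not object_id:
        # Without a stable identifier no role can be decided; block rather than guess.
        return 200, {"version": "1.0.0", "action": "ShowBlockPage",
                     "userMessage": "Your account could not be verified."}
    # email is optional: the repeat sign-in payload in the question omits it.
    # Log only whether it was present, never the value itself.
    logging.info("PreTokenIssuance for %s, email %s", object_id,
                 "present" if body.get("email") else "absent")
    role = ROLE_BY_OBJECT_ID.get(object_id, "user")
    return 200, {"version": "1.0.0", "action": "Continue", ROLE_CLAIM: role}
```

Both sample bodies resolve to the same role because the lookup never depends on the email claim; a handler that keyed on email would silently fall back to the default role on the second sign-in.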
• The email claim is missing during the sign-in and sign-up user flow when selecting the API connector because the Azure Function app is being considered by Azure AD B2C as an untrusted domain website/application, since the session is interrupted by closing and reopening the application, due to which the session token might be considered expired/invalid immediately. As a result, the ‘email’ claim is omitted.
Thus, the email claim attribute might be returned null in the ‘application/json’ response, as its value might be missing or unknown. Hence, I would suggest you use custom policies for sign-in or sign-up instead of the default user flows in the Azure AD B2C console. Also, in the sign-in and sign-up custom policy starter pack (or whichever custom policy you are editing), add the below claims to the custom policy output claims so that you get ‘email’ as an attribute in the decoded response token; adding the below claims will allow you to sign in through multiple claim attributes, and you might not be getting the email claim when using claim types other than email.
<!-- This was already here -->
<OutputClaim ClaimTypeReferenceId="email" />
<!-- Added claim -->
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress"
PartnerClaimType="email" />
To find the default custom policy starter pack, refer to the below link for more details: -
https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
Also, to know more regarding the above issue and its accepted solution, kindly refer to the below community link: -
Why is email not returned with api connector when SSO with azure b2c?
We are using custom policies with ADB2C and are passing ui_locales in the signup_signin url for the localization. However, B2C doesn't propagate this to the Self Service Password Reset flow. We set it up following the instructions here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy#self-service-password-reset-recommended
Is there a way to propagate ui_locales to Password Reset form in Custom Policies? The url for Password Reset is out of our control and is constructed by B2C itself.
• Yes, you can surely configure the page localization option for the ‘Password Reset’ policy page by configuring the ‘Azure AD B2C Embedded Password Reset’ flow wherein the default ‘Password Reset’ flow policy gives out the error code ‘AADB2C90118’ when a specific password reset policy is not invoked through the custom policy.
• Thus, to use the ‘Azure AD B2C Embedded Password Reset’ flow policy in your Azure AD B2C Custom policy, kindly follow the below link for more details wherein the ‘B2C_1A_Demo_SignUp_SignIn_SSPR’ custom policy is used instead of the default ‘SigninOrSignUp’ starter policy: -
https://github.com/azure-ad-b2c/samples/tree/master/policies/embedded-password-reset/policy
If you use the above specified custom policy, then ensure to include the below ‘Localization’ element in the ‘TrustedFrameworkExtensions.xml’ file such that supported languages are made available in the custom policy accordingly: -
<Localization Enabled="true">
<SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
<SupportedLanguage>en</SupportedLanguage>
<SupportedLanguage>es</SupportedLanguage>
</SupportedLanguages>
</Localization>
• Once the above localization code is made available in the ‘TrustedFrameworkExtensions.xml’ file, ensure that the option shown in the image below is present, so that ‘Reset Password’ can be translated as shown; when it is selected, the respective language is available for display and for resetting the password.
To know more about this, please refer to the below link for more details: -
AD B2C - ui_locales not propagated from SignIn to PasswordReset
I have a trust framework SignUpOrSignIn custom policy user flow which sets 3 extension attributes for an app.
I can see these 3 claims and their default values in the token.
However, when I GET the user via MS Graph API (https://graph.microsoft.com/beta/{tenantId}/users/{userId}), I do not see these extension attributes.
Once I PATCH the user, I can then see the value via the GET to the {userId} segment as expected.
PATCH
{
"extension_{appId}_subscription_expiry":"2020-04-10"
}
Why are any extension attributes not returned until they've been subsequently PATCHed?
Although you have set default values for the 3 extension attributes in your custom policy, you can only see them in the token after your sign-up at that time. But you didn't store them in Azure AD.
I guess that you just added code such as <OutputClaim ClaimTypeReferenceId="extension_subscription_expiry" AlwaysUseDefaultValue="true" DefaultValue="xxx" /> in your SignUpOrSignIn.xml file.
But if you want to store the values into Azure AD, you should write the custom claim to the user profile by using AAD-UserWriteUsingLogonEmail TechnicalProfile. See Read and write a claim.
You should finish all the steps listed in this document: Add claims and customize user input using custom policies in Azure Active Directory B2C
Is there a way to do Rest API calls during Sign In in Azure AD B2C policy?
I want to add a few properties to the claims at the time the user signs in to the application. I can see that it is possible during sign-up:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-step-custom
But is it possible during Sign In as well?
If you are using a custom policy, it's very similar to Sign-up. You create the technical profile for your REST endpoint and use it either as a ValidationTechnicalProfile in your 'sign-in' technical profile or add it as an orchestration step, depending on what you want to do.
Any particular problem you are facing while adding this in your sign-in journey?
I don't have any issue while adding it to the sign-in journey.
I can call the REST API successfully and can receive the other input values, except the password value.
Below is the output result from my function app:
GetExternalSystemIdOnLogin got request body:
{
  "email": "xxxx@test.com",
  "objectId": "dec23a2c-64c3-49c4-9943-4cfe0cffa0ed"
}
I try to build an invitation flow using custom policies.
My approach was to combine the invitation part of the WingTipGamesB2C policies with the custom policy starter pack.
The invitation seems to work fine; when using the invitation link and providing the user data (display name, password), the user is created in the Azure AD.
But I am not able to login with this user; the sign in dialog shows "Invalid username or password." (while with a wrong password "Your password is incorrect" is shown).
Using the built-in sign-in policy, the login works as expected.
b2crecorder shows the following log:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Using validation endpoint at: https://login.microsoftonline.com/foo.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(c693a69c-4a15-4ef5-b85d-a9a6a3f3298f) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
This looks like the same error as in this question, but should be a different problem, as the problem was the "forceChangePasswordNextLogin" flag in there, while the users that are created by the invitation should not have this flag.
I checked that the IdentityExperienceFramework and ProxyIdentityExperienceFramework apps are correctly created and permissions are granted. They are also referenced as documented in the TrustFrameworkExtensions.xml.
How can I fix this? What can I do to further debug this problem? I used both Application Insights and the b2crecorder without getting enough information about the failure.
Additional information:
* The custom sign-up also does not work
* Signing up/in via 3rd party IDP (Google) works
I just found out what my problem was: in the login-NonInteractive technical profile, I replaced the strange-looking <Item Key="ProviderName">https://sts.windows.net/</Item> with some nice-looking name, assuming that it was just some irrelevant string (e.g. for the Google IdP, I could use <Item Key="ProviderName">Google</Item> ...)
Well, it seems to be important. When restoring the original providername, signin works perfectly.
Just answering my own question here, as I hope this will save somebody else's time.
I have followed the Getting Started workflow here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-get-started-custom
I followed it from scratch, twice, and both times when trying to sign in with the sign-in & sign-up custom policy I am prompted with 'Your password is incorrect'. How can I properly authenticate?
Things that are working:
When I do signup the user journey completes, and the user is added to the directory
Using built in policies I can sign in and sign up
Using built in policies I can sign in with a user who I used the custom policy to sign up for
Using Application Insights I can see the following errors (some sanitization applied):
"ValidationRequest":{
"ContentType":"Unspecified",
"Created":"2017-10-06T17:19:34.3995426Z",
"Key":"ValidationRequest",
"Persistent":true,
"Value":"client_id=55555555-5555-5555-5555-555555555555&resource=cccccccc-cccc-cccc-cccc-cccccccccccc&username=MYUSERNAME&password=PASSWORDIENTEREDONSCREEN&grant_type=password&scope=openid&nca=1;1;login-NonInteractive;False"
},
"ValidationResponse":{
"ContentType":"Json",
"Created":"2017-10-06T17:19:34.3995426Z",
"Key":"ValidationResponse",
"Persistent":true,
"Value":"{\"error\":\"invalid_client\",\"error_description\":\"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.\\r\\nTrace ID: 55555555-cccc-cccc-cccc-555555555555\\r\\nCorrelation ID: 77777777-7777-7777-7777-777777777777\\r\\nTimestamp: 2017-10-06 17:19:33Z\",\"error_codes\":[70002],\"timestamp\":\"2017-10-06 17:19:33Z\",\"trace_id\":\"55555555-cccc-cccc-cccc-555555555555\",\"correlation_id\":\"77777777-7777-7777-7777-777777777777\"};1;login-NonInteractive;False"
},
The important bit seems to be:
"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'"
Also later it says:
"Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown."
Some things I've double checked:
In my Identity Experience Framework > Policy Keys, I have the following 4 keys after following the steps in the guide:
B2C_1A_AdminClientEncryptionKeyContainer
B2C_1A_FacebookSecret
B2C_1A_TokenEncryptionKeyContainer
B2C_1A_TokenSigningKeyContainer
In the regular AAD > App registrations, I have the applications:
IdentityExperienceFramework
ProxyIdentityExperienceFramework
And ProxyIdentityExperienceFramework has delegated Access IdentityExperienceFramework permissions from IdentityExperienceFramework.
And I've hit Grant permissions for both apps.
Both application Ids were properly substituted in the TrustFrameworkExtensions.xml, two places each
Any help is much appreciated. Thank you.
Your ProxyIdentityExperienceFramework app was incorrectly created as a Web App/API. You need to recreate it as a Native app. Make sure you don't forget to update the client_ids in your base policy to the new ProxyIdentityExperienceFramework accordingly.
The error AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion' occurs when you try to obtain a token using a client_id for an application that was registered as a Web App/API but is not providing the required client_secret. In the case of a Native app, no client_secret is required.
When signing in, Azure AD B2C's trust framework (the thing that executes custom policies) internally attempts to obtain a token for the IdentityExperienceFramework app (Web API) using the ProxyIdentityExperienceFramework app (Native app). If you incorrectly create the latter as a Web App/API, B2C's policy engine will fail to obtain the token, which manifests itself as a 'Your password is incorrect' error message to the user.
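The Application Insights trace in the question packs the token request and the Azure AD error response into string values with a trailing ";<step>;<technical profile>;<flag>" suffix, and the request value contains the user's password in clear. The following is an added example (not code from the question, the answer or Microsoft) that splits off that suffix, parses both values, redacts the password before the data is handled further, and flags the AADSTS70002 case the answer describes. The sample values are constructed copies of the two trace values shown in the question; the suffix layout is read off those values and assumed to hold for other login-NonInteractive traces.

```python
import json
from urllib.parse import parse_qs

# Constructed copies of the two trace values from the question (identifiers as
# given there, already sanitized). B2C appends ";<step>;<technical profile>;<flag>"
# after the payload, so the suffix must be split off before the payload is parsed.
SAMPLE_VALIDATION_REQUEST = (
    "client_id=55555555-5555-5555-5555-555555555555"
    "&resource=cccccccc-cccc-cccc-cccc-cccccccccccc"
    "&username=MYUSERNAME&password=PASSWORDIENTEREDONSCREEN"
    "&grant_type=password&scope=openid&nca=1;1;login-NonInteractive;False"
)
SAMPLE_VALIDATION_RESPONSE = (
    '{"error":"invalid_client","error_description":"AADSTS70002: The request body '
    "must contain the following parameter: 'client_secret or client_assertion'."
    '\\r\\nTrace ID: 55555555-cccc-cccc-cccc-555555555555\\r\\nCorrelation ID: '
    '77777777-7777-7777-7777-777777777777\\r\\nTimestamp: 2017-10-06 17:19:33Z",'
    '"error_codes":[70002],"timestamp":"2017-10-06 17:19:33Z",'
    '"trace_id":"55555555-cccc-cccc-cccc-555555555555",'
    '"correlation_id":"77777777-7777-7777-7777-777777777777"}'
    ";1;login-NonInteractive;False"
)


def split_trace_value(value):
    """Separate the logged payload from B2C's trailing step/profile/flag suffix."""
    payload, step, profile, flag = value.rsplit(";", 3)
    return payload, int(step), profile, flag == "True"


def parse_validation_request(value):
    """Parse the form-encoded token request and redact the user's password."""
    payload, _, _, _ = split_trace_value(value)
    params = {k: v[0] for k, v in parse_qs(payload).items()}
    if "password" in params:
        params["password"] = "<redacted>"
    return params


def diagnose(request_value, response_value):
    """Explain a failed login-NonInteractive token request from its two trace values."""
    req = parse_validation_request(request_value)
    payload, _, profile, _ = split_trace_value(response_value)
    resp = json.loads(payload)
    codes = resp.get("error_codes", [])
    findings = []
    secret_sent = "client_secret" in req or "client_assertion" in req
    if 70002 in codes and not secret_sent:
        findings.append(
            "AADSTS70002 in %s: the token request for client_id %s carried no "
            "client_secret, so Azure AD treats that client_id as a confidential "
            "(Web App/API) registration; the ProxyIdentityExperienceFramework app "
            "must be registered as a Native (public) client."
            % (profile, req.get("client_id"))
        )
    if req.get("grant_type") == "password" and "username" in req:
        findings.append(
            "The trace holds a resource-owner password grant request, so the user's "
            "password was written to the log in clear; it is redacted here, and "
            "access to and retention of these traces should be restricted."
        )
    return {"profile": profile, "grant_type": req.get("grant_type"),
            "error": resp.get("error"), "error_codes": codes, "findings": findings}


if __name__ == "__main__":
    for line in diagnose(SAMPLE_VALIDATION_REQUEST, SAMPLE_VALIDATION_RESPONSE)["findings"]:
        print("-", line)
```

The AADSTS70002 check pairs the error code with the absence of client_secret or client_assertion in the request, which is exactly the mismatch between a confidential registration and a public-client token request that the answer identifies; the second finding exists because the same trace that diagnoses the problem also contains the end user's password.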