Why is Facebook referenced in TrustFrameworkBase.xml? - azure-ad-b2c

The documentation for Azure AD B2C says "Base file - Few modifications are required to the base". I expected to change just the TenantId and PublicPolicyUri at the beginning of the file.
I was surprised to find that a Facebook ClaimsProvider is defined in the base file. Shouldn't that be in TrustFrameworkExtensions.xml? If I don't want to use Facebook, I have to make lots of changes to TrustFrameworkBase.xml.
I got my TrustFrameworkBase.xml from the SocialAccounts folder of the start pack GitHub repository that is referenced in the documentation. Is there a better place to get a TrustFrameworkBase file?

Facebook is there because it is a social account and it shows how to integrate one.
Use local accounts.

Related

Can I remove default scopes added by Google Workspace Marketplace SDK configuration?

I am trying to publish a Google Sheets Add-on. I am working on the Google Workspace Marketplace SDK configuration. The configuration automatically includes the following 2 scopes as defaults:
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
The Add-on has no reason to access the user's email or profile. Why are these added? Can I delete them? The only scopes that the script code should need are:
https://www.googleapis.com/auth/script.container.ui
https://www.googleapis.com/auth/spreadsheets.currentonly
When I go to create the OAuth Consent Screen, I am told that I need to create "A Youtube video showing how you plan to use the Google user data that you get from scopes". Am I being asked to do this because of these default scopes that are included?
EDIT: I deleted these 2 scopes and did a SAVE. It confirmed that the edits were saved. But when I refreshed the page, the scopes were back!
The reason why the Trust and Safety team is asking you for the video is this:
1. Most of the apps that will be public require certain steps, so the video is one of those.
2. Now, the main reason for the video is that the scope https://www.googleapis.com/auth/script.container.ui is part of the restricted scopes, and according to the documentation it needs to go through the verification.
So basically the reason for the video is that you have a restricted scope, because this scope allows you to display and run third-party web content in prompts and sidebars inside Google applications. Therefore, it is important for the verification process.
Now in regards to your concern of the default scopes, I was able to remove them and create OAuth consent screen without them.

Azure B2C: Getting List of Built-in Claims for Custom Policies

While the Azure Starter Pack for B2C is helpful for getting started with creating custom policies, is there an actual list of built-in claims that one can reference? There are several claims that are referred to in several of the files, though I have no clue of their purpose or why they're needed (for example upnUserName, nca, resource_id, etc.).
I did find some pages, such as Graph API reference or Customize Claims, though I'm not sure if these are the go-to page for getting all built-in claims.
You can find a list of all such claims in two places:
User profile attributes documentation - https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes#azure-ad-user-resource-type
User attributes blade in the Azure Portal. The built-in user attributes are almost the same for user flows and custom policies.

Getting Error while doing Sign In using custom policy in Azure Active Directory B2C

I am struggling with the Sign-In functionality of an existing user in Azure Active Directory B2C. I had followed this link for implementing the custom claims in the JWT token using custom policies. After modifying the TrustFrameworkBase.xml, TrustFrameworkExtensions.xml & SignUpOrSignin.xml files as per my need by following the same link, I uploaded those files to Azure and was trying to run the user flow from Azure. Now the issue I am facing currently is that Sign-In functionality is not working. It is giving me the error Unable to validate the information provided. (See the screenshot attached)
Don't know where I am going wrong.
Any help in this regard would be really helpful.
Update: After adding Application Insights in my SignUpOrSignIn.xml file, now I am able to get the exact error, i.e. The claim type "objectId", designated as the identifier claim type, could not be found in the claims collection for the claims principal in tenant id "B2C_1A_signup_signin".
But I don't know at which step I am missing it or how to modify the policy to run it successfully.
After struggling to find the solution to the problem mentioned for 3 days, finally I was able to solve the problem.
I removed the tag
<ValidationTechnicalProfile ReferenceId="AAD-UserWriteProfileUsingObjectId" /> mentioned under the TechnicalProfile tag with Id SelfAsserted-LocalAccountSignin-Email in the TrustFrameworkBase.xml file. Now I am able to subsequently sign in using AD B2C.
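As an added illustration of why removing that tag worked (a constructed profile modelled on the starter-pack shape, not the asker's actual TrustFrameworkBase.xml): the ValidationTechnicalProfiles of a self-asserted profile run in the order listed, and an AAD write profile keyed on objectId can only find its identifier claim once an earlier validation step has put objectId into the claims bag. The write step below is the line the asker removed; its position relative to login-NonInteractive is the point, and it is an assumption that the asker's policy needed no write-back at sign-in.

```xml
<!-- Constructed example, not the asker's file: a local-account sign-in technical profile
     in the usual starter-pack layout, with the validation steps annotated. -->
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <DisplayName>Local Account Signin</DisplayName>
  <Protocol Name="Proprietary"
            Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>
    <Item Key="setting.operatingMode">Email</Item>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
    <OutputClaim ClaimTypeReferenceId="password" Required="true" />
    <!-- objectId is not typed in by the user; a validation step below must produce it. -->
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <!-- Step 1: checks the password against the directory and, on success,
         emits objectId into the claims bag. -->
    <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
    <!-- Step 2: the tag the asker removed. It uses objectId as its identifier
         input claim, so it can only run after step 1 has produced objectId;
         listed ahead of step 1, or without step 1 at all, it fails with the
         "identifier claim type ... could not be found" error from the question.
         If sign-in has nothing to write back to the directory, leave it out. -->
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteProfileUsingObjectId" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
```

With Application Insights enabled as the asker did, the trace shows which validation profile threw, which is the quickest way to confirm the ordering problem in a real policy.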

Not Able to provide language support in b2c Custom policies using localization

I am using custom policies to enable mobile number authentication in my mobile app.
I have used custom UI files to manage the UI of the policies using blob storage as given in the following link:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-ui-customization-custom
Now I want to give support for the Chinese language for the sign-in, sign-up and password reset policies. For that I am following the Microsoft document:
https://learn.microsoft.com/bs-latn-ba/azure/active-directory-b2c/localization#set-up-localization
along with some reference document i found on git:
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Migration-JIT-sample/B2C_1A_Demo_Base.xml
FYI,
I have used this MS link to get started with custom policies:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
but I wanted mobile authentication instead of email, so I made the changes given in this Stack Overflow link:
Can Azure-AD B2C use a mobile telephone number as a username?
I am following the exact steps given in the document, but when I run the policy it gives me the error:
One of the request inputs is out of range.
After following the steps it generates a URL like this:
https://smarthomestgdev.blob.core.windows.net/en/b2cpagelayout/signup.html
The URL is correct, but it does not render any sign-up page and gives a blank page.
Can anyone help me solve the issue?

Who "owns" an Apiary Blueprint?

If I create a blueprint at apiary.io, then grant Editor rights to a few other folks, is there any lingering specialness about "me"?
If so, how can I figure out who "owns" the bp?
In particular, I have created Apiary accounts for several email addresses, and made them all editors. I'm now trying to use the CLI (github: apiaryio/apiary-client). It tells me "403 Forbidden" when I use a token generated (at login.apiary.io/tokens) for several "Editor" accounts. How can I pick the "true owner" account (which, obviously, I've forgotten) to try the CLI against?
You can find the owner name in the documentation header on the left, under the API Project name.
For team APIs, that would be the team name, for personal APIs, it's the name of the user.
To answer your initial question, the owner can access and change the API Settings (e.g. change API Project visibility, connect the API Project to GitHub, etc.). Additionally, if the owner is a member of a team, they can transfer ownership of their personal API Project to the team.