Azure AD B2C Post Sign In Information Collection - azure-ad-b2c

I am putting together a PoC to show Sign In followed by selection of a value from a dropdown box that is populated from an external API.
Standard Sign In is perfect and the example at https://github.com/azure-ad-b2c/samples/tree/master/policies/selectemail is great, but I need to chain the 2, e.g. the user must successfully sign in first and then call the API to retrieve data for the user to select.
I know that this can be done with a 3rd party application between B2C and the end application, but I am trying to avoid that. Can anyone point me to how I would go about doing this?

Concatenate the user journey steps in the sample with the user journey you have, and concatenate the technical profiles in that sample into the policy file you are currently using (e.g. TrustFrameworkExtensions).
Now you will have sign in -> rest api call -> display dynamic drop down box page.
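As an added illustration (not code from the selectemail sample or from the question), a user journey that chains the three steps in that order. The profile IDs REST-GetUserOptions and SelfAsserted-SelectOption are assumed names for the two profiles copied over from the sample; the other IDs come from the B2C starter pack, and the starter pack's sign-up step is left out because the journey is sign-in only.

```xml
<UserJourney Id="SignInThenSelectOption">
  <OrchestrationSteps>
    <!-- Step 1: local-account sign in, using the starter pack profile. -->
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
      </ClaimsProviderSelections>
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 2: read the directory object so objectId / email are in the claims bag for the API call. -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 3: REST call (assumed profile id) that returns the option list as a single claim.
         It only runs once step 1 succeeded, so unauthenticated requests never reach the API. -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="GetUserOptions" TechnicalProfileReferenceId="REST-GetUserOptions" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 4: self-asserted page (assumed profile id) that renders the list claim in a hidden
         text box for the page JavaScript and collects the user's choice in a second claim. -->
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="SelectOption" TechnicalProfileReferenceId="SelfAsserted-SelectOption" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 5: issue the token, including the selected value. -->
    <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
```

Point the relying party file at it with `<DefaultUserJourney ReferenceId="SignInThenSelectOption" />`. Because the page JavaScript writes the choice from the browser, the selected value is untrusted input and should be checked (for example with a ValidationTechnicalProfile on SelfAsserted-SelectOption) before it is issued in the token.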

Related

Customize the user interface in Azure Active Directory B2C

I understand how to brand my login form, but how do I customize the workflow that Azure provides?
Currently the Sign-up form looks like this:
Which is really illogical. The text boxes under 'Verificatiecode verzenden' (Send verification code) are only useful after the code has been received and filled in.
How to customize this part to create a better working workflow:
Add email address -> Send code -> Fill in code and verify --> Fill in additional user details.
Edit:
As recommended by Brad I dived into Identity Experience Framework. An 'intimidating' framework is a big understatement ;(
I watched these videos: https://www.youtube.com/playlist?list=PL4svy-vB4AaxRunWQkxOe8h3zP9jAzS5Z and followed the steps mentioned here:
https://github.com/azure-ad-b2c/azureadb2ccommunity.io/wiki/LocalAndSocialAccount-Sign-In-and-Sign-Up-policy
https://github.com/azure-ad-b2c/samples/tree/master/policies/split-email-verification-and-signup
I'm just at the point that I only want to mimic what I currently have using the 'normal' user flows:
Log-in using Email
Log-in using Facebook
Log-in using Google
The login screen looks the same, I have the email and password buttons and the Facebook and Google buttons, but when I log in with Google I get an error about grant-type not set.
And this is all without trying the split.xml.
I'm so lost in understanding AAD B2C. It should make life easier for developers, but I find it very complicated, hard to modify, and hard to get the profile data I need and to keep the data in sync.
In order to achieve this with User Flows, you must use the Custom User Interface features and JavaScript to control how and when those fields are displayed.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/javascript-and-page-layout?pivots=b2c-user-flow#enable-javascript
Optionally, you can conduct a similar flow using the Identity Experience Framework (Custom Policies), either with JavaScript or by using two different Self Asserted profiles to move from screen to screen.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-trust-frameworks
Taking the leap from User Flows to the Identity Experience Framework can be intimidating, but would give you the most control in your user experience.

Dependent controls functionality in Azure AD B2C Signup page

I am using the AD B2C custom policies to achieve the Sign-in and Signup.
In the Signup page, I need to have a dependent controls functionality. Like, once I enter a value in a text box and focus out, a REST API call should be made to pull the information from the database, and that information needs to be displayed in the next controls in read-only mode.
For example,
If I enter a postal code, it should auto-populate the city information.
If I choose a city, it should auto-populate the state and country details.
Please suggest a way to achieve this scenario.
You can use JavaScript with the custom policies for your requirement. Once the postal code is entered in the text field you can call a REST API and generate a dynamic dropdown box with JavaScript to bind the city details; based on the dropdown selection you can bind the required field.
There is a sample similar to your requirement. Please refer to it; it will be helpful.

Calling an api in Azure AD B2C custom policy for postal address validation

I've been tasked with setting up our company's Azure B2C environment. I've made a lot of progress and have had to use Custom Policies, as the default User Flows don't give us enough flexibility.
One of the requested features is to have a section in the SignUpOrSignIn policy, so that when a user signs up for the first time, we want to validate their postal address through an address validation api provided by a third party.
The way the API works is that first you pass in the post code, e.g. AA11 1AA. The response will include a list of all the available addresses for the provided post code. You then call the API a second time with the unique id of the selected address, and this time the response breaks the address details out into each of its parts, e.g. Line 1, Line 2, Town, County, Post Code.
So far I have an input for the postcode in the UI. I need to take this value and pass it to the API.
I now want to be able to display the list of addresses to the user in a DropdownSingleSelect list. Is it possible to dynamically populate these, rather than hard coding into the xml file? I also need to hide this list until it is populated.
Then after displaying the list to the user, they will select their address. This will then need to submit a second call to the API with the unique id.
Then the response needs to be populated into each of the address fields, which are hidden up to this point. I also need to prevent the button at the bottom of the page that creates the user from being active until this sequence is complete.
Are these actions possible? Or are the requirements too complex for B2C? Any suggestions?
You can generate a dynamic dropdown box with JavaScript and some hidden fields rendered by B2C after getting the details from the REST API.
See this sample:
https://github.com/azure-ad-b2c/samples/tree/master/policies/selectemail

Azure B2C Linking Different Permissions to Users

We have a problem where individual users are registered to our application but with permission to see a single set of data. These are all set up as local accounts.
At the moment each user is associated with a single set of data.
We now need to be able to link different sets of data to the same user.
After or during login the user would be presented with the options that are linked to their account and it would remember this throughout their session.
We would also need to be able to add new permissions to an account through an API.
What is the best way of achieving this through Azure B2C, ideally without using custom policies if possible?
If you want to insert a page during the authentication journey (sign in) which reads the user's access ability, then allows the user to choose one of these options, and then issues that choice in the token, you will need a custom policy. I am assuming that this list could be different for each user ("options that are linked to their account").
If that list of options is stored on the user object, then it needs to be read from the user, and a dynamic radio box selection presented to the user.
You need to create a comma-delimited list and insert it into a claim; if it's already stored as a comma-delimited, or some other delimited, list, then you are already good to go. Otherwise you'll need to have B2C send the data to a REST API to build a comma-delimited list.
That claim needs to be shown on the page after 'sign in' in a text box via B2C (hidden with CSS), where JavaScript on your custom HTML page (configured in B2C) builds a radio box from that list in the hidden text box.
Then the JavaScript needs to record the choice into another B2C-rendered text box. You should then verify at B2C or via a REST API whether the submitted value was valid.
Then issue that value into the token.

Sign in custom policies and azure function

I need some help with this sample:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-step-custom
I need to do the same but with a sign-in policy. I need to validate the email with a SQL database and change a status column in the database, and/or block access if the email doesn't exist.
Do you have some example for that?
Thanks
P.D.: Excuse my English
The example you are pointing to is more useful for just retrieving additional claims for a user, but not for validating the input. Since you are validating the email address, this example is more relevant:
Walkthrough: Integrate REST API claims exchanges in your Azure AD B2C user journey as validation on user input
This is what I would suggest:
Host your database behind a REST API so it can be called to validate the email address.
Create a technical profile using Web.TPEngine.Providers.RestfulProvider that calls into your REST API (see the example I linked above).
Add a ValidationTechnicalProfile to the SelfAssertedAttributeProvider technical profile that collects the email, so it will validate it and show an error if validation fails.
By adding validation such as this, the user will be blocked with an error message and will have the opportunity to fix the input (e.g. typos) and try again. You can also get additional claims about that email address from the REST API by adding them to the OutputClaims of both technical profiles.
You will need to determine whether this is the right place to change the flag in the DB or if that ought to be a separate operation. The reason is that if the user goes to the next step in the user journey and then abandons it and comes back later, what would their experience be?
If you want it as a separate step later in the user journey, then you would create it using the example you provided (i.e. as a separate step after all the required steps have executed in the user journey).
The steps will be very similar except you will need to modify a different UserJourney and RelyingParty.
Update <UserJourney Id="SignUpOrSignIn"> as described in step 4.
Update SignUpOrSignin.xml as described in step 5.
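An added example of the three suggested steps in policy XML; it is not code from the linked walkthrough. The profile id REST-ValidateEmail, the accountStatus claim, the ServiceUrl and the two policy key names are assumptions, and the API is assumed to answer HTTP 200 with a JSON body on success and HTTP 409 Conflict with a `userMessage` to block the sign in.

```xml
<!-- Steps 1 and 2: RestfulProvider technical profile that calls the API fronting the SQL database. -->
<TechnicalProfile Id="REST-ValidateEmail">
  <DisplayName>Validate the sign-in email against the database</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://api.example.com/b2c/validate-email</Item> <!-- assumed URL, HTTPS only -->
    <Item Key="SendClaimsIn">Body</Item>
    <Item Key="AuthenticationType">Basic</Item>
    <Item Key="AllowInsecureAuthInProduction">false</Item>
  </Metadata>
  <CryptographicKeys>
    <!-- Policy keys (assumed names) holding the credential B2C presents to the API. -->
    <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_RestApiUsername" />
    <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_RestApiPassword" />
  </CryptographicKeys>
  <InputClaims>
    <!-- Sent as {"email": "..."} in the request body. -->
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email" />
  </InputClaims>
  <OutputClaims>
    <!-- Extra claim read from the 200 response, e.g. {"accountStatus": "active"}.
         Declare accountStatus in the ClaimsSchema of the extensions file. -->
    <OutputClaim ClaimTypeReferenceId="accountStatus" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

<!-- Step 3: extend the starter pack sign-in profile (same Id in TrustFrameworkExtensions)
     with the REST profile as a validation technical profile. -->
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <OutputClaims>
    <!-- Also listed here so the value returned by the API is carried on into the journey. -->
    <OutputClaim ClaimTypeReferenceId="accountStatus" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <!-- The base profile already lists login-NonInteractive (the password check) and a failing
         validation profile stops the chain, so this one only runs for users who proved the
         password; the API therefore cannot be used to probe which emails exist. -->
    <ValidationTechnicalProfile ReferenceId="REST-ValidateEmail" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>
```

A 409 response body of the form `{"version": "1.0.0", "status": 409, "userMessage": "..."}` is shown to the user on the sign-in page and stops the journey, which is the "block access" behaviour asked for.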