Azure AD B2C custom policy not returning account lockout error (50053) - azure-ad-b2c

I was testing AD B2C smart lockout feature following this link.
My current smart lockout settings:
The sign-ins log showed that the account I used for testing is successfully locked:
However, in my sign-in page that is using custom policy, the error is not showing my account being temporarily locked despite having Localized String in my TrustFrameworkExtensions.xml:
```xml
<LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfUserAccountLocked">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>
```
The error message in the sign-in page is always "The username or password provided in the request are invalid":
May I know what could be the direction for me to troubleshoot this/ common causes to this?
EDIT: From Chrome developer tools, the call is always returning the same "The username or password provided in the request are invalid." response even if the lockout threshold is exceeded.

I had a similar issue with this exact message not appearing when a user is locked out. Except that I am not using any custom user policies, so the quick fix suggested by Jas was not relevant for me.
I found that I was able to get it working by enabling custom languages for the user flow, and overriding the default value for that error message:
```json
{
  "ElementType": "ErrorMessage",
  "ElementId": null,
  "StringId": "UserMessageIfUserAccountLocked",
  "Override": true,
  "Value": "Your account is temporarily locked to prevent unauthorized use. Try again later."
}
```


Azure ADB2C Google Sign up - 'AADB2C90090: The provided JWE is not a valid 5 segment token.'

I am trying to use Google as an identity provider in an ADB2C SignInSignUp userflow, consumed within a React Native app through a WebView.
When I am testing this I am hitting an error that I cannot seem to find the cause of. Upon signing up with google I receive the following response object:
{"canGoBack": true, "canGoForward": false, "loading": false, "target": 99, "title": "Loading...", "url": "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/oauth2/authresp?state=StateProperties%3DeyJTSUQiOiJ4LW1zLWNwaW0tcmM6NjIxMDMyYTYtZTVlZC00OTJkLTg1NmMtMTAzYzg3Mzc0YmE3IiwiVElEIjoiZDM5ZTgwY2MtNzJlNy00ZGE5LWJjODYtMGRjZGNlN2Q1MDZlIiwiVE9JRCI6IjRkOTkyMzhiLTBhOGEtNGU0Ny1hYTRkLTk5NTZiYTY3NmE5YyJ9&code=4%2F0AX4XfWhrpKK2DDX58pFTHkb_U2e8SvGnLrPvhI4grUn5ojA5R-q7q4KjcdS1tO4DYemuWQ&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&prompt=none#"}
Typically I would receive the fully formatted token back in this response, which I then use for server side validation. This works when signing up with Apple and as a B2C user when pressing 'Sign up now' on the userflow.
The token returned in this is not formatted correctly and doesn't follow 'code=' in the response url as I usually get when signing in or up through the other methods, and therefore throws an error of :'AADB2C90090: The provided JWE is not a valid 5 segment token.' when trying to parse what follows StateProperties.
Does anybody know why Google would not return a valid token in the same way that Apple/Microsoft do when signing up?
Any help would be greatly appreciated
Please check a few workarounds:
1. Try to include the client id in scope along with the other scopes.
2. Try mentioning Response_mode=form_post in the auth request.
3. In some cases it's working with other versions, so try Msal version 4.32 (see Issue · GitHub).
4. According to "Sign in with a Google account - Azure AD B2C | Microsoft Docs", make sure to create an app registered in Google's console.
Also note from the same document and this blog:
References:
- jwt - Azure AD B2C - Token validation does not work - Stack Overflow
- Azure Active Directory B2C - Authorization code encoding issue (microsoft.com)
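The response object in the question is the WebView reporting a navigation to B2C's own federation callback (`/oauth2/authresp`), where the `code` belongs to Google's exchange with B2C, not to the app. The following is an added example, not code from the question or answers: it classifies each WebView navigation URL so that an app only parses a token or error from its own registered redirect_uri. The redirect_uri `myapp://auth/callback`, the tenant name and the state/code values in the samples are constructed for the example.

```javascript
// Added example (not code from the original post): classify each URL a
// WebView navigates to during an Azure AD B2C sign-in, so the app only parses
// tokens from its own registered redirect_uri and never from B2C's
// intermediate /oauth2/authresp callback (where the question's "code=..."
// response came from).

// The app's registered redirect_uri is an assumption for this example.
const APP_REDIRECT_URI = "myapp://auth/callback";

// Merge query and fragment parameters (B2C can use either response_mode).
function collectParams(url) {
  const params = new Map(url.searchParams);
  const fragment = url.hash.startsWith("#") ? url.hash.slice(1) : url.hash;
  for (const [key, value] of new URLSearchParams(fragment)) params.set(key, value);
  return params;
}

function classifyB2cNavigation(rawUrl, redirectUri = APP_REDIRECT_URI) {
  const url = new URL(rawUrl);
  const expected = new URL(redirectUri);

  // B2C's callback for external identity providers (Google, Apple, ...).
  // The `code` on this URL is the IdP's authorization code addressed to B2C,
  // not a token for the app, so there is nothing here for the app to parse.
  if (url.hostname.endsWith(".b2clogin.com") && url.pathname.endsWith("/oauth2/authresp")) {
    return { kind: "idp-callback" };
  }

  // Anything that is not the app's exact redirect_uri is still sign-in UI.
  const isRedirectTarget =
    url.protocol === expected.protocol &&
    url.host === expected.host &&
    url.pathname === expected.pathname;
  if (!isRedirectTarget) return { kind: "in-progress" };

  const params = collectParams(url);
  if (params.has("error")) {
    return {
      kind: "error",
      error: params.get("error"),
      description: params.get("error_description") || "",
    };
  }
  if (params.has("id_token")) {
    // Hand the compact token to the OIDC library for signature/nonce checks.
    return { kind: "id_token", idToken: params.get("id_token"), state: params.get("state") || "" };
  }
  if (params.has("code")) {
    return { kind: "code", code: params.get("code"), state: params.get("state") || "" };
  }
  return { kind: "unexpected" };
}

// Constructed sample URLs (tenant, state, code and token values are made up).
const SAMPLE_IDP_CALLBACK =
  "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp" +
  "?state=StateProperties%3Dconstructed&code=constructed-google-code&scope=openid#";
const SAMPLE_FINAL_REDIRECT =
  "myapp://auth/callback#id_token=eyJ.constructed.sig&state=abc123";

// Run both samples through the classifier.
function classifySamples() {
  return {
    idpCallback: classifyB2cNavigation(SAMPLE_IDP_CALLBACK),
    finalRedirect: classifyB2cNavigation(SAMPLE_FINAL_REDIRECT),
  };
}
```

In a React Native WebView this would run from `onNavigationStateChange`: ignore `idp-callback` and `in-progress`, and only stop the WebView and validate the token (signature, issuer, audience, nonce) once the classifier reports `id_token` or `code` on the app's own redirect_uri.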

How to fix 'OpenIdConnectMessage.Error was not null, indicating an error. Error: 'access_denied' using Azure Active Directory

This server '/' error pops up in my application if the user is signed in to another AAD account with a different domain, is there a way to make the azure website redirect back to the log in page so he/she can sign in to the proper user account instead of showing this error?
```text
OpenIdConnectMessage.Error was not null, indicating an error. Error: 'access_denied'. Error_Description (may be empty): 'XXXYYY00000: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'XXXX' and cannot access the application '00X1XXX0-XXXX-XXXX-XXXX-XXXXXXXXXXXX'(00000_website.azurewebsites_XXXX) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
Trace ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Correlation ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Timestamp: 2019-09-11 02:31:47Z'. Error_Uri (may be empty): 'https://login.microsoftonline.com/error?code=90072'.
```
So you are using single tenant to let only your tenant users to login, right? If you don't want to get this error message, you can detect the error in your code and redirect it to the login page directly.
However, I think this error page is needed, since we can know clearly why we can not login in. Then we can login with the correct account.
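The answer above suggests detecting the error in code and redirecting to the login page. The following is an added example, not code from the question or answer, of how a server-side callback handler can do that: it keeps the Trace ID and Correlation ID from the error description for the server log (they are what support needs) and sends an `access_denied` user back to the authorize endpoint with `prompt=select_account` so the account picker is shown. The authorize endpoint, client id, redirect URI and sample identifiers are constructed placeholders, and the caller is assumed to supply per-request `state` and `nonce` values it keeps in its session.

```javascript
// Added example (not code from the original question or answer): server-side
// handling of an OIDC error posted back to the app's redirect_uri. Endpoint,
// client id, redirect URI and sample ids are constructed placeholders.
const AUTHORIZE_ENDPOINT =
  "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize";
const CLIENT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder
const REDIRECT_URI = "https://example.invalid/signin-oidc"; // placeholder

// Pull the support identifiers out of an AAD error_description so they can be
// logged for troubleshooting without echoing the full text to the user.
function extractSupportIds(description) {
  const grab = (label) => {
    const m = new RegExp(label + ":\\s*([A-Za-z0-9-]{36})").exec(description || "");
    return m ? m[1] : null;
  };
  return { traceId: grab("Trace ID"), correlationId: grab("Correlation ID") };
}

// Authorize URL that takes the user back to sign-in with the account picker
// shown (prompt=select_account), so they can choose the right account.
// `state` and `nonce` must be fresh per request and stored in the session.
function buildReauthRedirect(state, nonce) {
  const u = new URL(AUTHORIZE_ENDPOINT);
  u.searchParams.set("client_id", CLIENT_ID);
  u.searchParams.set("response_type", "id_token");
  u.searchParams.set("response_mode", "form_post");
  u.searchParams.set("scope", "openid profile");
  u.searchParams.set("redirect_uri", REDIRECT_URI);
  u.searchParams.set("state", state);
  u.searchParams.set("nonce", nonce);
  u.searchParams.set("prompt", "select_account");
  return u.toString();
}

// Decide what to do with the parameters posted back to the redirect_uri.
// Returns an action rather than touching a response object, so it is testable.
function handleOidcCallback(params, session, log = () => {}) {
  if (!params.error) return { action: "continue" };
  const ids = extractSupportIds(params.error_description);
  log(`oidc error=${params.error} traceId=${ids.traceId} correlationId=${ids.correlationId}`);
  if (params.error === "access_denied") {
    return { action: "redirect", location: buildReauthRedirect(session.state, session.nonce), ...ids };
  }
  // Other errors (invalid_request, server_error, ...) are not fixed by signing in again.
  return { action: "fail", error: params.error, ...ids };
}

// Constructed sample of the posted-back parameters (ids are made up).
const SAMPLE_ERROR_PARAMS = {
  error: "access_denied",
  error_description:
    "User account from identity provider 'live.com' does not exist in tenant.\r\n" +
    "Trace ID: 11111111-2222-3333-4444-555555555555\r\n" +
    "Correlation ID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\r\n" +
    "Timestamp: 2019-09-11 02:31:47Z",
};
```

Only the error code and the two identifiers leave the handler; the description text, which names the tenant and application, stays in the server log. In ASP.NET this logic would sit in the OpenID Connect middleware's remote-failure event; the function here is framework-neutral so it can be unit tested.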

AD B2C forceChangePasswordNextLogin for user flow "Sign in v2" doesn't initiate a password reset and prevents a successful login

I am creating new users in Azure AD B2C using the Graph client API. The JSON I send to the API looks like the following:
```json
{
  "creationType": "LocalAccount",
  "passwordProfile": {
    "password": "a:898;keJPpN/69X",
    "forceChangePasswordNextLogin": true
  },
  "passwordPolicies": "DisablePasswordExpiration",
  "objectId": null,
  "accountEnabled": true,
  "displayName": "John Doe",
  "mailNickname": "john.doe",
  "signInNames": [
    {
      "type": "emailAddress",
      "value": "john.doe@provider.com"
    }
  ]
}
```
The user is then created correctly. However, once I try to login with the newly created user using the flow "Sign in v2", I get the following error message: Invalid username or password.
Looking at the sign-in attempts, the failed attempts all failed with:
```text
Status: Interrupted
Sign-in error code: 50055
Failure reason: Invalid password, entered expired password.
```
Starting a "Password reset v2"-flow by clicking "Forgot your password?" does correctly trigger a password reset flow with email confirmation. After entering the sent confirmation code and setting a new password, the login works as expected.
If I set "forceChangePasswordNextLogin": false, the first login works as expected. However, in this case the user is not forced to change his one-time password. So this is not really an option.
Also interesting: When using the flow "Sign in" (without v2), everything works as expected and the user is forced to change the password on the first login. However, as this flow does not support custom styling, this is also not an option.
What do I have to do to get the "Sign in v2" flow to correctly trigger a password change on the first login of a user?
Rather than setting passwordProfile.forceChangePasswordNextLogin to true, you can create a custom attribute (e.g. ForceResetPasswordNextLogin), set this to true when you create the local account, and then issue this as an application claim from the sign-in policy to your B2C application. After sign-in, if it is set to true, then your B2C application can initiate the password reset policy. After password reset, then your B2C application can set it to false.
You can otherwise consider a custom policy from the starter pack that includes a password change step.
There is now an option called Forced password reset in the user flow's properties:
As the hint message says, when this checkbox is ticked, users can log in with an expired password. Once they actually log in, users are forced to change their password.
If this checkbox is not ticked, the behavior is as described in Chri's answer.
Not an out-of-the-box solution, but there's this custom sample SignUpOrSignIn policy which shows how to achieve this:
Azure AD B2C: Force password reset first logon
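The first answer above moves the "must reset" state out of `passwordProfile.forceChangePasswordNextLogin` and into a custom attribute that the application reads as a claim. The following is an added example of that approach on the application side, not code from the thread or from the linked sample policy. Assumptions: a custom attribute named `ForceResetPasswordNextLogin` (stored in the directory as `extension_<b2c-extensions-app id without dashes>_<Name>` and issued in tokens as `extension_<Name>`), a password reset policy named `B2C_1A_PasswordReset`, and placeholder tenant, client and extensions-app ids.

```javascript
// Added example (not code from the original thread): the custom-attribute
// approach from the answer above, implemented on the application side.
// Attribute name, policy name and all ids below are assumptions/placeholders.

const EXTENSIONS_APP_ID = "00000000000000000000000000000000"; // placeholder, no dashes
const ATTRIBUTE_NAME = "ForceResetPasswordNextLogin";
const DIRECTORY_ATTRIBUTE = `extension_${EXTENSIONS_APP_ID}_${ATTRIBUTE_NAME}`;
const TOKEN_CLAIM = `extension_${ATTRIBUTE_NAME}`;

const TENANT = "contoso"; // placeholder
const CLIENT_ID = "11111111-1111-1111-1111-111111111111"; // placeholder
const RESET_POLICY = "B2C_1A_PasswordReset"; // assumed policy name

// Request body for creating the local account, in the same shape as the
// question's JSON, but with the flag carried by the custom attribute instead
// of passwordProfile.forceChangePasswordNextLogin (which "Sign in v2" rejects).
function buildCreateUserBody(displayName, email, oneTimePassword) {
  return {
    creationType: "LocalAccount",
    accountEnabled: true,
    displayName,
    mailNickname: email.split("@")[0],
    passwordProfile: { password: oneTimePassword, forceChangePasswordNextLogin: false },
    passwordPolicies: "DisablePasswordExpiration",
    signInNames: [{ type: "emailAddress", value: email }],
    [DIRECTORY_ATTRIBUTE]: true,
  };
}

// After sign-in. `claims` must be the payload of an id_token whose signature,
// issuer, audience, nonce and expiry the app's OIDC library already verified;
// the boolean may be issued as a string, so both spellings are accepted.
function needsPasswordReset(claims) {
  const v = claims[TOKEN_CLAIM];
  return v === true || String(v).toLowerCase() === "true";
}

// Authorize URL that starts the password reset policy for the signed-in user.
// `state` and `nonce` are per-request values the caller keeps in its session.
function buildPasswordResetUrl(redirectUri, state, nonce, loginHint) {
  const u = new URL(`https://${TENANT}.b2clogin.com/${TENANT}.onmicrosoft.com/oauth2/v2.0/authorize`);
  u.searchParams.set("p", RESET_POLICY);
  u.searchParams.set("client_id", CLIENT_ID);
  u.searchParams.set("response_type", "id_token");
  u.searchParams.set("response_mode", "form_post");
  u.searchParams.set("scope", "openid");
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("state", state);
  u.searchParams.set("nonce", nonce);
  if (loginHint) u.searchParams.set("login_hint", loginHint);
  return u.toString();
}

// Once the reset policy completes, the app clears the flag with a PATCH on the
// user object; this is the body for that call (the HTTP request itself is left
// to the app's Graph client).
function buildClearFlagPatch() {
  return { [DIRECTORY_ATTRIBUTE]: false };
}

// Constructed sample of already-verified id_token claims for a first-time user.
const SAMPLE_CLAIMS = {
  sub: "constructed-object-id",
  emails: ["john.doe@provider.com"],
  [TOKEN_CLAIM]: true,
};
```

The ordering matters for the security of the flow: the flag is cleared only after the reset policy has returned a verified token for the same user, and `needsPasswordReset` is evaluated on claims the OIDC library has already validated, never on a token decoded straight from the redirect.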

Azure AD B2C: custom policy local account signin/signup fails

I try to build an invitation flow using custom policies.
My approach was to combine the invitation part of the WingTipGamesB2C policies with the custom policy starter pack.
The invitation seems to work fine; when using the invitation link and providing the user data (display name, password), the user is created in the Azure AD.
But I am not able to login with this user; the sign in dialog shows "Invalid username or password." (while with a wrong password "Your password is incorrect" is shown).
Using the builtin signin policy, the login works as expected.
b2crecorder shows the following log:
```text
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Using validation endpoint at: https://login.microsoftonline.com/foo.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(c693a69c-4a15-4ef5-b85d-a9a6a3f3298f) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
```
This looks like the same error as in this question, but should be a different problem, as the problem was the "forceChangePasswordNextLogin" flag in there, while the users that are created by the invitation should not have this flag.
I checked that the IdentityExperienceFramework and ProxyIdentityExperienceFramework apps are correctly created and permissions are granted. They are also referenced as documented in the TrustFrameworkExtensions.xml.
How can I fix this? What can I do to further debug this problem? I used both Application Insights and the b2crecorder without getting enough information about the failure.
Additional information:
* The custom signup does also not work
* Signing up/in via 3rd party IDP (Google) works
I just found out what my problem was. In the login-NonInteractive technical profile, I replaced the strange-looking `<Item Key="ProviderName">https://sts.windows.net/</Item>` with some nice-looking name, assuming that it was just some irrelevant string (e.g. for the Google IdP, I could use `<Item Key="ProviderName">Google</Item>` ...).
Well, it seems to be important. When restoring the original ProviderName, sign-in works perfectly.
Just answering my own question here, as I hope this will save somebody else's time.

Azure AD B2C with custom policies: Unable to authenticate user with temporary password

I have configured Azure AD B2C with custom policies but I am unable to authenticate with a new user created in the Azure portal. The user has a temporary password. Azure AD B2C returns the error text Invalid username or password, even though the username and password is correct.
I have confirmed that it is possible to login with the new user and temporary password in Azure AD B2C using non custom policies. After logging in, the user gets prompted to change their password.
The problem can be reproduced using the custom policies described in this guide:
Get started with custom policies.
Additional information:
I have configured the b2crecorder https://b2crecorder.azurewebsites.net/stream?id=<guid> in the UserJourneyRecorderEndpoint, which gives access to more information through https://b2crecorder.azurewebsites.net/trace_102.html?id=<guid>.
The problem results in the following logging:
```text
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Using validation endpoint at: https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(d56987e9-be2e-46fc-a7a4-23e317f8f174) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
```
The most common reason for this is that Grant Permissions has not been executed.
On the "ProxyIdentityExperienceFramework application" -> after selecting the checkbox for Access IdentityExperienceFramework -> clicking on Select and hitting Done, you must also complete the next step:
Select Grant Permissions, and then confirm by selecting Yes.
Edit:
Sorry, after reading your situation carefully, both a "sign-up or sign-in policy" or "custom policy" do not support the Azure Active Directory forceChangePasswordNextLogin flag. (forceChangePasswordNextLogin will only work with a "sign-up policy") There is a feature request tracking this here.
Since this is the first SO article that pops up on this question, I'll add that another possibility to check when hitting this problem is, make sure the Proxy app type is Native, not Web.
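Both of the last two threads end in the same `BadArgumentRetryNeededException` from `login-NonInteractive`, and the causes found were configuration slips in that one technical profile: an edited `ProviderName`, and the IdentityExperienceFramework / ProxyIdentityExperienceFramework app registrations not set up (or their ids never substituted for the starter-pack placeholders). The following is an added example, not part of the original answers: a small lint that reads `TrustFrameworkExtensions.xml` and reports those slips before the policy is uploaded. It uses regular expressions rather than an XML parser and so assumes the starter pack's `<Item Key="...">value</Item>` formatting; the sample policy fragment and app ids are constructed.

```javascript
// Added example (not part of the original answers): lint the
// login-NonInteractive technical profile for the two causes reported on this
// page. Regex-based; assumes the starter pack's Item formatting.

const REQUIRED_PROVIDER_NAME = "https://sts.windows.net/";
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Return the XML text of the technical profile with the given Id, or null.
function extractTechnicalProfile(xml, id) {
  const re = new RegExp(`<TechnicalProfile\\s+Id="${id}"[\\s\\S]*?</TechnicalProfile>`);
  const m = re.exec(xml);
  return m ? m[0] : null;
}

// Collect <Item Key="...">value</Item> pairs from the profile's Metadata.
function metadataItems(profileXml) {
  const items = {};
  const re = /<Item\s+Key="([^"]+)"\s*>([^<]*)<\/Item>/g;
  let m;
  while ((m = re.exec(profileXml)) !== null) items[m[1]] = m[2].trim();
  return items;
}

function checkLoginNonInteractive(xml) {
  const profile = extractTechnicalProfile(xml, "login-NonInteractive");
  if (!profile) return ["TechnicalProfile login-NonInteractive not found"];
  const items = metadataItems(profile);
  const problems = [];
  if (items.ProviderName !== REQUIRED_PROVIDER_NAME) {
    problems.push(`ProviderName must be exactly ${REQUIRED_PROVIDER_NAME}, found "${items.ProviderName}"`);
  }
  // client_id is the ProxyIdentityExperienceFramework app, IdTokenAudience the
  // IdentityExperienceFramework app; both must be real application ids.
  for (const key of ["client_id", "IdTokenAudience"]) {
    if (!items[key]) problems.push(`${key} is missing`);
    else if (!GUID.test(items[key])) problems.push(`${key} still holds placeholder "${items[key]}"`);
  }
  if (items.client_id && items.client_id === items.IdTokenAudience) {
    problems.push("client_id and IdTokenAudience must be two different applications");
  }
  return problems;
}

// Constructed samples: the first reproduces the edited ProviderName from the
// question above with placeholder app ids; the second is the corrected form.
const SAMPLE_BROKEN = `
<TechnicalProfile Id="login-NonInteractive">
  <DisplayName>Local Account SignIn</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <Metadata>
    <Item Key="ProviderName">Local Accounts</Item>
    <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
    <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
  </Metadata>
</TechnicalProfile>`;

const SAMPLE_FIXED = SAMPLE_BROKEN
  .replace("Local Accounts", REQUIRED_PROVIDER_NAME)
  .replace("ProxyIdentityExperienceFrameworkAppId", "22222222-2222-2222-2222-222222222222")
  .replace("IdentityExperienceFrameworkAppId", "33333333-3333-3333-3333-333333333333");
```

Running `checkLoginNonInteractive` on the file before uploading catches the misconfiguration at the desk rather than after a round trip through b2crecorder; the Grant Permissions step and the Native application type from the answers above still have to be checked in the portal, since they are not visible in the policy XML.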
