I am testing the custom B2C policy sign-in-with-authenticator from GitHub (link below). The one issue I have is getting desktop authenticators to work, because they cannot read the QR code. I have tried to somehow display the secret returned from the service, but I can't seem to get it to the page like the QR code bitmap itself. How can I show the secret for users that are logging in with a desktop authenticator?
Sign in with authenticator Sample
I did find a way to do this. In the API that the policy calls, create a new claim on the InputClaims object and send the secret as a Base32-encoded string in the new field. In the TrustFrameworkExtensions policy, add a new claim to hold it; in the technical profile for authenticator registration, add that claim as an input and output claim, and add the Required attribute to the input claim. Now the claim will show on the page in a hidden text field that you can use to populate a link for the secret that can be entered into desktop auth apps.
Related
I have a web application that uses Azure AD B2C, with custom policies, for security. When I look at the user accounts in the Azure AD B2C portal, I can see an editable Employee Id field. This field would be very handy to store an internal company employee Id, but I would like to include this field as an output claim in the auth token.
I've read the various documentation about the user profile attributes that are available through the portal, etc (https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes), but EmployeeId is not listed there.
Based on the documentation, I'm assuming EmployeeId is not available to custom policies, but I thought I would ask the question, anyway, to see if anyone has worked out a way to include the property as an output claim in the JWT auth token?
• Yes, you can surely include the ‘employeeId’ attribute claim in the Azure AD B2C custom policy as below, to be included as an output claim in the authentication token. For that purpose, you will have to define the employee Id as a claim with the proper ‘DisplayName, DataType, UserHelpText, UserInputType’, wherein you will have to modify the ‘TrustFrameworkExtensions.xml’ as below:
Then, add the claim to the user interface in the local account signup technical profile as below, since you want the ‘employeeId’ attribute to be included as a field in the output claim under ‘LocalAccountSignupwithLogonEmail’:
Once done, use the ‘PersistedClaims’ to write data to the user profile and ‘OutputClaims’ to read data from the user profile within the respective Active Directory technical profiles as above. Then, include a claim in the token in the ‘SignuporSignin.xml’ file; that output claim will be added to the token after a successful user journey. Then modify the technical profile element within the relying party section to add the ‘employeeId’ as an output claim as below:
Once the above things are done, you surely can upload the custom policy and test it through your web app for the ‘employeeID’ attribute.
For more information regarding this, kindly refer to the below links:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-user-input?pivots=b2c-custom-policy
Custom policies Azure AD B2C issue with read the value Employee ID of user of Azure AD
To solve this, I ended up adding a REST API call, in the custom policy, that extracted EmployeeId via Graph API. Great suggestion by #juunas.
This works well, although it would be good if EmployeeId could be exposed as a claim without the REST call as I feel this adds a point of failure to the whole Sign Up/Sign In flow.
But it works.
I have a B2C tenant set up using the OOB sign-up/sign-in user flow, working fine. I have also implemented a custom policy to allow the user to change their password when they are already signed in to our application, according to this article.
When testing, if I directly navigate to the custom policy endpoint, it first prompts me to sign in and then takes me to the password change form, which works fine. However, in our case, since the user is already signed in to our application, we would like to bypass the sign-in form and take the user directly to the password change form. According to this article, I can remove the prompt=login from the URL and it should bypass the sign-in form if the user is already signed in.
To test this, I first log in to my app using the sign-up/sign-in user flow and then invoke the custom policy URL in the same browser tab session without the prompt=login. It does take me directly to the password change form; however, I get the following error when I try to change the password:
Invalid username or password
I have confirmed that I am entering the correct current password. How can I troubleshoot this and where might the issue be?
Thanks,
Param
This is typical of an incorrect setup of custom policies.
Delete the two app registrations: the ProxyIEF and IEF apps.
Run the tool to set it up for you: https://aka.ms/iefsetup.
Test that sign-in works with the custom policy.
Then follow the document you linked again to set up the password change flow. You can download the policies back from the Portal to work with.
We have a B2C setup using custom policies that authenticates against Apple ID as an external identity provider. This all works, and we are able to get the email claim. However, the first name/last name fields from Apple are not made available in the JWT token and therefore are not in B2C as claims.
They are, however, presented to B2C as a posted form parameter called 'user' during the first-time authentication. This is obviously a non-standard way of using the OpenID Connect protocol.
Does B2C have a way of extracting form-posted fields (or is it on the roadmap)? I see it is possible to get query string parameters via a claims provider when using the OAuth protocol, but I don't see the same for OpenID Connect and posted form parameters.
The OpenID Connect technical profile maps claims from the ID token which means that additional authorization response parameters can't be referenced.
Is there a way in B2C custom policies to validate claims by comparing them?
Let's say we need to validate the user's postal code to reset a password; can we do:
insertedPostalCode == actualPostalCode (compare two claims)?
Of course, this is after reading the user from B2C using an email or some other sign-in name.
You can absolutely do this.
I'm going to assume you're using B2C custom policies.
Use a claims transformation, either AssertStringClaimsAreEqual or CompareClaims, in a technical profile that can be added as a validation step in the self-asserted page you are using to collect this postal code from the user.
Here are the Microsoft docs that should point you in the right direction.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/string-transformations#assertstringclaimsareequal
https://learn.microsoft.com/en-us/azure/active-directory-b2c/string-transformations#compareclaims
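The wiring described in the answer above, written out as an added example that is not part of the answer or of Microsoft's starter pack. The claim names insertedPostalCode and actualPostalCode come from the question; the transformation id AssertPostalCodesAreEqual, the technical profile ids ClaimsTransformation-AssertPostalCode and SelfAsserted-ResetPasswordVerify, and the user message text are assumptions. AAD-UserReadUsingEmailAddress, SM-Noop, SM-AAD and api.selfasserted are starter-pack names; the directory read profile is assumed to have been extended with an output claim that maps the directory's postalCode attribute onto actualPostalCode.

```xml
<!-- Added example (not from the answer above). Hypothetical ids: AssertPostalCodesAreEqual,
     ClaimsTransformation-AssertPostalCode, SelfAsserted-ResetPasswordVerify. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="insertedPostalCode">
      <DisplayName>Postal code</DisplayName>
      <DataType>string</DataType>
      <UserHelpText>Enter the postal code on file for your account.</UserHelpText>
      <UserInputType>TextBox</UserInputType>
    </ClaimType>
    <ClaimType Id="actualPostalCode">
      <DisplayName>Postal code on record</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- Raises a validation error when the two values differ. ordinalIgnoreCase makes the
         comparison case-insensitive, so "sw1a 1aa" still matches "SW1A 1AA". -->
    <ClaimsTransformation Id="AssertPostalCodesAreEqual" TransformationMethod="AssertStringClaimsAreEqual">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="insertedPostalCode" TransformationClaimType="inputClaim1" />
        <InputClaim ClaimTypeReferenceId="actualPostalCode" TransformationClaimType="inputClaim2" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="stringComparison" DataType="string" Value="ordinalIgnoreCase" />
      </InputParameters>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Postal code check</DisplayName>
    <TechnicalProfiles>
      <!-- Runs the assertion. An Assert* transformation only stops the journey when the
           profile that executes it is referenced as a validation technical profile. -->
      <TechnicalProfile Id="ClaimsTransformation-AssertPostalCode">
        <DisplayName>Check postal code against the directory</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="insertedPostalCode" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="AssertPostalCodesAreEqual" />
        </OutputClaimsTransformations>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
      </TechnicalProfile>

      <!-- Self-asserted page that collects the postal code. The directory read must run
           before the assertion so that actualPostalCode is populated. Assumption: the
           starter-pack AAD-UserReadUsingEmailAddress profile has been extended with
           <OutputClaim ClaimTypeReferenceId="actualPostalCode" PartnerClaimType="postalCode" />. -->
      <TechnicalProfile Id="SelfAsserted-ResetPasswordVerify">
        <DisplayName>Verify your postal code</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
          <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
          <!-- Message rendered on the page when AssertStringClaimsAreEqual fails -->
          <Item Key="UserMessageIfClaimsTransformationStringsAreNotEqual">The postal code does not match our records.</Item>
        </Metadata>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="email" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="insertedPostalCode" Required="true" />
          <OutputClaim ClaimTypeReferenceId="objectId" />
        </OutputClaims>
        <ValidationTechnicalProfiles>
          <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
          <ValidationTechnicalProfile ReferenceId="ClaimsTransformation-AssertPostalCode" />
        </ValidationTechnicalProfiles>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Validation technical profiles run in the order listed, so the directory read has to come first; if the assertion were listed ahead of it, actualPostalCode would be empty and every attempt would fail. The user message is deliberately the same whether the account has no postal code on record or the value simply differs, so the page reveals nothing about the stored value.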
I have multiple applications that use the same custom policy to authenticate users. In TrustFrameworkExtensions I defined two claims providers, one for local accounts and one for users of my company AD tenant (social account). I also have a claims provider to retrieve custom attributes and to check whether the user is enabled for the calling application; this claims provider is configured in the user journey as an orchestration step before the JWT token is created.
The API application returns claims with custom attributes if the user is enabled, and returns a response with HttpStatusCode.Conflict and an error message if not.
How can I show the error message in the login form before it goes back to the calling application?
PS: I have a custom UI login form
UPDATE
I found the right technical profile, "SelfAsserted-LocalAccountSignin", and now it works! But I have 2 more questions.
1. In my API application, the extension properties are missing from the input claims; I think it's because the user is not logged in yet. Is it possible to obtain all claims? If this isn't possible I must read the data in my API with Graph by signInName.
2. My login form allows authentication as a local user and as a user of my company AD tenant (social account).
The ValidationTechnicalProfiles in "SelfAsserted-LocalAccountSignin" work with local users only; I tried to configure a ValidationTechnicalProfile for the "SM-SocialLogin" TechnicalProfile, but it doesn't work.
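The setup the poster describes in the UPDATE, shown as an added example that is not the poster's policy: a RESTful technical profile that calls the authorization API, appended as a validation step to the local-account sign-in page. The technical profile id REST-CheckUserEnabled, the service URL, the key container names B2C_1A_RestApiUsername and B2C_1A_RestApiPassword, and the extension attribute extension_applicationRole are assumptions; SelfAsserted-LocalAccountSignin is the profile name the poster uses (in the starter pack the corresponding profile is SelfAsserted-LocalAccountSignin-Email), and login-NonInteractive and SM-Noop are starter-pack names. For the page to display the API's message, the API answers a rejected user with HTTP 409 and the documented B2C error body, `{"version": "1.0.0", "status": 409, "userMessage": "..."}`; B2C renders userMessage on the self-asserted page and keeps the user there.

```xml
<!-- Added example (not the poster's policy). Hypothetical: REST-CheckUserEnabled, the
     ServiceUrl, the key container names, extension_applicationRole. -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>REST APIs</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="REST-CheckUserEnabled">
        <DisplayName>Check that the user may sign in to the calling application</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
          <Item Key="ServiceUrl">https://api.example.invalid/b2c/check-user</Item>
          <Item Key="SendClaimsIn">Body</Item>
          <!-- The API is authenticated; the credentials live in policy keys, not in the policy XML -->
          <Item Key="AuthenticationType">Basic</Item>
          <Item Key="AllowInsecureAuthInProduction">false</Item>
        </Metadata>
        <CryptographicKeys>
          <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_RestApiUsername" />
          <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_RestApiPassword" />
        </CryptographicKeys>
        <InputClaims>
          <!-- At this point only the sign-in name and the calling app's client id are known.
               Directory extension attributes are not in the claims bag yet, because no
               AAD-UserRead* profile has run; the API must look them up itself (e.g. via Graph). -->
          <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInName" />
          <!-- {OIDC:ClientId} is a B2C claim resolver; assumption: client_id is defined in the ClaimsSchema -->
          <InputClaim ClaimTypeReferenceId="client_id" PartnerClaimType="clientId" DefaultValue="{OIDC:ClientId}" AlwaysUseDefaultValue="true" />
        </InputClaims>
        <OutputClaims>
          <!-- Claims the API returns on HTTP 200 for an enabled user -->
          <OutputClaim ClaimTypeReferenceId="extension_applicationRole" PartnerClaimType="applicationRole" />
        </OutputClaims>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
      </TechnicalProfile>

      <!-- Override of the local-account sign-in page. A validation technical profile added
           here is appended after the base profile's login-NonInteractive, so the REST check
           runs only after the password has already been verified. -->
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin">
        <ValidationTechnicalProfiles>
          <ValidationTechnicalProfile ReferenceId="REST-CheckUserEnabled" />
        </ValidationTechnicalProfiles>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Because the REST profile is a validation step of the local-account page, it is never reached for a federated sign-in: that path has no self-asserted page and no ValidationTechnicalProfiles element, which is why attaching one to a session-management profile has no effect. For the social path the same REST profile has to be invoked as an orchestration step in the user journey instead, where a 409 ends the journey with an error rather than being shown inline.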