B2C custom policy invitation link expiry custom error message - azure-ad-b2c

I have set up an Azure B2C custom policy for the invitation flow, using this sample https://github.com/mrochon/b2csamples. It's working fine, but when the invitation link has expired and the user opens it, it shows an error page with
"AADB2C90017: The client assertion provided in the request is invalid: 'client_secret' was used as the verification key"
I want to change the error message so the user knows that the link has expired.

You can set a custom error page UI and use CSS to hide the default error message.
Using JavaScript, parse the default error message when it contains "AADB2C90017", then show a custom error message.
There are some samples which explain how to enable JavaScript.
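As an added example (not code from the question, the answer or the b2csamples repository), this is the kind of page script the answer describes: it detects the AADB2C90017 code in the rendered text and swaps in an expiry message, leaving any other error untouched. The `#api` container is an assumption about the custom page template, and the policy must allow script execution for it to run at all.

```javascript
// Added example: remap an Azure AD B2C error message on a custom error page.
// Assumption: the B2C page renders its error text inside the element that the
// custom HTML template provides as <div id="api">.

// Only the code discussed here is mapped; anything else is passed through.
const CUSTOM_MESSAGES = {
  AADB2C90017: 'This invitation link has expired. Please request a new invitation.',
};

// Pull the AADB2C error code out of a raw B2C message, or null if there is none.
function extractErrorCode(message) {
  const match = /AADB2C\d{5}/.exec(message || '');
  return match ? match[0] : null;
}

// Return the text to show the user. Unknown codes and messages without a code
// are returned unchanged so nothing unexpected is hidden from the user.
function mapErrorMessage(message) {
  const code = extractErrorCode(message);
  return code && CUSTOM_MESSAGES[code] ? CUSTOM_MESSAGES[code] : message;
}

// Replace the rendered message in place and return what was shown. Works on any
// object with a textContent property, so it can be exercised outside a browser.
function applyCustomError(container) {
  const original = container.textContent;
  const replaced = mapErrorMessage(original);
  if (replaced !== original) {
    // textContent, not innerHTML: the page text is treated as data, never markup.
    container.textContent = replaced;
  }
  return replaced;
}

// Browser-only wiring; skipped when run under Node.
if (typeof document !== 'undefined') {
  const api = document.getElementById('api');
  if (api) applyCustomError(api);
}
```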

Related

Azure B2C custom policy Auth app - totpIdentifier issue

I have created a custom policy to use the Authenticator App from the following example code:
https://github.com/azure-ad-b2c/samples/blob/master/policies/totp/policy/TrustFrameworkExtensions_TOTP.xml
The issue I am having is that it will sign up a new user, but when it is supposed to redirect to the page to show the QR code, it fails with the following error shown in AI.
Exception Message:A Claim of ClaimType with id "totpIdentifier" was not found, which is required by the ClaimsTransformationImpl of
Type "Microsoft.Cpim.Data.Transformations.FormatStringMultipleClaimsTransformation" for TransformationMethod "FormatStringMultipleClaims"
referenced by the ClaimsTransformation with id "CreateUriLabel" in policy xyz
The user is created correctly, as the next login will show the QR code and after going through the process, will give me my token.
I do understand the error, but I do not know how to fix it. My guess is that the sequence of events is not correct, but "CreateUriLabel" should be called after "TotpFactor-Input", where "totpIdentifier" gets set.
Has someone got an idea on what to look at?
Just for completion: it ended up being a branding file that was causing the issue.

How do I fix/avoid AADSTS650051: 'dynamicPermissions' is not a valid parameter for 'consentToApp' that some users get when trying to login with AAD?

I have a bare-bones website (single page app) that tries to log in the user with AAD using the MSAL JavaScript library. It is practically just doing what the example AAD login code does:
* It creates a UserAgentApplication with my app's client ID and the authority URL for my tenant
* It calls handleRedirectCallback and loginRedirect
* It tries to get either the accessToken or the errorCode/errorMessage from the redirect response
Under practically all circumstances this works fine. Users visit my page, they get redirected and login just fine. One particular user, however, after the redirect and attempt to login gets this error:
Login failed: invalid_client - AADSTS650051: The parameter 'dynamicPermissions' in the request payload is not a valid parameter for the function import 'consentToApp'.
Trace Id: ed33266a-26ac-4706-9018-e6e89f650100
Correlation Id: e3103cab-1a7f-4a99-8455-fd8c8a769e35
Timestamp: 2019-06-25 20:50:44Z
He has tried this in many different browsers (Edge/Chrome) and always gets this error, even in InPrivate/Incognito mode. No other user ever runs into this error that I've found.
I'm not sure how to debug the issue because in my code I never specify a 'dynamicPermissions' property or reference a function named 'consentToApp'.
How can I troubleshoot what is causing this error for this one user?
Thanks!
Ultimately this turned out to be a bug in the AAD service that was fixed by Microsoft.

How to fix 'FacebookTokenError: Error validating verification code.'

When trying to login using Facebook, I get the following error message:
FacebookTokenError: Error validating verification code.
Please make sure your redirect_uri is identical to the one you used in the
OAuth dialog request
The URL in the OAuth dialog request is:
https://www.facebook.com/v3.2/dialog/oauth?response_type=code&redirect_uri=https%3A%2F%2Furl.com%2Fauth%2Ffacebook%2Fcallback&scope=email%2Cpublic_profile&client_id=<id here>
In the Facebook Login settings of the app I've added every variation of the URL I could think of:
https://url.com/auth/facebook/callback
https://url.com/auth/facebook/callback/
https://url.com/auth/facebook/callback?code=
https://url.com/auth/facebook/callback?scope=email,public_profile&client_id=<id here>
What URL am I supposed to add?
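As an added example, not part of the question: a small check of the rule the Facebook error message states, that the redirect_uri sent when exchanging the code must be identical to the one in the OAuth dialog request. It uses the dialog URL from the question (with a placeholder client_id) and compares values by plain string equality, reporting which URL component differs when they do not match.

```javascript
// Added example: compare the redirect_uri from an OAuth dialog request with the
// redirect_uri a callback handler sends on the code exchange. The dialog URL is
// the one from the question; the client_id is a placeholder.

const DIALOG_URL = 'https://www.facebook.com/v3.2/dialog/oauth?response_type=code'
  + '&redirect_uri=https%3A%2F%2Furl.com%2Fauth%2Ffacebook%2Fcallback'
  + '&scope=email%2Cpublic_profile&client_id=APP_ID_PLACEHOLDER';

// Percent-decoded redirect_uri from an authorization (dialog) URL, or null.
function redirectUriFromDialog(dialogUrl) {
  return new URL(dialogUrl).searchParams.get('redirect_uri');
}

// Authorization servers compare redirect URIs as exact strings. Returns an
// empty list when the two values are identical; otherwise a list of the
// components that differ, to explain the mismatch.
function redirectUriDifferences(expected, actual) {
  if (expected === actual) return [];
  let a;
  let b;
  try {
    a = new URL(expected);
    b = new URL(actual);
  } catch (e) {
    return ['one of the values is not a valid absolute URL'];
  }
  const diffs = [];
  if (a.protocol !== b.protocol) diffs.push(`scheme: ${a.protocol} vs ${b.protocol}`);
  if (a.host !== b.host) diffs.push(`host: ${a.host} vs ${b.host}`);
  if (a.pathname !== b.pathname) diffs.push(`path: ${a.pathname} vs ${b.pathname}`);
  if (a.search !== b.search) diffs.push(`query: "${a.search}" vs "${b.search}"`);
  if (a.hash !== b.hash) diffs.push(`fragment: "${a.hash}" vs "${b.hash}"`);
  // The URL parser normalises scheme and host case, so equal components with
  // unequal strings means the raw text differs only in case or encoding.
  if (diffs.length === 0) diffs.push('strings differ only in encoding or case');
  return diffs;
}

// Constructed sample: a callback handler that appends a trailing slash.
const CALLBACK_SENT = 'https://url.com/auth/facebook/callback/';
console.log(redirectUriDifferences(redirectUriFromDialog(DIALOG_URL), CALLBACK_SENT));
```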

Actions on Google - Unable to use "quick account linking"

I set up my Actions on Google project with account linking enabled and the Implicit flow, and it's working fine. However, when I try to select "Add quick account linking", after I save and click "Test Draft", it goes to the simulator page with the error message "Failed to enable simulator".
The error happens whether I select "Account creation", "Auto Google Sign-in" or both. I've filled the fields "GSI Client ID", "Token URL" and "Learn More URL" with proper values.
I can see under the hood that a POST query is made to https://console.actions.google.com/u/0/m/actions/agents/draft/createlocalizeduserpreview and returns a 500 error with "status":13. When I unselect "Add quick account linking", the same query succeeds and no error is displayed.
Did anyone get this to work?
Did you follow the steps to extend the Implicit flow and add a new endpoint that would handle the assertion request based on a JWT? This needs to be a new endpoint, and is similar to what you needed to do if you were implementing the Auth Code flow.
If so, verify that this endpoint is being called, that you're parsing the JWT correctly, and that you're returning either an auth code or a valid redirect to have the user sign in.

Azure AD B2C: custom policy local account signin/signup fails

I am trying to build an invitation flow using custom policies.
My approach was to combine the invitation part of the WingTipGamesB2C policies with the custom policy starter pack.
The invitation seems to work fine; when using the invitation link and providing the user data (display name, password), the user is created in the Azure AD.
But I am not able to log in with this user; the sign-in dialog shows "Invalid username or password." (while with a wrong password "Your password is incorrect" is shown).
Using the built-in sign-in policy, the login works as expected.
b2crecorder shows the following log:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Using validation endpoint at: https://login.microsoftonline.com/foo.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(c693a69c-4a15-4ef5-b85d-a9a6a3f3298f) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
This looks like the same error as in this question, but it should be a different problem, as the cause there was the "forceChangePasswordNextLogin" flag, while the users created by the invitation should not have this flag.
I checked that the IdentityExperienceFramework and ProxyIdentityExperienceFramework apps are correctly created and permissions are granted. They are also referenced as documented in the TrustFrameworkExtensions.xml.
How can I fix this? What can I do to further debug this problem? I used both Application Insights and the b2crecorder without getting enough information about the failure.
Additional information:
* The custom signup also does not work
* Signing up/in via 3rd party IDP (Google) works
I just found out what my problem was: in the login-NonInteractive technical profile, I replaced the strange-looking <Item Key="ProviderName">https://sts.windows.net/</Item> with some nice-looking name, assuming that it was just some irrelevant string (e.g. for the Google IdP, I could use <Item Key="ProviderName">Google</Item> ...)
Well, it seems to be important. When restoring the original ProviderName, sign-in works perfectly.
Just answering my own question here, as I hope this will save somebody else's time.