I have tried to make Azure B2C authentication by using following link https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows and Sign In page is working fine but i am unable to redirect to reset password page when clicking "Forgot Password?" option from Sign In page.
A sign-up or sign-in user flow with local accounts includes a Forgot password? link on the first page of the experience. Clicking this link doesn't automatically trigger a password reset user flow.
Your application needs to handle this error code by running a specific user flow that resets the password. To see an example, take a look at a simple ASP.NET sample that demonstrates the linking of user flows.
Related
I have a B2C tenant setup using the oob sign-up/sign-in user flow working fine. I have also implemented a custom policy to allow the user to change their password when they are already signed in to our application according to this article.
When testing, if I directly navigate to the custom policy endpoint, it first prompts me to sign-in and then takes me to the password change form which works fine. However, in our case since the user is already signed in to our application, we would like to bypass the sign-in form and take the user directly to the password change form. According to this article I can remove the prompt=login in the url and it should bypass the sign-in form if the user is already signed in.
To test this, I first login to my app using the signup/signin user flow and then invoke the custom policy url in the same browser tab session without the prompt=login. It does take me directly to the password change form, however, I get the following error when I try to change the password:
Invalid username or password
I have confirmed that I am entering the correct current password. How can I troubleshoot this and where might the issue be?
Thanks,
Param
This is typical of incorrect setup of custom policies.
Delete the two app registrations: ProxyIEF and IEF apps.
Run the tool to set it up for you: https://aka.ms/iefsetup.
Test sign in works with the custom policy.
Then follow the document you linked again to setup the password change flow. You can download the polices back from the Portal to work with.
We have an application that utilizes AzureB2C. The application also has links to partner websites that signs in a user via OIDC. We have the following scenario:
User goes to the website and the website redirects to AzureB2C Sign in page.
The user chooses to Reset his password and goes through the reset password flow. After the user resets his password, he is automatically signed in to our application
The user then clicks a link that should allow him to SSO in via OIDC
Instead of being automatically signed in, the Azure B2C "Reset Password" page is displayed to the user.
As a workaround, the user has to logout and log back in again to be automatically SSO'd in to the partner site.
How do we fix this so that OIDC does not send the user to the Reset Password page?
There was a bug in the setup for the “recommended” password reset flow.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy#self-service-password-reset-recommended
In the ForgotPassword technical profile, set UseTechnicalProfileForSessionManagement to SM-Noop.
We have been implementing Azure AD B2C into our customer portal website to handle the authentication of customers.
Recently, during some testing, I've noticed that we have been getting MFA requests in the Reset Password, which is fine other than the fact that you need to verify your email twice, it's just annoying.
However, I noticed that in a different User Flow, this didn't happen.
All the settings on the User Flows were exactly the same, except that one uses custom pages layouts, and the other uses the default layout.
The User flow with custom layouts are requesting MFA when resetting the password, so the steps in this flow are:
Click on forgot password link
Verify your email
Multifactor Authentication step (verify your email, again)
Change your password.
Whereas in the User Flow with no custom layouts the steps are the same but there is no step 3. So it goes like:
Click on forgot password link
Verify your email
Change your password
I have no idea why this is. All the settings are the same. The website is the same, the IP is the same, the account is the same. The ONLY difference is that one has custom pages and the other does not.
We want the customers to have a good experience through the reset password, and asking to verify the email 2 times when they are the same step is not the best experience.
Anything we could do to stop this or have it act differently?
When it comes to verify your email twice the default behavior for Password Reset flow is that you need to put you email and get the code sent to your email and once the code is entered, you would be asked to enter the new password and confirm new password. But if you enable MFA for your SignUp-SignIn policy, and then try to reset the password, you would first go by the default flow for SSPR, enter your email address and get the code sent to your email and second, once you enter the code the next page is the MFA page, that would bring up the MFA method that is selected in the SignUp-SignIn Policy
As suggested by #junnas please check and try disabling the MFA enforcement on Password reset user flow in your Azure AD B2C directory.
Azure B2C User Flow SignUp/SignIn with Email/Number.
Requirements:
SignUp with Email/Phone:
while signing up when user click for registration its shows already email/phone number exist but we are looking when user have already have email then it automatically move to login flow.
SignIn with Email/Phone:
while user click on the signin if user not exist then it automatically navigate to the signup page so user dont need to manuly go for signup
Forget Password with Email/Phone:
With the Email/Phone number signin/signup flow there is missing the reset password policy to change password and there is only showing the change phone number option.we need to reset the user password
There is missing the Cenel icon on the phone number signup flow.
I did reproduce your scenario and found that there is currently no prebuild option or system in user flow of Azure AD B2C that when user try to sign and if it has not already signup will redirect to signup page and vice versa.
Azure AD B2C offers various sign-up and sign-in options for users of your applications:
I did Configure my Azure AD B2C local accounts to allow sign-up and sign-in with using email address. There are also other ways with username, phone number, or a combination of methods.
For Forget Password with Email/Phone enable the self-server password under the properties of your created user flow.
Please follow this GIF for apply for Forget Password with email and attribute which I have set for my userflow.
I have shown the demo how my user flow is working please check this GIF as well.
I have redirected my webapp to https://vikashgaurav.com/portfolio/ after successful signing.
Reference : https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-sign-up-and-sign-in-policy?pivots=b2c-user-flow
We have a Custom Policy that is based on the SocialAndLocalAccounts starter pack.
We have been adding support from Home Realm Discovery based on this sample HomeRealmDiscovery-Modern to redirect users using third-party-providers to their correct sign-in page (IdP)
We have also added support for Domain Hints to entirely skip our sign-in page for users that sign-in via a third-party identity provider.
The policy makes use of the new released Self-Served Password Reset as per official docs.
What's the issue?
When the user goes through the "Self-Served Password Reset", the B2C session is left in a corrupted state. If the user is redirected back to B2C, the session is not picked up.
How can we say that? What is the use case?
Steps to reproduce:
1: User goes to the application which redirects the user to the B2C Sign-In page.
2: User enters local account email (Gmail) and on the next Screen clicks on "Forgot your password" link which is implemented using the Self-Served Password Reset.
3: User goes correctly through the password reset flow, and ultimately enters the "MFA" factor (SMS code).
4: User correctly gets redirected to the Application with an ID token, successful login.
6: User clicks a link to a new/different application using the same custom policy.
7: The new application redirects the user to B2C (same custom policy)
Expected Result: The user should have a valid B2C Session and should not be prompted to sign-in again, but instead redirected to the callback of the new application with a valid id-token.
Actual Result: The user is sent back to the new application with an error message in the callback URL, and because of the error redirected back to B2C to re-login.
Error Message:
AADB2C90051: No suitable claims providers were found.
Correlation ID: c014004a-d2da-4000-83e5-6d648f9acccc
Timestamp: 2021-06-16 07:17:16Z
IMPORTANT: If the user goes through the normal sign-in flow (no password reset), everything works correctly. The user can switch between different applications and B2C picks-up the session correctly, without throwing errors or prompting a new sign-in. SSO among the different apps works as intended.
Here is the full TrustFrameworkExtention file which contains all the logic and extends from the Base file of the starter pack:
TrustFrameworkExtention.xml
Try this:
In CreateidentityProvidersCollectionLogic change SM-Noop to SM-DOMAIN.
In SM-DOMAIN add:
<PersistedClaim ClaimTypeReferenceId="identityProviders" />