ADB2C built-in policies and javascript - azure-ad-b2c

ADB2C now allows us to use JavaScript within built-in policies.
But this is still a preview feature (and has been for several months). Is it safe to use it or not? We clearly need to move to the new b2clogin.com domain now, and we would have taken the opportunity to also implement JavaScript.

Public previews are not suggested for production environments because the behavior will change during preview and we can't confirm the GA date.

Related

Azure AD B2C date attribute without Custom Policies

I need users to enter a date when signing-up or editing their profile in Azure AD B2C. Is there any way to do this without using Custom Policies?
I see two options:
Use a string extension attribute with a text input. But you cannot do client-side validation...
Use 3x string extension attributes (day, month, year) with 3x single-select drop-down inputs. I think this is the way I will need to do it.
Is there a simpler way? Am I missing something?
Why not use Custom Policies? This is the only functionality I am missing using the built-in policies, so it seems like overkill to introduce the additional complexity of getting everything working with Custom Policies, just to get a valid date. Plus Custom Policies are in preview at the time of asking, so are subject to change etc.
Many thanks!
I opened a question on the MSDN forums to see if I could get an answer there.
To sum it up, you need to use Custom Policies.
My concern regarding using features in Public Preview was addressed like so:
We recommend built-in policies for most scenarios. However, for a specific requirement (scenario), built-in policies may not fetch you the actual results. In that situation, you have to use custom policies. Yes, you're right, Microsoft does not recommend using preview features in a production environment. It is good to be cautious and follow the recommendations.

Custom UI Azure B2C for different websites

I have custom policies for sign up, sign in and reset password. All with custom ui.
I want to have different CSS styles and show different elements for different webs that use the sign up policy. Should I create different sign up policies with different custom UIs to accomplish this?
Also, I want to change the position of the UI fragments embedded by Azure B2C. Is css the only way to change this?
If you are using base B2C policies, then the only way is to create multiple sign-up/in policies. But please keep in mind that there's a limit to the number of policies you can have in your B2C tenant (currently 100 policies). So if you want to do that also for reset password or any other user journey, you will hit that really fast.
So... looking at the tags I can see Identity Experience Framework; in that case you can use the sample provided by MS - active-directory-b2c-ui-customization-custom-dynamic and change your UI based on the additional query parameter that is being sent to the policy.
As for moving embedded elements inside your <div id="api"></div> CSS is the standard way. But you can look at the b2clogin.com program that is currently in public preview but it is not recommended to be used for any production use.
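One way to handle the query-parameter approach from the answer above safely, as an added example that is not part of the original post or of the Microsoft sample: the parameter value is untrusted input on a sign-in page, so it only selects an entry from a fixed table and is never concatenated into a URL or markup. The parameter name "site", the theme table, the data-site-block attribute and the CSS host are assumptions for illustration; resolveTheme works the same on a template server or in page script.

```javascript
// Added example. "site", THEMES, CSS_BASE and data-site-block are hypothetical.
const CSS_BASE = 'https://static.example.com/b2c/css/'; // placeholder host
const THEMES = {
  shop:    { css: 'shop.css',    show: ['promoBanner'] },
  support: { css: 'support.css', show: ['helpLinks'] },
};
const DEFAULT_THEME = 'shop';

// Resolve the theme for a page URL. The query value only ever selects an
// entry from THEMES; it is never placed into a URL, HTML or CSS itself.
function resolveTheme(pageUrl) {
  const raw = new URL(pageUrl).searchParams.get('site');
  const key = typeof raw === 'string' ? raw.trim().toLowerCase() : '';
  // Own-property check so keys like "__proto__" or "constructor" are rejected.
  const known = Object.prototype.hasOwnProperty.call(THEMES, key);
  const name = known ? key : DEFAULT_THEME;
  return {
    name,
    fallback: !known, // true when the parameter was missing or not allow-listed
    cssHref: CSS_BASE + THEMES[name].css,
    show: THEMES[name].show.slice(),
  };
}

// Apply the theme: add the stylesheet and hide optional blocks not listed
// for this site. Blocks are marked in the template with data-site-block.
function applyTheme(theme, doc) {
  const link = doc.createElement('link');
  link.rel = 'stylesheet';
  link.href = theme.cssHref;
  doc.head.appendChild(link);
  doc.querySelectorAll('[data-site-block]').forEach((el) => {
    el.hidden = !theme.show.includes(el.getAttribute('data-site-block'));
  });
}

// Runs only in a browser; under Node the functions are just defined.
if (typeof document !== 'undefined') {
  applyTheme(resolveTheme(window.location.href), document);
}
```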

Terms of Policy and Privacy Policy for application release?

I want to release my application in the Play Store and the App Store.
But those stores require a PrivacyPolicyUrl, and I don't use a signup system.
And most applications have terms of policy in their signup view.
Is it essential?
So...
Is a Privacy Policy required for non-signup applications, too?
Are terms of policy required even if I'm just a developer, not a company?
Yes, a Privacy Policy is required even for apps that do not require sign-up. However, a sign-up screen is good as you can use the clickwrap method of getting active consent from users to accept your Privacy Policy.
The requirement of a Privacy Policy is due to sensitive permissions your app may ask for.
You can find the list of those permissions here: https://play.google.com/about/privacy-security/personal-sensitive/
Even if you don’t need and ask those permissions, make sure you know what third parties you use in the app that might trigger this requirement (eg. AdMob).
You’ll need to add the URL to the Privacy Policy URL at Store Listing section. The link must be publicly accessible. Google will not host it for you.
A Terms of Service is not required, but it’s useful to add rules regarding user-generated content, unacceptable behaviour and so on. For example, it’s useful to add intellectual property clauses, ownership over your content and licenses over user-generated content clauses.

Azure AD B2C Custom Policies - Javascript

Can we add JavaScript inside custom policies, and can we use a button click function to redirect to another page?
I have referred the following links when implementing custom policies.
JavaScript is now supported for custom policies. Here is the official documentation:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/javascript-samples
NB: it seems you need to use the b2clogin.com domain (not login.microsoftonline.com). I cannot find this documented at the moment, but a quick test shows that JavaScript is stripped out on login.microsoftonline.com. Here is the documentation for using b2clogin.com: https://learn.microsoft.com/en-us/azure/active-directory-b2c/b2clogin.
JavaScript is currently not supported in custom UI. See the note under Create your HTML5 content.
Custom JavaScript is not currently supported in Azure AD B2C. We are working to enable that feature - please vote for the feature here so that you can get an update when the preview is available.
Yes, you can use JavaScript in custom policies. See this sample: active-directory-b2c-advanced-policies.
PlayerProfileUpdate.html
<script src="https://wingtipb2ctmpls.blob.core.windows.net/wingtiptoys/js/analytics.js"></script>
<script src="https://wingtipb2ctmpls.blob.core.windows.net/wingtiptoys/js/selfasserted-playerprofileupdate.js"></script>
I don't know for sure about the button click redirect. On the surface, if you can use JavaScript then you should be able to do this.

AdalJs - How to disable silent renewing Tokens

I'm working on applying a custom company security policy in my company's application.
I use the AdalJs library and I see that even if I apply my Azure policy to the AD application, because of the silent renewing of tokens, I'm not able to comply with the policy requirements.
Is there a parameter to set in AdalJs library to disable the Renewing Tokens?
If not, I'll be forced to modify the library, but it is not what I'd like to do.
Thank you in advance.
OaicStef
No, there is no such parameter with which we can disable token renewing. If you have a common scenario that requires this feature, I suggest that you submit feedback from here.
And if it is not a common scenario, you may need to modify the source code. For example, you can modify the acquireToken function to remove the relevant code about _renewToken and modify it based on your special requirement.
