So, I am pretty new to ADB2C Custom Policies but here is what I have:
I have a Custom Policy with a few Technical Profiles.
I have a Custom Page with a bit of JavaScript.
The technical profile calls a REST API for some additional validation. The validation API returns an error code to ADB2C. But what I would need to do now is to display a link in reaction to a specific error returned by my validation API.
What would be the correct way to get an error code from my Validation API through my Technical Profile to my Custom Page and then react to that error in my own JavaScript? I am pretty sure you should be able to do this but I can't find any official Microsoft Documentation on that particular step.
Depending on the error:
B2C service issue: a static error is issued to the app, as described in Error codes: Azure Active Directory B2C. This also applies to an unhandled error not originating from the B2C service, e.g. the REST API does not respond; an error is returned to the app.
REST API returns an error in a Validation technical profile: the error is shown to the user within the B2C page.
You can:
1: Get error details from the query parameters appended to your app reply URL, e.g.: https://localhost:44316/#error=server_error&error_description=AADB2C90075%3a+The+claims+exchange+%27REST-API-Endpoint%27+specified+in+step+%274%27+returned+HTTP+error+response+with+Code+%27BadRequest%27+and+Reason+%27Bad+Request%27.%0d%0aCorrelation+ID%3a+5b64bf9c-739b-4d1b-8bb2-d03f3fb7a811%0d%0aTimestamp%3a+2020-05-07+00%3a46%3a42Z%0d%0a
2: Customize the api.error content definition and do some JavaScript handling there.
The preferred option (also applicable to 1) is to make the API always return 200, but with response content including a success (boolean) and error-related properties, so that you can redirect the user to a custom content screen using preconditions based on the claims output from the aforementioned response properties.
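As an added example (not part of the answer above), this is how page script can pick apart the error fragment B2C appends to the reply URL in option 1 and tell a REST API step failure from other errors. The sample URL is the one quoted in the answer; the technical profile id passed to the check is whatever your policy names that step.

```javascript
// Added example: parse the error details Azure AD B2C appends to the app reply
// URL fragment (option 1 above) so page script can react to a specific code.
// SAMPLE_REPLY_URL is the URL quoted in the answer, not live data.
const SAMPLE_REPLY_URL =
  "https://localhost:44316/#error=server_error&error_description=AADB2C90075%3a+The+claims+exchange+%27REST-API-Endpoint%27+specified+in+step+%274%27+returned+HTTP+error+response+with+Code+%27BadRequest%27+and+Reason+%27Bad+Request%27.%0d%0aCorrelation+ID%3a+5b64bf9c-739b-4d1b-8bb2-d03f3fb7a811%0d%0aTimestamp%3a+2020-05-07+00%3a46%3a42Z%0d%0a";

function parseB2CErrorFragment(replyUrl) {
  const hash = new URL(replyUrl).hash;                 // "#error=...&error_description=..."
  const params = new URLSearchParams(hash.slice(1));   // decodes %xx and '+' (space)
  const error = params.get("error");
  const description = params.get("error_description");
  if (!error || !description) return null;             // a normal (non-error) response

  // error_description is line based: "AADB2Cnnnnn: message", then
  // "Correlation ID: ..." and "Timestamp: ..." on their own lines.
  const lines = description.split(/\r?\n/).map(l => l.trim()).filter(Boolean);
  const result = { error, code: null, message: lines[0], claimsExchange: null,
                   step: null, correlationId: null, timestamp: null };

  const head = lines[0].match(/^(AADB2C\d+):\s*(.*)$/);
  if (head) { result.code = head[1]; result.message = head[2]; }

  // For claims-exchange failures, B2C names the technical profile and the step.
  const ce = result.message.match(/claims exchange '([^']+)' specified in step '(\d+)'/);
  if (ce) { result.claimsExchange = ce[1]; result.step = ce[2]; }

  for (const line of lines.slice(1)) {
    const m = line.match(/^(Correlation ID|Timestamp):\s*(.*)$/);
    if (!m) continue;
    if (m[1] === "Correlation ID") result.correlationId = m[2];
    else result.timestamp = m[2];
  }
  return result;
}

// True only when the failed claims exchange is the REST API technical profile
// the page cares about, so a help link is shown for that case alone.
function isRestApiStepFailure(parsed, technicalProfileId) {
  return !!parsed && parsed.claimsExchange === technicalProfileId;
}
```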
We followed the example for magic links from here
https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-magic-link
We can generate the magic link and are redirected to our application with an "id_token", but we get the error "message.state is null or empty".
We assume that we need to follow the instructions for production use in chapter "Using this in your Production Application" on the page above, but we don't understand how we can use the "authentication library" to generate the magic link for us as described. Maybe this library would append a "state" to our magic link which is then validated by B2C.
Is there any working sample code which works in production systems for magic links?
Update:
We already use a B2C policy "B2C_1A_signup_signin" (for local and social accounts) with callback path "/signin-oidc". Therefore, with "services.AddMicrosoftIdentityWebAppAuthentication", we added another callback path for the magic link, "/signin-oidc-magic", with a second policy "B2C_1A_signup_signin_magic".
We generate the magic link "manually" (like in the sample project) with "/signin-oidc-magic" as the return URL.
B2C redirects correctly to this callback path, and the OpenIdConnectEvents for the second callback path are raised, but in the event OnRemoteFailure we get the error message "message.state" is null.
Should we merge both policies? Or is something wrong in our approach?
You need to pass the hint parameter to your app, and have your app's authentication library pass it in an authentication request to B2C.
JS: https://learn.microsoft.com/en-us/azure/active-directory-b2c/enable-authentication-spa-app-options#pass-an-id-token-hint
.Net: https://learn.microsoft.com/en-us/azure/active-directory-b2c/enable-authentication-web-application-options#pass-an-id-token-hint
I struggled with this myself for a while. The way I understand it now is that, in order for the magic link to redirect properly to your application after getting the token back from AD B2C, it should not be passed straight to the 'Run now' link for the custom policy but first to your application to extract the token and then passed to the OnRedirectToIdentityProviderFunc as in the documentation mentioned in the answer above. I think that does mean that you need to merge the claims extraction technical profile into the same custom policy as the regular signin/signup flow and you can't have 2 separate custom policies, but I would like to get more clarification on this myself as this use case is definitely not obvious from the samples. What good is it if they can only redirect to jwt.ms but not an actual application?
I'm using the built-in azure b2c sign up user flow in my application. The signup form doesn't give the proper validation messages. It always gives one generic message and it's always located at the top. Is there any way to customize this message and put it below the input field, that failed the validation?
The following image shows one scenario where the password is weak, but still, the error message has no indication about the password.
Please take a look at this: https://learn.microsoft.com/en-us/azure/active-directory-b2c/localization#predicate on using predicates to define the error message displayed to a user.
I am using custom policies to enable mobile number authentication in my mobile app.
I have used custom UI files to manage the UI of the policies using blob storage as given in the following link:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-ui-customization-custom
Now I want to add support for the Chinese language for the sign-in, sign-up and password reset policies. For that I am following the Microsoft document:
https://learn.microsoft.com/bs-latn-ba/azure/active-directory-b2c/localization#set-up-localization
along with a reference document I found on GitHub:
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Migration-JIT-sample/B2C_1A_Demo_Base.xml
FYI, I have used this MS link to get started with custom policies:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
but I wanted mobile authentication instead of email, so I made the changes given in this Stack Overflow link:
Can Azure-AD B2C use a mobile telephone number as a username?
I am following the exact steps given in the document, but when I run the policy it gives me the error:
One of the request inputs is out of range.
After following the steps, it generates a URL like this:
https://smarthomestgdev.blob.core.windows.net/en/b2cpagelayout/signup.html
The URL is correct, but it does not render any sign-up page and gives a blank page.
Can anyone help me solve the issue?
We have a working user journey scenario (roundtrip), where the user signs up/signs in, gets an objectId, and at the end we call a REST service sending the objectId to receive a custom attribute (a uniqueidentifier from an on-premise service) to add it as a custom attribute (extension) in Azure AD.
As said, this works fairly well, but we would like to react to errors when the REST service call fails (e.g. the server is down). Right now the user shows up in AD, but it is missing the unique identifier as a custom attribute.
Is there a way we can react to errors in the execution of a Technical Profile?
For example, make another REST call where we can handle this error? By default the user now gets to see a standard error page.
Thx
I am trying out Azure AD B2C. The user signup/sign-in is fine when MFA is turned off. But when I turn it on, and the user tries to sign in, provides the phone number, and requests a text message by clicking "send code", I get the HTTP 400 error: size of request headers is too long. Does anybody else have this issue?
The error HTTP 400: Size of header request is too long generally happens because there's too many cookies.
Azure AD B2C's login goes through login.microsoftonline.com, as does almost every Microsoft service (O365, Azure, etc.). So if you've got several accounts that you've signed in to across these services, you're accumulating cookies that will cause this problem.
Clearing the cookies should resolve this problem. If this is happening on a recurring basis, you should edit your question to include details about the request and cookies in order to best figure out what's bloating the request and how to reduce it.
Short answer: the file with the custom UI was not found by the Microsoft login service. After getting shipped around, it resulted in the error.
I had the same error with AAD B2C, but "cookies" was not the problem. In my case I got the error while testing in the Azure B2C portal, checking the policies and the custom UI pages. We use Azure Blob storage to hold the custom login setup; it's fast and it scales without our attention. The problem was found by using my test website using the B2C service. I put a stop/break on the Account controller's "public Task OnRemoteFailure(RemoteFailureContext context)" method. The debugger message gave me the full context of the error, an HTTP 404 error, and it gave the file name it was trying to find. Blob storage is case sensitive. The setup configuration used to configure B2C has camelCase names. The group who created the actual UI customization uses all lower case names. It took someone with access to all the assets to find the simple case name issue. Errors in distributed systems can be difficult.