My B2C policies are used by a mobile application and have a long refresh token expiry date. My requirement is: how can we update the privacy policy so that the user has to accept it to continue using the mobile app, without having to log out and log in again?
We can force users to check a box to accept the "terms of use" when the user signs up or signs in. But if the user is already signed in, he must log in again to trigger the check.
Here is a sample regarding sign up and sign in with a 'Terms of Use' prompt.
We created Sign Up and Sign In userflow for our B2C application to authenticate users.
Everything is working fine. But I want to categorize signed in users and signed up users.
I checked the logs but there is not much difference. How do I identify who are new users and who are existing users?
PS: Userflow is Sign Up and Sign In with username
EDIT: I am unable to get the new flag in the token claims even after adding the application claim.
There is a "User is new" (newUser) claim available within the Sign-up or sign-in policy that you can enable.
This will add the "newUser" flag to your token, and it is true when the user signs up for the first time.
Azure B2C User Flow SignUp/SignIn with Email/Number.
Requirements:
SignUp with Email/Phone:
While signing up, when the user clicks register, it shows that the email/phone number already exists, but we want that when the user already has that email, it automatically moves to the login flow.
SignIn with Email/Phone:
When the user clicks sign in and the user does not exist, it should automatically navigate to the sign-up page, so the user does not need to manually go to sign up.
Forget Password with Email/Phone:
With the Email/Phone number sign-in/sign-up flow, the reset password policy to change the password is missing; only the change phone number option is shown. We need to reset the user's password.
The Cancel icon is missing on the phone number sign-up flow.
I did reproduce your scenario and found that there is currently no prebuilt option or mechanism in Azure AD B2C user flows that redirects a user to the sign-up page when they try to sign in without having signed up, or vice versa.
Azure AD B2C offers various sign-up and sign-in options for users of your applications:
I configured my Azure AD B2C local accounts to allow sign-up and sign-in using an email address. There are also other ways: with username, phone number, or a combination of methods.
For Forgot Password with Email/Phone, enable self-service password reset under the properties of your created user flow.
Please follow this GIF to apply Forgot Password with email and the attributes which I have set for my user flow.
I have shown a demo of how my user flow is working; please check this GIF as well.
I have redirected my web app to https://vikashgaurav.com/portfolio/ after successful sign-in.
Reference : https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-sign-up-and-sign-in-policy?pivots=b2c-user-flow
My scenario is a public website, with authenticated access that is managed by AzureAdB2C, and the authentication is not embedded but on a subdomain style. In the authentication form I see that there's the option for password reset (for someone who forgets it) but my question is when the user is already authenticated and so outside Azure context, how can he ask for a password change?
Is there any endpoint or so (that would receive the email linked to the account)?
Thank you
Still not clear because you mention "fire the change/reset password flow?". Which is it or is it both?
If reset, you can use a custom policy. Just put the link to the policy on your page.
There are a number of password reset flows that may be of interest.
For change password, see here. Again, just put the policy link on the page.
Unsure if you would have to login again.
You can Configure password change using custom policies in Azure Active Directory B2C.
In Azure Active Directory B2C (Azure AD B2C), you can enable users who are signed in with a local account to change their password without having to prove their identity through email verification. The password change flow involves the following steps:
The user signs in to their local account. If the session is still active, Azure AD B2C authorizes the user and skips to the next step.
The user verifies the Old password, and then creates and confirms the New password.
If the question is to reset the password because the user forgot it but is still logged in, I can imagine logging out the user and redirecting them to the login page where they can choose the reset password option.
EDIT:
The Azure AD B2C article Set up self-service password reset for your customers states that
This article applies to self-service password reset used in the context of the standard Sign in user flow, which uses Local Account SignIn as the identity provider. If you need fully customizable password reset user flows invoked from your app, see this article.
Somehow resetting your password with a password reset flow / custom policy while you're logged in and don't 'need' your current password feels weird.
We have a scenario where a logged-in user (SFA, authentication has been done by Azure policies) needs to do some high-value transactions.
To allow this, we need to throw an additional authentication challenge. (MFA)
If the user's access was successful, we need to enrich the token somehow so we can read it on the client side.
I tried to use scopes for this scenario, but as they are set per application I couldn't make it happen. Any thoughts on how it can be implemented in Azure B2C?
Thanks
The usual approach is for the application to look at the "acr" claim. This claim tells the app which B2C Auth policy the user has last arrived with. Therefore, in your app implement this logic:
User clicks high risk item
App checks current token "acr" claim
If acr != "B2C_1_MFA", then redirect the user to authenticate via a sign in/up policy that has MFA enabled
You need to create a sign in/up policy with MFA enabled and the above logic to get this to work. The App only needs to know about the policy name to know if the authentication challenges have been satisfied.
If the user has already logged in when this B2C policy is executed, the built-in Single Sign-On will skip the user having to enter their credentials again, and they will instead only need to complete the MFA step.
I've implemented the password change custom policy according to the documentation and use msal.js on the frontend to start the password change flow. This works, except that the user needs to sign in again although the user is already signed in to the application. So it asks the user for credentials every time. Why isn't B2C detecting that the user has already signed in, and how can I solve this?
Thanks!
MSAL.js is setting the prompt parameter, therefore, forcing B2C to ignore the cookie, therefore, forcing the sign-in.
const urlNavigate = authenticationRequest.createNavigateUrl(scopes) + "&prompt=select_account" + "&response_mode=fragment";
Source
You can verify this by taking the URL MSAL.js redirects the user to and removing the prompt query parameter.
Related GitHub Issue: Allow Controlling the prompt parameter. We need to convince the MSAL library owners we need control over this parameter.
If you are trying to test through the B2C Custom Policies "Run now" endpoint, just remove the &prompt=login query parameter from the link. If you are already logged in it will skip the login, if you are not, it will still prompt for your credentials.
Credit to Jas Suri: Azure B2C EditProfile custom policy without Signing In first