How to: Restart Azure AD B2C UserJourney when user cancels signup - azure-ad-b2c

I've setup a custom policy in B2C that combines all 3 main operations: sign in, sign up and reset password. The sign up and reset password pages both support a CANCEL button, which ends the user journey and returns an AAD error code.
[Update] For clarification, the policy starts with asking for login credentials. It also offers "Forgot password" and a "Sign up" link. Both are linked to further orchestration steps to show the relevant screen. Its those that have the CANCEL. And when pressed, I want to go back to the first screen that asks for the credentials.
Is there a way to express within the UserJourney that when a CANCEL occurs, it should go back to OrchestrationStep = 1?

I think the only control available is to skip an orchestration step in a policy. Based on AAD error code. You have two options
Catch the error code generated out of cancellation and redirect to policy again.
Hide B2C's cancellation button, using javascript. Implement a button yourself which will mimic back button behavior.

As #Abhishek Agrawal mentioned, there is no native way (i.e. - an xml policy configuration parameter you can set) to add a restart-flow/login button to the signup page.
If your main aim is to just navigate from '/signup' baack to '/signin', I would recommend adding the following html to your template, which you can then style to your liking:
(Note the call to `history.back()` on the anchor tag)
<body>
<div class="container unified_container">
<div class="row">
<div class="col-lg-6">
<div class="panel panel-default">
<div class="panel-body">
<div id="api"></div>
<div id="signinContainer">
<p>
Already Registered?
<a
id="signinLink"
type="submit"
aria-disabled="false"
aria-label="To Sign in screen"
href="javascript:history.back()"
>Log in</a
>
</p>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
Alternatively, if you know that you will want to go back a specific number of times (for example, back 3 pages), you can use the following instead of the history.back() we saw above:
history.go(-3);

Related

Azure AD B2C strips html tags from Custom UI template

While trying to customise the unified (Sign In & Sign Up page), I have this simple HTML in my unified.html template (fragment):
<div class="col-4 login-box gradient-background">
<div>
<h1>WELCOME TO<br/>SuperFancyProductName<sup>®</sup></h1>
</div>
<div id="api" data-name="Unified"></div>
</div>
However, when Azure AD B2C renders the Sign In page, the element is stripped of from inside the h1 element, with this result (fragment):
<div>
<h1>WELCOME TO<br>SuperFancyProductName®</h1>
</div>
In our case, this does not allow us to properly align the ® symbol.
Is there any documentation on what tags are allowed in the template html and how this template transformation actually works?
There is a subset of HTML that is allowed but is not documented.
It looks like the superscript tag is not allowed here. For reference, see this Github issue.
The docs team is still working on an update to show what's allowed.
You can upvote some of the requests in User Voice or create your own request: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31173091-improve-the-tag-filtering-on-the-b2c-custom-ui-tem

Implementing Oauth Server with Authorization Code grant

A bit naive question. I am implementing OAuth server 2.0 with grant type = Authorization code grant. Here's what I have done
1) Created 2 endpoints as /login and /token
2) Created a login page with html as
<html>
<form action=\"/login\" method=\"post\">
<div class=\"textcontainer\">
<label><b>Sign in</b></label>
</div>
<div class=\"emailcontainer\">
<input type=\"text\" placeholder=\"Enter email\"
name=\"uname\" required>
</div>
<div class=\"passwordcontainer\">
<input type=\"text\" placeholder=\"Enter Password\"
name=\"psw\" required>
</div>
<div class=\"signincontainer\">
<button type=\"submit\">Sign in</button>
<input type=\"checkbox\" checked=\"checked\"> Remember me
</div>
<div class=\"container\" style=\"background-color:#f1f1f1\">
<span class=\"psw\">Forgot password?</span>
</div>
</form>
3) The above page will be displayed when client sends
GET
/login?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=STATE_STRING&scope=REQUESTED_SCOPES&response_type=code
4) I will save the state and redirect URI and the html page is displayed.
5) When user enters email and password and clicks submit button, then a POST will be issued to my server as POST /login and I will fetch the email and password from the request and verify.
Now the problem is I am not able to figure out a way to know if this POST has come from the same client who has called the previous GET.
Is there any way/html trick I can do to resend the state again in my submit button post? Is saving client IP the only way?
I understand the POST /token so that part is clear.
Thanks
Sammy
You can generate a unique identifier (GUID) on the server, before sending the form.
Then put it into the form inside a hidden input :
<form>
... your code
<input type="hidden" value= "<%= <your identifier> %>">
</form>
Then this unique value will be returned to you in the POST.
the way you insert the identifier depends on your programming language, I used C# an the above example.

Moneris - Setting up a Test Hosting Pay Page

I'm trying to make a fix to a moneris website, but I have to change the mode of moneris to test to test the changes before pushing in production.
I'm trying the code on the example page as is and got an error. "Invalid store credentials."
<FORM METHOD="POST" ACTION= https://esqa.moneris.com/HPPDP/index.php >
<INPUT TYPE="HIDDEN" NAME="ps_store_id" VALUE="AF4Fs1024">
<INPUT TYPE="HIDDEN" NAME="hpp_key" VALUE="Hsjh4GSr4g">
<INPUT TYPE="HIDDEN" NAME="charge_total" VALUE="1.00">
<!--MORE OPTIONAL VARIABLES CAN BE DEFINED HERE -->
<INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Click to proceed to Secure Page">
</FORM>
So if this is not how you can make a test payment to test the process, how can you?
PS: Seems there's no moneris tag.
You need to goto the developers page of Moneris and create a test environment first Developer Page
After creating the test store you'll need to input the store id and hp key in the values of the form you posted.

j_security_check invalid direct reference

I currently have a login form on a public, unprotected http page. Upon login I want the page to redirect to a secure https page. I am receiving this error screen when I try to login however:
I'm 90% sure my syntax is accurate. I have this exact form as a login page elsewhere on the site. This implementation is for a drop down box that enables the user to login. Here is my form for reference. Any help is appreciated, Thanks.
<div class="login-options">
<form id="login" name="j_security_form" action="<%out.write(Dropdown.getXML("https://www.xxx.com/public/j_security_check")); %>" method="post" accept-charset="UTF-8">
<strong>Account Login</strong><br>
Username:<br>
<input type="text" name="j_username"><br>
Password:<br>
<input type="password" name="j_password"><br>
<br>
<input type="submit" value="Login"><br>
<br>
New users register here<br>
Forgot password?
<input type="hidden" name="auth_mode" value="basic">
<script>
var newloc = document.location.href;
newloc =newloc.replace('index.jsp','index.jsp');
document.write('<input type="hidden" name="orig_url" value="'+newloc+'">');
</script>
</form>
</div>
Might be because you're trying to directly reference the url for j_security_check. I would try referencing a page that requires login creds, then it'll redirect to the secure page once it sees that there are adequate credentials.

Cannot track the user securely who made the purchase in PayPal IPN

I am building a website which utilizes paypal payment system and I came up with one security challenge issue:
I have the following form from paypal IPN:
<form class="form-horizontal" action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="ABCDEFEGDEDS">
<input type="hidden" name="on0" value="Balance">
<label>Amount</label>
<select class="form-control" name="os0" id="deposit_paypal">
<option value="1000">$1000.00 USD</option>
<option value="2000">$2000.00 USD</option>
</select>
<input type="hidden" name="custom" value="<?php echo $user->id; ?>">
<input type="image" src="https://www.paypalobjects.com/ru_RU/i/btn/btn_buynow_SM.gif" border="0" name="submit" alt="PayPal">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
I wanted to know which user has made the transaction. Searching the internet, I've found that I can create a custom field as I did above. The reason I track the user is I should add balance to his virtual account after purchase completed.
But the problem is: What if malicious code(javascript malware) just changes the user id in the custome form field to 4?
The balance will be added to that user which has the id of 4 not previous one.
Ok. One would recommend me inserting the form data to db before sending to paypal for later comparison.
Second problem arises. What if the user just exits the paypal page without completing the order after pressing the submit button? This is something I cannot track since paypal does not belong to me and it opens in other page.
Please, any other solution to these issues? I want some best practice where I can track securely which user has made the purchase through paypal IPN.
You could store the data in your database within a temp table, then once the IPN completes you can move it over to the permanent table. Set up a cron job or scheduled task to go through your system every 24 hours or so and delete any records that have not completed in that time.

Resources