{Culture:RFC5646} is returning two different values for English. Currently, when a user uses ProfileEdit or SignUpSignIn they are returning different values.
For example:
ProfileEdit returns: en-us
SignUpSignIn returns: en
I am using this in the LoadUri of ContentDefinitions so that we can have the user redirected to a customized and translated html page. However, with the two return values I am having to maintain two directories "/en" and "/en-us" instead of one.
I have verified that all the parent and child policies ContentDefinition's LoadURIs are using {Culture:RFC5646}.
We have tested multiple users from different locations.
I have researched the Azure B2C IEF localization documents, and it makes a reference to how the language is determined but it does not shed light on why the same user, with the same browser will return different values for {Culture:RFC5646}
Here is the Content Definition Load Uri for SignUpSignIn
<ContentDefinition Id="api.localaccountsignup">
<LoadUri>https://*****/b2c/IEF/{Culture:RFC5646}/selfasserted.html</LoadUri> <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:1.1.0</DataUri>
<Metadata>
<Item Key="DisplayName">Local account sign up page</Item>
</Metadata>
</ContentDefinition>
And here is the code for Profile Edit
<ContentDefinition Id="api.selfasserted.profileupdate">
<LoadUri>https://*****/b2c/IEF/{Culture:RFC5646}/updateprofile.html</LoadUri>
<RecoveryUri>~/common/default_page_error.html</RecoveryUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:1.1.0</DataUri>
<Metadata>
<Item Key="DisplayName">Collect information from user page</Item>
</Metadata>
</ContentDefinition>
What I would like is that the {Culture:RFC5646} return the same value for the same user. For example, SignUpSignIn returns "en-us" and ProfileEdit returns "en-us" that way I can maintain one directory instead of two.
I discovered the problem was being caused by the different policies were inheriting different Base Policies. Once I had them inheriting the same Base Policy, it is working as intended.
Related
Use case : As a developer i want to to extract the redirect_uri from the b2c idp url and then apply claim transformation preferably a string one to extract certain information and use that to build the loadURi under content definition and display the html pages dynamically
Below is the b2c idp url https://something.b2clogin.com/something.onmicrosoft.com/B2C_1A_Signup_Signin/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile&client_id=some_id&redirect_uri=https%3A%2F%2Fsomething.somedomain.com&state=somestate0%3D&nonce=some_id&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.4.4&client-request-id=some_client_request_id&response_mode=fragment
From the above redirect_uri = https://something.somedomain.com-- using a claim transformation i want to extract somedomain
make the call to the parameter in the relying party.xml as below
<DefaultUserJourney ReferenceId="SignUpOrSignIn" />
<UserJourneyBehaviors>
<ContentDefinitionParameters>
<Parameter Name="redirect_uri">{OIDC:RedirectUri}</Parameter>
</ContentDefinitionParameters>```
Build the LoadUri in contentdefinition of api.selfasserted
```<ContentDefinition Id="api.selfasserted">
<LoadUri>https://somestoragaccount/{OIDC:RedirectUri}/unified.html</LoadUri>
<RecoveryUri>~/common/default_page_error.html</RecoveryUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.0.0</DataUri>
<Metadata>
<Item Key="DisplayName">Collect information from user page</Item>
</Metadata>
</ContentDefinition>```
• I would suggest you to please refer to the string claims transformations as stated in the below document as described for your reference: -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/string-transformations
In that, the string comparison, claims transformation, change case, comparison and other scenarios are explained in detail.
Also, refer to the below claim resolver documentation link that explains the various parameters to be included in the technical profile for direct sign-in and other scenarios: -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview
In our B2C environment, we are testing using custom screens to change the user interface of each screen in our custom policies.
So far I have been able to update these and test them. However when it comes to the error page:
<ContentDefinition Id="api.error">
<LoadUri>~/tenant/templates/AzureBlue/exception.cshtml</LoadUri>
<RecoveryUri>~/common/default_page_error.html</RecoveryUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.0</DataUri>
<Metadata>
<Item Key="DisplayName">Error page</Item>
</Metadata>
</ContentDefinition>
I have updated the LoadUri line to point to our custom screen:
<LoadUri>https://xxxxx.blob.core.windows.net/xxxxx/custom-error.html</LoadUri>
However, how can I go about testing what this displays? For the other screens it is possible as you step through each policy. But the error screen should only show when a relevant error occurs. How can I initiate an error to do this?
You can test the Error page by going to the Authorization endpoint without passing a client Id. For example:
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/B2C_1_signup_signin/oauth2/authorize
I am using custom policies and I have defined the location of the custom exception page as follows:
<ContentDefinition Id="api.error">
<LoadUri>https://{Settings:BlobStorageAccount}.blob.core.windows.net/{Settings:BlobContainer}/html/global_exception.html</LoadUri>
<RecoveryUri>~/common/default_page_error.html</RecoveryUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.0</DataUri>
<Metadata>
<Item Key="DisplayName">Error page</Item>
</Metadata>
</ContentDefinition>
However, how do you go about triggering an internal API exception within Azure AD B2C to see this page in action? I tried also using a default user policy and adjust the location but there doesn't seem to be a way to view the page that way as well.
You can set the client_id parameter in the authorization request to an unknown value where this should display the error page with the following text:
AADB2C90018: The client id '<client_id>' specified in the request is not registered in tenant '<your_tenant_name>.onmicrosoft.com'.
I followed the sample in the documentation to integrate custom email through DisplayControl on the signin and signup flow. This flow works as described.
I am also using the reset password flow. It should use the same custom email so I tried to transfer the changes from the signin/up flow to the password reset flow.
The VerificationDisplayControl is not rendered on the page!
What I changed: In TechnicalProfile LocalAccountDiscoveryUsingEmailAddress I added
<DisplayClaims>
<DisplayClaim DisplayControlReferenceId="emailVerificationControl" />
</DisplayClaims>
reusing the already present configuration.
What did I miss? Any suggestions?
Make sure you updated the content definition page contract version for that technical profile which supports display controls.
<Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
<ContentDefinition Id="api.localaccountpasswordreset">
<LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>
<RecoveryUri>~/common/default_page_error.html</RecoveryUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.0.0</DataUri>
<Metadata>
<Item Key="DisplayName">Local account change password page</Item>
</Metadata>
</ContentDefinition>
I am able to retrieve refresh tokens for my custom B2C policies but would like to increase the token lifetime to the max limit or set the sliding window lifetime to No Expiry.
This was able to be done via the Azure Portal B2C settings for Basic policies but is not available in the portal for custom policies.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-token-session-sso#token-lifetimes-configuration
How can I configure this in my policies?
Check out this article.
Specifically add the following in your RP technical profile.
<Item Key="token_lifetime_secs">3600</Item>
Can look like this (copied from docs)
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>Token Issuer</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="JwtIssuer">
<Metadata>
<Item Key="token_lifetime_secs">3600</Item>
<Item Key="id_token_lifetime_secs">3600</Item>
<Item Key="refresh_token_lifetime_secs">1209600</Item>
<Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
<Item Key="IssuanceClaimPattern">AuthorityAndTenantGuid</Item>
<Item Key="AuthenticationContextReferenceClaimPattern">None</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
What Parakh said is correct but please take note of the banner on the page that he linked to which says the following about SPA apps with PKCE:
Note
Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours while mobile apps, desktop apps, and web apps do not experience this limitation. Learn more about the security implications of refresh tokens in the browser.
That means that settings such as the following may not be respected for those apps:
refresh_token_lifetime_secs
rolling_refresh_token_lifetime_secs
allow_infinite_rolling_refresh_token
This last one is never respected for SPA w/ PKCE