OneLogin - OIDC - Implicit Flow - login_hint - onelogin

Does anyone know if there is a workaround for OneLogin's lack of support of the login_hint parameter during the OIDC implicit flow request?
My main goal is to be able to pre-populate the username/email of the login page.
https://{subdomain}.onelogin.com/login
The redirect generated by the implicit flow request to the login page does not include the hint information. The login form does, however, load the email address of the user who last signed in successfully, which is great, but not the best experience for a first sign-in.
I also noticed that you can pre-populate the email address by calling the login page directly and providing an email query string parameter; however, this does not meet our need.
https://{subdomain}.onelogin.com/login?email=user@example.com

I received confirmation from the OneLogin support team that the login_hint query parameter is not currently supported, but that they may add it in the future.

You can add login_hint to $parameters params:
$auth->login(null, array('login_hint' => $email));

Related

login_hint / set email as readonly - azure ad b2c

I'm using the ready-to-use User Flow available for SignUpIn. I've figured out it's possible to pass the email using the querystring parameter login_hint, but the focus stays on the email field and my customer wants to avoid an additional 'tab' in order to speed up the login process.
I also found a sample which splits a login journey in two steps, but I can't find a way to go directly to the second step, as it uses csrf in order to validate the flow started from Azure AD B2C.
Questions:
1. Is it possible to mark email as readonly when passing a value from the login_hint querystring parameter?
2. In case question #1 is not possible, is it possible to set the focus to the password field?
3. Using the custom CIAM User Flow, can I go directly to the second step, assuming I already know the email?
This sample shows how.
Get the login_hint via {OIDC:LoginHint}
Make a readonly claim
Copy login_hint to readonly
Set the readonly as an input claim in the signin/up

Azure AD B2C verification link with dynamic redirect uri & response type

I'm currently implementing custom mail verification for B2C following the sample found on github https://github.com/yoelhor/aadb2c-verification-link
When generating the link I would like to pick up the values for redirect_uri and response_type from the original request instead of defining it in appsettings. Is there a way to pass both query parameters on to the mail app?
I've hit this as well, making something similar for password reset. As far as I can tell, those values are not available from claim resolvers, so you can't get them. Unless you use custom query parameters which duplicate the values.

Azure B2C with pre-invited users

I maintain an app where we use Azure AD B2C to authenticate.
The flow is this:
Users are invited by email
They click a link to sign up using a B2C signin/signup flow
They fill in their info, including email address
They are redirected to our app
Now, what bothers me is that the users have to enter in their email address, even though we already know it. We just invited them using their email address.
It has been suggested that we could send people to a password reset page instead. But that doesn't seem ideal either, since they then have to verify their email address, even though we just verified it. After all, they started the flow by getting an email.
In many cases the users mis-type their email address when they are asked for it. That creates a lot of new issues, because we now have two different email addresses for the same users.
A similar question has already been answered: How to pass email suggestion to Azure AD B2C SignUp page. The answer https://stackoverflow.com/a/56503578/341185 describes how to send invitations.
Alternate approach using Javascript in custom policies
You can use custom policies along with Javascript to show email of the user in email address text box.
Approach:
While sending the invitation link, send an extra query parameter like &email_hint=azureb2ccustomer@b2clogin.com and follow the steps below to show this email_hint value in the email address text box.
Steps:
Enabling Javascript in custom policies https://learn.microsoft.com/en-us/azure/active-directory-b2c/javascript-samples
Change page contract to allow custom policies to run javascript https://learn.microsoft.com/en-us/azure/active-directory-b2c/page-contract
Update SignupOrSignin user journey to directly take to SignUp page https://stackoverflow.com/a/56503494/341185
Update your blob HTML page to read query parameters and put the value inside email textbox
var emailHint = new URLSearchParams(window.location.search).get('email_hint');
// get() returns null when the parameter is absent; skip the prefill rather than writing the string "null" into the field
if (emailHint) document.getElementById("email").value = emailHint;
Click here for example request
Add your comments if you still require any other kind of approach than described above to fit into your business model.
If you want to use custom policies, you can use the flow for password reset that has:
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=JWT
This puts the email address in a JWT so the user does not have to enter it.
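As an added example (not code from the thread or from Microsoft), the following mints the signed hint described above and carries it on the authorize request through the client_assertion_type / client_assertion parameters quoted; it also shows the checks the receiving side needs before trusting the email claim. The tenant, policy, client_id and redirect_uri are placeholders, the HMAC secret is a constructed sample, and the claim names and key a real policy expects are assumptions to adapt.

```python
# Added example, not code from the thread or from Microsoft: mint the signed email hint the answer
# describes and place it on the authorize request as client_assertion. Tenant, policy, client_id and
# redirect_uri are placeholders; the HMAC secret is a constructed sample; claim names are an assumption.
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hint_jwt(email, secret, issuer, audience, ttl=600, now=None):
    """Short-lived HS256 JWT carrying the invited user's email as a claim."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl, "email": email}
    signing_input = f"{header}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_hint_jwt(token, secret, issuer, audience, now=None):
    """The checks the receiving side needs before trusting `email`: alg, signature, iss, aud, exp."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuses alg=none and algorithm substitution
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")  # payload or signature was altered
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims

def build_authorize_url(tenant, policy, client_id, redirect_uri, state, nonce, assertion):
    """Implicit-flow authorize request (placeholder B2C host layout) carrying the hint JWT."""
    params = {
        "p": policy, "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "id_token", "response_mode": "form_post", "scope": "openid",
        "state": state, "nonce": nonce,  # still required; the hint does not replace them
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion,
    }
    return f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize?" + urlencode(params)
```

Because the token is bound to an issuer, audience and expiry, a hint lifted from one invitation email cannot be replayed later or against another relying party.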

Custom Azure B2C Password Reset Flow via Username

I set up a password reset flow using Azure B2C and local Azure accounts that uses the user's email address and verification code. However, my client would like to have a password reset email sent to the user based on the user name, not the email address. The user's email would be looked up behind the scenes and an email sent that would include a link to the password reset page, as shown in the flow below.
After reading a gazillion articles on custom Azure B2C policies, I'm struggling to convince myself if it is possible to do what the client is asking for using Azure B2C.
In the sample password reset flow shown below, some of the areas I'm struggling with include:
Is it possible to create custom pages in the password reset flow such as the page in Step 4 that displays the user's masked email address, or the information page in Step 7?
Is there built-in functionality to look up a user's email address and Active Directory Object ID based on their user name, or would I have to call out to a custom Azure Function and use the Graph API to do this?
Is it possible to create and send a custom email that includes a hyperlink to the password reset page that includes the user's Active Directory Object ID as a query string parameter so the password reset page knows which user's password is being reset?
At the moment, it seems like it would be easier to create a completely custom ASP.NET MVC app to handle the requirements than it would be to use Azure B2C custom policies, but that isn't really a path I want to go down.
Is it possible to create custom pages in the password reset flow?
Yes, you can create your own custom password reset user flow using Azure Active Directory B2C. In your case, if you want to figure out your custom page, you could refer here.
Is there built-in functionality to look up a user's email address and Active Directory Object ID based on their user name, or would I have to call out to a custom Azure Function and use the Graph API to do this?
Using the Microsoft Graph REST API you could fetch your user information. In your case you could use:
List users
Get a user
To access user information you could also refer here, in great detail.
Is it possible to create and send a custom email that includes a hyperlink to the password reset page that includes the user's Active Directory Object ID as a query string parameter so the password reset page knows which user's password is being reset?
You can use the company branding feature to customize the content of verification emails for resetting passwords.
Note: For better clarity you could check the Azure AD B2C: Frequently asked questions (FAQ) before the final workaround, which will definitely guide you to define the ultimate go-ahead.
Update
As per the Microsoft documentation, right now you cannot create it exactly according to your sample. See the screenshot; there are important remarks.
Thank you.
This GitHub project covers the case you describe. Still needs a lot of understanding about custom flows to get it working.
https://github.com/yoelhor/aadb2c-verification-link

Azure B2C local account Sign Up with Username - How to get the username suggestion

I have 2 questions:
As per the client requirement, while signing up using the Azure B2C UI flow (signInNames – Type is userName), the user should get suggestions for a username once they have entered some value in the username field (on the basis of existing usernames in B2C AD).
How we can achieve this functionality?
Note: I am using B2C built in Sign Up policy.
The other requirement is that multiple users can have the same email ID (as we are already using signInNames – Type: userName).
So once the user enters the email ID, and if that email ID is already associated with other username(s), we need to populate the list of usernames associated with the email. How can we achieve this functionality?
Any help is very much appreciated, I actually got stuck so please offer any suggestion.
You mean the "email address" property, right, not the actual email messages? If so, you should be able to use the /users endpoint: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_get
What is the resource you want to access via the access token ? If resource is https://graph.windows.net/,you could use Azure AD Graph API to get the email information of the signed-in user :
GET https://graph.windows.net/me?api-version=1.6
Authorization: Bearer yourAccessToken
If resource is https://graph.microsoft.com/,you could use Microsoft Graph API to get the email information of the signed-in user:
GET https://graph.microsoft.com/v1.0/me
Authorization: Bearer yourAccessToken
In response you could check UserPrincipalName claim value which is an email address that can receive emails.
For the username suggestion part, if you are talking about when you fill out the username form field and the Chrome/IE box pops up above, that is cached at the client and you can't do that. If you are talking about the user trying to register with a username that is already taken and you want to give them suggestions, you may, but I doubt it, be able to do it in a custom policy. More than likely, however, you would need to use a custom web application to do that, as that is more of an advanced sign-in journey.
The second part of your requirements would also need to be fulfilled within a custom web application as well; you can retrieve and access AD items within the custom user journeys, but again this is more of an advanced sign-in journey.
