Is there any way to make the password field text in B2C login (local account) visible to the user (show pwd kind of thing)? I cannot use JS so the usual approaches do not seem possible.
Related
Is there a way to use the generated random password while creating the account using Signup Custom policies?.
I understand that this is possible using Graph API but we are looking at the possibilities using the policies.
If you are referring to the password a user would use to login to their account, then no. As detailed here the only thing custom policies can do with user passwords is write them to the directory. You cannot read a user's password from custom policies (or from anywhere as far as I am aware).
I'm not sure which random password specifically is being referred to (if you are following an example, posting it may help), but you would have to store it elsewhere (which obviously carries security issues with it) and then retrieve it using an API of some sort during policy execution
I am using Microsoft Azure authentication for user Login ,
After login of user there is change password section in my application where user provide his current password and new password so my query is
Is there is any Api(Graph) to GET Current Password for that user OR Any API(Graph) through which we authenticate current Password which provided by user
Is there any other scenario which help me to authenticate current password which was given by user while changing password
Or any other way to get current password for that user
thanks
There is no way to get the current password for users.
It would be a massive security vulnerability and imply they store them insecurely.
There is a way to authenticate a user like that, but it won't work if the user has e.g. MFA.
I would suggest a different approach.
Check how old the authentication is (id token has the time it was issued).
If it is older than, say, 15 minutes, require the user to authenticate with AAD (prompt=login).
You can also require MFA for the login if you know all your users use it.
Then they should be able to give a new password, which you can then set with Graph API.
So instead of making a call to check the current password, require a fresh ID token and rely on AAD to check the user credentials.
Also, the users should be able to change it themselves already as written in docs: https://learn.microsoft.com/en-us/azure/active-directory/user-help/active-directory-passwords-update-your-own-password
I would like to customize the password policy for my B2C Custom Login Flow. I can see how to change things like password length etc (see Password Polices)
But I also want to prevent the user from using any of the last 8 passwords. How would I do this?
This capability is currently not supported in Azure AD B2C.
Here is the feedback, please go and upvote this.
The best you can do with built in functions is: https://github.com/azure-ad-b2c/samples/tree/master/policies/password-reset-not-last-password
For more than last password history, the only workaround is to store the hashes yourself and use a REST API to examine the hash against the new password being provided. Something that we dont recommend doing, and rather using better techniques such as MFA.
From our native code, when attempting to change a user's password in a password reset flow, the password's complexity is not applied when we use an Admin account to change that password.
We are using the procedure as explained here: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations#ResetUserPassword
In other words, when we attempt to change a password of a user using the user's identity token, the conditions for a password are applied.
But if we attempt to change that password by an Admin instead of the user's JWT, in a password reset situation, the minimum password requirements are not applied.
I suspect that maybe this has something to do with User Flows, but I am not certain.
Any ideas ?
Using admin to reset the user password with the AAD graph API, when the new password not complied with the complexity policy, it prompts an error.
Using admin to reset the user password with the Microsoft graph API, when the new password not complied with the complexity policy, it also prompts an error.
I have a JSF application I have configured with a JPASecurityRealm I use to log users in. This works fine with native user accounts. I now added a login with facebook functionality. When users login with facebook for the first time, I create them a new native user account for our website with the data returned by facebook. Which works fine, but I have problems authenticating the user on our server now. Usually I use request.login(userID,userPassword); but because users don't have a password with their native account now, I don't know how to authenticate them? Is there something like request.login(userID), which logs the user in without needing a password?
but because users don't have a password with their native account now,
I don't know how to authenticate them? Is there something like
request.login(userID), which logs the user in without needing a
password?
You could generate a random password, persist it and notify them. Then just also give them the possibility to change it later .