C#11mo ago
Jii

❔ Azure AD B2C user - password reset

Hello, I need some help with Azure AD B2C user flows and custom policies. In my current project, I have to change how the password reset process works. I want to customize this process by using my own REST API endpoint that checks and verifies the email address. Has anyone done something like this before? If you have, could you please share your thoughts here? I'm looking to talk about how to get started because I'm new to Azure AD B2C and don't know where to begin. Thank you!
12 Replies
joeystdio
joeystdio11mo ago
I haven't built it yet, but for an upcoming project I researched a similar scenario. Not sure what your use case is exactly, but I would suggest leaving the authentication process / reset password flow on the AAD B2C side and integrating with an external system to store additional information related to that user. https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview#integrate-with-external-user-stores
What is Azure Active Directory B2C?
Learn how you can use Azure Active Directory B2C to support external identities in your applications, including social sign-up with Facebook, Google, and other identity providers.
joeystdio
joeystdio11mo ago
So in our case after a user is authenticated and redirected back to our application, with a valid token we can request some kind of profile-service if this user can or cannot access something.
Tvde1
Tvde111mo ago
This is certainly possible, it's just that Azure B2C is a monster to make custom policies for :) We have this one, for example:
<TechnicalProfile Id="CRM-VerifyLegacyLogin">
  <!-- RestfulProvider: B2C calls the legacy CRM API and maps its JSON reply onto output claims -->
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <DisplayName>Verifies the password with our legacy system</DisplayName>
  <Metadata>
    <Item Key="ServiceUrl">{{CRMServiceUri}}/aad/VerifyLegacyLogin</Item>
  </Metadata>
  <InputClaims>
    <!-- sent to the API in the request body -->
    <InputClaim ClaimTypeReferenceId="signInName" />
    <InputClaim ClaimTypeReferenceId="password" />
  </InputClaims>
  <OutputClaims>
    <!-- read back from the JSON response body -->
    <OutputClaim ClaimTypeReferenceId="tokenSuccess" DefaultValue="false" />
  </OutputClaims>
</TechnicalProfile>
This technical profile returns a tokenSuccess claim which is true or false depending on what the API call returned in the JSON body. You can then use that in:
<ValidationTechnicalProfile ReferenceId="AAD-WritePassword">
  <Preconditions>
    <!-- skip writing the password to B2C unless the tokenSuccess claim is present -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>tokenSuccess</Value>
      <Action>SkipThisValidationTechnicalProfile</Action>
    </Precondition>
  </Preconditions>
</ValidationTechnicalProfile>
This is a treacherous path and it'll take a lot of digging on the internet and trying possibilities to get it right.
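For the other side of the contract, here is an added example (not code from this thread or from any of the posters) of the kind of REST endpoint that a RestfulProvider technical profile like the one above would call, and that the original question's email-verification endpoint would follow the same pattern for. B2C posts the input claims as a JSON body keyed by claim name (signInName, password) and reads output claims back from JSON keys of the same name (tokenSuccess); for a user-facing failure it understands a response of the shape version / status / userMessage. The route path, the Basic-auth credentials, the legacy user record and the PBKDF2 parameters are all constructed for the example; the hypothetical `handle_request` function is the part a test can call without starting a server.

```python
"""Constructed REST endpoint for an Azure AD B2C RestfulProvider technical profile.
Request: JSON body with the input claims; response: JSON with the output claims."""
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials that B2C would present via Basic auth on the RestfulProvider.
API_USER = "b2c-policy"
API_PASSWORD = "REPLACE-WITH-SECRET"  # placeholder, not a real secret

PBKDF2_ROUNDS = 100_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed stand-in for the legacy user store: sign-in name -> (salt, password hash).
_SALT = b"constructed-static-salt"
LEGACY_USERS = {
    "alice@example.com": (_SALT, _pbkdf2("correct horse battery", _SALT)),
}
_DUMMY_HASH = _pbkdf2("dummy", _SALT)  # so unknown accounts cost the same time as known ones


def verify_legacy_login(sign_in_name: str, password: str) -> bool:
    """True only when the password matches the legacy record for sign_in_name."""
    entry = LEGACY_USERS.get(sign_in_name.strip().lower())
    salt, expected = entry if entry is not None else (_SALT, _DUMMY_HASH)
    # Always derive and compare so timing does not reveal whether the account exists.
    matches = hmac.compare_digest(_pbkdf2(password, salt), expected)
    return matches and entry is not None


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value B2C sends for AuthenticationType Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def _caller_is_b2c(auth_header) -> bool:
    """Reject anything that is not our B2C tenant: the body carries passwords."""
    if not isinstance(auth_header, str) or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode("utf-8").partition(":")
    except ValueError:
        return False
    return (hmac.compare_digest(user.encode("utf-8"), API_USER.encode("utf-8"))
            and hmac.compare_digest(password.encode("utf-8"), API_PASSWORD.encode("utf-8")))


def b2c_error(status: int, user_message: str):
    """Error shape the RestfulProvider turns into a message shown to the user."""
    return status, {"version": "1.0.0", "status": status, "userMessage": user_message}


def handle_request(path: str, auth_header, body: bytes):
    """Route one POST; returns (http_status, json_response)."""
    if not _caller_is_b2c(auth_header):
        return 401, {"error": "unauthorized"}
    try:
        claims = json.loads(body.decode("utf-8"))
        if not isinstance(claims, dict):
            raise ValueError("body must be a JSON object")
    except ValueError:
        return b2c_error(400, "Malformed request.")
    if path == "/aad/VerifyLegacyLogin":
        sign_in_name, password = claims.get("signInName"), claims.get("password")
        if not isinstance(sign_in_name, str) or not isinstance(password, str):
            return b2c_error(400, "signInName and password are required.")
        # Key name matches the OutputClaim ClaimTypeReferenceId in the policy.
        return 200, {"tokenSuccess": verify_legacy_login(sign_in_name, password)}
    return 404, {"error": "unknown route"}


class _Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        status, payload = handle_request(self.path, self.headers.get("Authorization"),
                                         self.rfile.read(length))
        data = json.dumps(payload).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # never log request lines or bodies: they carry passwords
        pass


if __name__ == "__main__":
    # Local run only; in production put TLS in front of it (B2C calls HTTPS endpoints).
    HTTPServer(("127.0.0.1", 8080), _Handler).serve_forever()
```

The profile pasted above sets no AuthenticationType in its Metadata, so whoever adopts it should add one (Basic with the username and password stored as policy keys, or a client certificate) so that only the B2C tenant can reach an endpoint that receives plaintext passwords, and log only the outcome, never the body.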
joeystdio
joeystdio11mo ago
Absolutely true about the custom policies; the documentation is a study on its own. Pretty cool what you're doing here in that policy... so you're logging in with AAD B2C but actually use the legacy system to verify username/password and provide tokens, right?
Tvde1
Tvde111mo ago
In this case, it's an excerpt from the login system where, if a password is incorrect, we check the old system. If it's correct there, we update the password in B2C and let the user through. We also do similar things in the forgot-password flow, e.g. make a callback to our system to record it to an event log.
joeystdio
joeystdio11mo ago
Oh this is very handy to migrate from a legacy system to AAD
Tvde1
Tvde111mo ago
yes, seamlessly so the users don't notice
joeystdio
joeystdio11mo ago
Thanks for sharing! Will definitely be using this in the near future 😄
MODiX
MODiX11mo ago
Use the /close command to mark a forum thread as answered
joeystdio
joeystdio11mo ago
Not my thread 😄
Accord
Accord11mo ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.