C
C#16mo ago
Jii

❔ Azure AD B2C user - password reset

Hello, I need some help with Azure AD B2C user flows and custom policies. In my current project, I have to change how the password reset process works. I want to customize this process by using own REST API endpoint that checks and verifies the email address. Has anyone done something like this before? If you have, could you please share your thoughts here? I'm looking to talk about how to get started because I'm new to Azure AD B2C and don't know where to begin. Thank you!
12 Replies
joeystdio
joeystdio16mo ago
I did not build it yet but for an upcoming project I had researched a similar scenario. Not sure what your use case is exactly but I would suggest leaving the authentication process / reset password flow at the AAD B2C side and integrate with an external system to store additional information related to that user. https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview#integrate-with-external-user-stores
What is Azure Active Directory B2C?
Learn how you can use Azure Active Directory B2C to support external identities in your applications, including social sign-up with Facebook, Google, and other identity providers.
joeystdio
joeystdio16mo ago
So in our case after a user is authenticated and redirected back to our application, with a valid token we can request some kind of profile-service if this user can or cannot access something.
Tvde1
Tvde116mo ago
This is certainly possible, just Azure B2C is a monser to make custom policies for :) we have this one for example: 
                <TechnicalProfile Id="CRM-VerifyLegacyLogin">
                    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
                    <DisplayName>Verifies the password with our legacy system</DisplayName>
                    <Metadata>
                        <Item Key="ServiceUrl">{{CRMServiceUri}}/aad/VerifyLegacyLogin</Item>
                    </Metadata>
                    <InputClaims>
                        <InputClaim ClaimTypeReferenceId="signInName" />
                        <InputClaim ClaimTypeReferenceId="password" />
                    </InputClaims>
                    <OutputClaims>
                        <OutputClaim ClaimTypeReferenceId="tokenSuccess" DefaultValue="false" />
                    </OutputClaims>
                </TechnicalProfile>
                <TechnicalProfile Id="CRM-VerifyLegacyLogin">
                    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
                    <DisplayName>Verifies the password with our legacy system</DisplayName>
                    <Metadata>
                        <Item Key="ServiceUrl">{{CRMServiceUri}}/aad/VerifyLegacyLogin</Item>
                    </Metadata>
                    <InputClaims>
                        <InputClaim ClaimTypeReferenceId="signInName" />
                        <InputClaim ClaimTypeReferenceId="password" />
                    </InputClaims>
                    <OutputClaims>
                        <OutputClaim ClaimTypeReferenceId="tokenSuccess" DefaultValue="false" />
                    </OutputClaims>
                </TechnicalProfile>
This technicalprofile returns a tokenSuccess claim which is true or false depending on what the API call returned in the JSON body you can then use that in 
                        <ValidationTechnicalProfile ReferenceId="AAD-WritePassword">
                            <Preconditions>
                                <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
                                    <Value>tokenSuccess</Value>
                                    <Action>SkipThisValidationTechnicalProfile</Action>
                                </Precondition>
                            </Preconditions>
                        </ValidationTechnicalProfile>
                        <ValidationTechnicalProfile ReferenceId="AAD-WritePassword">
                            <Preconditions>
                                <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
                                    <Value>tokenSuccess</Value>
                                    <Action>SkipThisValidationTechnicalProfile</Action>
                                </Precondition>
                            </Preconditions>
                        </ValidationTechnicalProfile>
this is a treacherous path and it'll take a lot of digging on the internet and trying possibilities to get it right
joeystdio
joeystdio16mo ago
Absolutely true about the custom policies, the documentation is a study on its own. Pretty cool what you're doing here in that policy... so you're logging in with AAD B2C but actually use the legacy system to verify username/password and provide tokens right?
Tvde1
Tvde116mo ago
in this case, it's an excerpt from the login system where if a password is incorrect, we check the old system. If it's correct there, we update the password in B2C and let the user through we also do similar things in the forgot password flow, e.g. make a callback to our system to record it to an event log
joeystdio
joeystdio16mo ago
Oh this is very handy to migrate from a legacy system to AAD
Tvde1
Tvde116mo ago
yes, seamlessly so the users don't notice
joeystdio
joeystdio16mo ago
Thanks for sharing ! Will definitely be using this in the nearby future 😄
Unknown User
Unknown User16mo ago
Message Not Public
Sign In & Join Server To View
MODiX
MODiX16mo ago
Use the /close command to mark a forum thread as answered
joeystdio
joeystdio16mo ago
Not my thread 😄
Accord
Accord16mo ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.
Want results from more Discord servers?
Add your server