Azure AD B2C Password Reset policy without email verification step
Is it possible to create custom policy to reset password for already known email?

I create user using Graph API and send invitation email to the specified email address.

I want user to click on the link in that email and just set password for his account.

I can create signed token with this email claim and send as assertion to my custom policy. So policy gets email as input claim. I see it in the trace.

But I am not able to bypass email verification step in the password reset journey - when I remove it, I get 500 server error without additional detail.

I tried to send objectId for the user as input claim as well, but it does not help either.

Is there a way to skip email verification?

Chancery answered 19/4, 2018 at 14:28 Comment(3)
Would you provide details on how you accomplished this step: "I can create signed token with this email claim and send as assertion to my custom policy. So policy gets email as input claim. I see it in the trace." I'm trying to create an invitation email with a reset password link for migrated users and I can't seem to find info on how to pass the email address to the password reset custom policy. (Atalanti)
My starting point was this example: github.com/Azure-Samples/active-directory-b2c-advanced-policies/…. I sent an email with the signed link, and when the user clicks on that link, I validated that it contains the email and the signature is good. Then I redirected to the custom policy. (Chancery)
In the custom policy I used a client assertion to send the token to B2C; the example can be found here: github.com/Azure-Samples/active-directory-b2c-advanced-policies/… in the RedirectToIdentityProvider method. (Chancery)

You have the following options that vary the user experience:

  1. Display the email address as a read-only field and remove the email verification requirement.
  2. Remove the email verification step.

Display the email address as a read-only field

1) Create a readOnlyEmail claim type:

<ClaimType Id="readOnlyEmail">
  <DisplayName>Email Address</DisplayName>
  <DataType>string</DataType>
  <UserInputType>Readonly</UserInputType>
</ClaimType>

2) Create a claims transformation that copies from the email claim to the readOnlyEmail claim:

<ClaimsTransformation Id="CopyFromEmailToReadOnlyEmail" TransformationMethod="FormatStringClaim">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="stringFormat" DataType="string" Value="{0}" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="readOnlyEmail" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

3) Add the CopyFromEmailToReadOnlyEmail claims transformation as an input claims transformation to the LocalAccountDiscoveryUsingEmailAddress technical profile, and then replace the email claim type with readOnlyEmail as the input and output claims for this technical profile:

<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
  <DisplayName>Reset password using email address</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <IncludeInSso>false</IncludeInSso>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="CopyFromEmailToReadOnlyEmail" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="readOnlyEmail" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="readOnlyEmail" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

Remove the email verification step

1) Change the first step for the PasswordReset journey from:

<OrchestrationStep Order="1" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
  </ClaimsExchanges>
</OrchestrationStep>

to:

<OrchestrationStep Order="1" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="UserReadUsingEmailAddressExchange" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress" />
  </ClaimsExchanges>
</OrchestrationStep>

Lewan answered 19/4, 2018 at 23:18 Comment(6)
Thank you, now it does not require sending a verification code, but it still shows the page to enter the email itself. Can I skip the page with email entering? (Chancery)
I want to be sure that the mail is not changed, and it can be, so a user may change another user's password. That is not what I want. (Chancery)
Hi @Chancery, I've updated the above answer with a couple of options that depend on whether you want to keep the email verification step or not. (Lewan)
I've just sort of invented Option 1 myself, but Option 2 with complete step removal is much better! Thank you, appreciate your help! (Chancery)
@ChrisPadgett I'm interested in option 2, however I receive: Claim type "email" is the input claim of technical profile "AAD-UserReadUsingEmailAddress" in step "1" of user journey "PasswordReset" but it is not an output claim in any of the previous steps. Claim type "email" is the output claim of the relying party's technical profile, but it is not an output claim in any of the steps of user journey "PasswordReset". I'm using github.com/Azure-Samples/… as a starting point for these. Any help is appreciated! (Amitosis)
Hi @ctoph. You must pass the email claim into the user journey, since you aren't prompting for it; refer to this sample policy for instructions about how to do this. (Lewan)
