Azure b2c Custom Policies Error Message

Miguel Gregório 21 Reputation points
2020-11-28T23:47:43.567+00:00

Hi !

I programmed the b2c customized policies and I am currently defining the error messages. However, the login error message displays a message that does not count in the standard messages: https://learn.microsoft.com/en-us/azure/active-directory-b2c/localization-string-ids

The message is: The username or password provided in the request are invalid.

I used the starter pack policies (local account).
If the credentials are correct, no problems arise.

How can I change this message?

Thanks!!


Accepted answer
  1. AmanpreetSingh-MSFT 56,326 Reputation points
    2020-11-30T14:55:10.203+00:00

    Hi @Miguel Gregório · Thank you for sharing the required information.

    On investigating it, I found the error occurs only when the policy is configured with the ROPC flow. There is an open ticket regarding this issue with the product team.

    As of now, you can try removing <Item Key="grant_type">password</Item> from <TechnicalProfile Id="login-NonInteractive">. As long as the first OrchestrationStep in an ROPC user journey is the ClaimsExchange with the ROPC technical profile, it should be absolutely fine to remove it.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
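As an added example (not code from the thread or from Microsoft), the following Python script applies the workaround above to a policy file and leaves the file untouched unless the stated precondition holds: the journey's first OrchestrationStep must be a ClaimsExchange whose technical profile is login-NonInteractive or validates through it. The policy embedded in the script is constructed for the demonstration; the TrustFrameworkPolicy namespace is the real one, but the journey Ids and the ROPC-Example profile are invented.

```python
import xml.etree.ElementTree as ET

TFP_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
NS = {"tfp": TFP_NS}
ET.register_namespace("", TFP_NS)  # serialize with the default namespace, no ns0: prefix

# Constructed, cut-down policy for the demonstration; not a starter pack file.
# Every Id except login-NonInteractive is invented.
POLICY_XML = f"""<TrustFrameworkPolicy xmlns="{TFP_NS}" PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com" PolicyId="B2C_1A_Example" PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_Example">
  <ClaimsProviders>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
            <Item Key="grant_type">password</Item>
            <Item Key="HttpBinding">POST</Item>
          </Metadata>
        </TechnicalProfile>
        <TechnicalProfile Id="ROPC-Example">
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
          </ValidationTechnicalProfiles>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="ROPC-Journey">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="ROPCExchange" TechnicalProfileReferenceId="ROPC-Example" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
    </UserJourney>
    <UserJourney Id="Interactive-Journey">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin" />
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>
"""


def technical_profile(root, profile_id):
    return root.find(f".//tfp:TechnicalProfile[@Id='{profile_id}']", NS)


def first_step_reaches(root, journey_id, profile_id):
    """True when the journey's lowest-Order step is a ClaimsExchange whose
    technical profile is profile_id, or lists it as a ValidationTechnicalProfile."""
    journey = root.find(f".//tfp:UserJourney[@Id='{journey_id}']", NS)
    steps = [] if journey is None else journey.findall("tfp:OrchestrationSteps/tfp:OrchestrationStep", NS)
    if not steps:
        return False
    first = min(steps, key=lambda s: int(s.get("Order", "0")))
    if first.get("Type") != "ClaimsExchange":
        return False
    for ex in first.findall("tfp:ClaimsExchanges/tfp:ClaimsExchange", NS):
        ref = ex.get("TechnicalProfileReferenceId", "")
        if ref == profile_id:
            return True
        tp = technical_profile(root, ref)
        validators = [] if tp is None else tp.findall(
            "tfp:ValidationTechnicalProfiles/tfp:ValidationTechnicalProfile", NS)
        if any(v.get("ReferenceId") == profile_id for v in validators):
            return True
    return False


def remove_metadata_item(profile, key):
    """Delete every <Item Key=key> under <Metadata>; return how many were removed."""
    metadata = profile.find("tfp:Metadata", NS)
    doomed = [] if metadata is None else [i for i in metadata.findall("tfp:Item", NS) if i.get("Key") == key]
    for item in doomed:
        metadata.remove(item)
    return len(doomed)


def patch_policy(xml_text, journey_id, profile_id="login-NonInteractive"):
    """Return (patched_xml, report). The XML comes back unchanged unless the
    journey's first step is a ClaimsExchange that reaches profile_id."""
    root = ET.fromstring(xml_text)
    profile = technical_profile(root, profile_id)
    if profile is None or not first_step_reaches(root, journey_id, profile_id):
        return xml_text, {"removed": 0, "reason": "precondition not met; policy left unchanged"}
    removed = remove_metadata_item(profile, "grant_type")
    remaining = [i.get("Key") for i in profile.findall("tfp:Metadata/tfp:Item", NS)]
    return ET.tostring(root, encoding="unicode"), {"removed": removed, "remaining_keys": remaining}


if __name__ == "__main__":
    patched, report = patch_policy(POLICY_XML, "ROPC-Journey")
    print(report)
    print(patched)
```

Run it against a real policy by reading the TrustFrameworkExtensions file into `patch_policy` with the Id of your ROPC journey; the report tells you whether the item was removed or why the file was left alone, and the Interactive-Journey case in the sample shows the script declining to edit when the first step is a CombinedSignInAndSignUp page rather than a ClaimsExchange.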

6 additional answers


  2. Michał Dzierżak 1 Reputation point
    2021-01-18T18:17:31.453+00:00

    Hi :-)
    Any news on the above problem?
    We have been facing the same issue. The message "The username or password provided in the request are invalid." cannot be translated by custom policy. After some investigation I've found that it is returned as an exception while executing the login-NonInteractive profile:

    {
        "Key": "Exception",
        "Value": {
            "Kind": "Handled",
            "HResult": "80131500",
            "Message": "The username or password provided in the request are invalid.",
            "Data": {
                "IsPolicySpecificError": false
            }
        }
    }


    Regards,
    Michał
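The fragment above is one entry of a larger journey trace. As an added example, not part of Michał's post, here is a small Python triage helper that walks a nested trace of that shape, pulls out every Exception entry and separates those whose Data.IsPolicySpecificError is false (the case shown above, where the message could not be localized from the policy) from the rest. The sample trace and its wrapping keys ("Kind", "Content", "Values") are constructed; only the Exception entry mirrors the shape quoted in the post.

```python
import json

# Constructed sample in the shape of the recorder output quoted above. The
# outer wrapping keys are invented; the Exception entry mirrors the post.
SAMPLE_TRACE = json.dumps([
    {"Kind": "Action", "Content": {"Values": [
        {"Key": "Validation", "Value": "login-NonInteractive"},
        {"Key": "Exception", "Value": {
            "Kind": "Handled", "HResult": "80131500",
            "Message": "The username or password provided in the request are invalid.",
            "Data": {"IsPolicySpecificError": False}}},
    ]}},
    # Second, constructed entry flagged as policy-specific for contrast.
    {"Key": "Exception", "Value": {
        "Kind": "Handled", "HResult": "80131500",
        "Message": "Your password is incorrect",
        "Data": {"IsPolicySpecificError": True}}},
])


def iter_exceptions(node):
    """Yield the Value of every {"Key": "Exception", ...} object found anywhere
    in a nested JSON structure (dicts inside lists inside dicts), in order."""
    if isinstance(node, dict):
        if node.get("Key") == "Exception" and isinstance(node.get("Value"), dict):
            yield node["Value"]
        for child in node.values():
            yield from iter_exceptions(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_exceptions(child)


def triage(trace_text):
    """Classify each exception by the trace's own IsPolicySpecificError flag:
    'provider' when it is false or missing (the case in the post above, whose
    text the policy's localization strings could not replace), 'policy' when
    it is true."""
    results = []
    for exc in iter_exceptions(json.loads(trace_text)):
        data = exc.get("Data") or {}
        results.append({
            "message": exc.get("Message", ""),
            "hresult": exc.get("HResult"),
            "kind": exc.get("Kind"),
            "origin": "policy" if data.get("IsPolicySpecificError") else "provider",
        })
    return results


def provider_messages(trace_text):
    """Only the messages flagged the same way as the one in the post."""
    return [r["message"] for r in triage(trace_text) if r["origin"] == "provider"]


if __name__ == "__main__":
    for row in triage(SAMPLE_TRACE):
        print(row["origin"], row["hresult"], row["message"])
```

Feed it the JSON you export from the journey recorder or Application Insights; the walker does not depend on the exact nesting, only on the Key/Value pairs, so it tolerates whichever wrapper objects the export adds. The HResult 80131500 in the post is the generic .NET COR_E_EXCEPTION code, so the message text, not the HResult, is what distinguishes these entries.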


  3. Wilson de Seabra 1 Reputation point
    2020-11-30T14:39:45.29+00:00

    @AmanpreetSingh-MSFT
    The validation then, here goes:

    <TechnicalProfile Id="login-NonInteractive">
      <DisplayName>Local Account SignIn</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
        <Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
        <Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item>
        <Item Key="ProviderName">https://sts.windows.net/</Item>
        <Item Key="METADATA">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>
        <Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>
        <Item Key="response_types">id_token</Item>
        <Item Key="response_mode">query</Item>
        <Item Key="scope">email openid</Item>
        <Item Key="grant_type">password</Item>
        <!-- Policy Engine Clients -->
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="HttpBinding">POST</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
        <InputClaim ClaimTypeReferenceId="password" Required="true" />
        <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
        <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
        <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_Name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_Name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="Name" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
        <OutputClaim ClaimTypeReferenceId="extension_Role" />
        <OutputClaim ClaimTypeReferenceId="extension_ClientId" />
        <OutputClaim ClaimTypeReferenceId="extension_FactoryId" />
        <OutputClaim ClaimTypeReferenceId="extension_DepartmentId" />
      </OutputClaims>
    </TechnicalProfile>


  4. Wilson de Seabra 1 Reputation point
    2020-11-30T14:27:58.377+00:00

    @AmanpreetSingh-MSFT Same issue here. We're using a custom Technical Profile, and using a custom form on ContentDefinition "api.signuporsigninwithkmsi":

    <UserJourney Id="SignUpOrSignInWithKmsi">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsigninwithkmsi">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Username" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignup-Username" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- This step reads any user attributes that we may not have received when in the token. -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>

    Technical profile:

    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Username">
      <DisplayName>Local Account Signin</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>
        <Item Key="setting.operatingMode">Username</Item>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true" />
        <OutputClaim ClaimTypeReferenceId="password" Required="true" />
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" />
        <OutputClaim ClaimTypeReferenceId="extension_Role" />
        <OutputClaim ClaimTypeReferenceId="extension_ClientId" />
        <OutputClaim ClaimTypeReferenceId="extension_FactoryId" />
        <OutputClaim ClaimTypeReferenceId="extension_DepartmentId" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
      </ValidationTechnicalProfiles>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>