This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 36%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKK%3C/text%3E%3C/svg%3E)
In extesntion I'm overrided SelfAsserted-LocalAccountSignin-Email profile
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
<ValidationTechnicalProfiles>
<!-- Initiate a normal logon against Azure AD B2C -->
<ValidationTechnicalProfile ReferenceId="login-NonInteractive" ContinueOnError="true" />
<!-- Check if account is locked out. Note: This validation technical profile also return the bad user name and password -->
<ValidationTechnicalProfile ReferenceId="REST-AccountLockout">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>objectId</Value>
<Value>badPassword</Value>
<Action>SkipThisValidationTechnicalProfile</Action>
</Precondition>
</Preconditions>
</ValidationTechnicalProfile>
</ValidationTechnicalProfiles>
</TechnicalProfile>
Blockquote
and added default value for oid in login-NonInteractive
<TechnicalProfile Id="login-NonInteractive">
<InputClaims>
<!--Replace with your Application ID of the ProxyIdentityExperienceFramework-->
<InputClaim ClaimTypeReferenceId="client_id" DefaultValue="{ProxyIdentityExperienceFramework}" />
<InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="{IdentityExperienceFramework}" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" DefaultValue="badPassword"/>
</OutputClaims>
</TechnicalProfile>
Blockquote
But if the credentials are not correct, I never get into the next validation profile
Hello @kirill.kolesnikov , please ensure the metada entry for grant_type is not present (remove or comment it) in the login-NonInteractive Technical Profile (Usually stored in the TrustFrameworkBase policy).
Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.
@Alfredo Revilla - Senior Freelance SWE, SWA, IAM Yes if remove or comment grant_type from login-NonInteractive I can use next validation profile, but it always return valid objectId and https://github.com/azure-ad-b2c/samples/blob/1c547e0001bd8b0b426bc4c7daa3299cecd225f5/policies/lockout/ADB2C.Lockout/ADB2C.Lockout/Controllers/IdentityController.cs#L78 based on objectId we deside sucsesfull login
Hello @kirill.kolesnikov , that can happen if the objectId claim is being read from the session cookie. In such case the objectIdFromSession claim will be present in the claim bag. Clearing cookies can help unless you're seeing the behavior even after entering wrong credentials.
Hello @kirill.kolesnikov , REST-AccountLockout is being skipped due to its precondition: objectId claim value is never set to badPassword.
Let us know if this answer was helpful to you. If so, please remember to accept it so that others in the community with similar questions can more easily find a solution.
@Alfredo Revilla - Senior Freelance SWE, SWA, IAM Yes, but even if I delete the precondition, I still don't get into REST-AccountLockout
It feels like if the login password values are not correct, an error is immediately thrown from login-NonInteractive ignoring ContinueOnError="true"
Hi @kirill.kolesnikov , I will try to reproduce the issue on my side and come back to you with my findings.
@Alfredo Revilla - Senior Freelance SWE, SWA, IAM I'm trying to use this sample https://github.com/azure-ad-b2c/samples/tree/master/policies/lockout
Hello @kirill.kolesnikov , apologies for the delay. Ok great I will take a look to the sample today.