Azure Adb2c External IDP Authentication Browser Back Button Click redirects to External IDP Again

Logesh Palani 1 MVP

We have AD B2C Authentication with .NET 8 MVC Web Application. We configured Open Id Provider with Custom Policy in Adb2c. The authentication is working successfully. But the problem is, after the External IDP successful authentication, the provider redirects to the web site. Now User clicks on browser back button, the site redirect to external idp, because the history is there in the window (single and multiple click applicable). On multiple click adb2c shows bad request, because session is already exist in the browser window.

Info: we disabled the External IDP SSO login for force login every time, since adb2c manages the users session.

Web site => Adb2c + External IDP => Successful Authentication => Redirects to Web Site => Web Site => Browser Back Button (Single Or Multiple click) <= External Idp or Adb2c Bad Request.

Is there any way to restrict the redirection to external idp or adb2c bad request, I tried the browser back button click disable, that didn't help.

is there any way to handle this adb2c bad request in asp.net core mvc.

James Hamil 22,436 Reputation points Microsoft Employee

2024-05-07T19:58:35.9766667+00:00

Hi @Logesh Palani , are you able to post your custom policy so I can review it?

Logesh Palani 1 MVP

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="demo.onmicrosoft.com"
  PolicyId="SUSI_SIGNUP_SIGNIN_1"
  PublicPolicyUri="http://demo.onmicrosoft.com/"
  DeploymentMode="Production"
  UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights">

  <BasePolicy>
    <TenantId>demo.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_OrionExtensions</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="app_identity_userid">
        <DisplayName>app_identity_userid</DisplayName>
        <DataType>string</DataType>
        <AdminHelpText>Unique ID representing user, to be consumed by application</AdminHelpText>
      </ClaimType>
     <ClaimType Id="app_identity_email">
        <DisplayName>app_identity_email</DisplayName>
        <DataType>string</DataType>
        <AdminHelpText>Email address associated with user, to be consumed by application</AdminHelpText>
      </ClaimType> 
      <ClaimType Id="app_identity_name">
        <DisplayName>app_identity_name</DisplayName>
        <DataType>string</DataType>
        <AdminHelpText>Name associated with user, to be consumed by application</AdminHelpText>
      </ClaimType> 
    </ClaimsSchema>
  </BuildingBlocks>
  <UserJourneys>
    <UserJourney Id="OrionSignUpOrSignIn">
      <OrchestrationSteps>

        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="IdpExchange" />
          </ClaimsProviderSelections>
        </OrchestrationStep>

        <!-- Check if the user has selected to sign in using one of the social providers -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
 			        <ClaimsExchange Id="IdpExchange" TechnicalProfileReferenceId="Idp-OpenIdConnect" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- For social IDP authentication, attempt to find the user account in the directory. -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>localAccountAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
              <Value>authenticationProvider</Value>
              <Value>Idp</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="IdpGetUserInfo" TechnicalProfileReferenceId="Idp-GetUserInfo" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="5" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>doesFirstNameExist</Value>
              <Value>false</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADValidateFirstName" TechnicalProfileReferenceId="AAD-Validate-First-Name" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>doesFirstNameExist</Value>
              <Value>false</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>isInvalidName</Value>
              <Value>true</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADAssignGivenNameWithFirstName" TechnicalProfileReferenceId="AAD-Assign-GivenName-With-FirstName" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="7" Type="ClaimsExchange">
          <Preconditions>
          <!-- If isInvalidName is true (does not exist or invalid), set email front part as given name -->
          <!-- otherwise, skip -->
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>isInvalidName</Value>
              <Value>false</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADAssignGivenNameWithEmailFrontPart" TechnicalProfileReferenceId="AAD-Assign-GivenName-With-EmailFrontPart" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect 
             from the user. So, in that case, create the user in the directory if one does not already exist 
             (verified using objectId which would be set from the last step if account was created in the directory. -->
        <OrchestrationStep Order="8" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteFederatedIdp" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>
  </UserJourneys>

  <RelyingParty>
    <DefaultUserJourney ReferenceId="OrionSignUpOrSignIn" />
    <UserJourneyBehaviors>
      <JourneyInsights
        TelemetryEngine="ApplicationInsights"
        InstrumentationKey=""
        DeveloperMode="false"
        ClientEnabled="true"
        ServerEnabled="true"
        TelemetryVersion="1.0.0" />
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
        <!-- for local accounts, a dummy token value is provided-->
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_hash" DefaultValue="64756d6d-7920-746f-6b65-6e76616c7565"/>
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="app_identity_email"/>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="app_identity_userid" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="app_identity_name" />
        <OutputClaim ClaimTypeReferenceId="authenticationProvider" PartnerClaimType="idp_provider" DefaultValue="local"/>
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

1 answer

James Hamil 22,436 Reputation points Microsoft Employee

2024-05-30T19:05:29.3733333+00:00
Hi @Logesh Palani , sorry for the delay in response. Please try the following and let me know if they work for you.

When the user clicks on the browser back button, the site redirects to the external IDP again. This happens because the history is still present in the window.

To restrict the redirection to the external IDP or ADB2C bad request, you can try using the sessionStorage object. You can store a flag in the sessionStorage object when the user is authenticated successfully and check for the flag when the user clicks on the back button. If the flag is present, you can redirect the user to the home page instead of the external IDP.

Here is an example of how you can use the sessionStorage object:

// Set the flag in sessionStorage when the user is authenticated successfully sessionStorage.setItem('authenticated', 'true'); // Check for the flag when the user clicks on the back button window.addEventListener('popstate', function(event) { if (sessionStorage.getItem('authenticated') === 'true') { sessionStorage.removeItem('authenticated'); window.location.href = '/'; } });

To handle bad request you can catch the OpenIdConnectProtocolException exception and redirect the user to an error page.:

app.UseExceptionHandler(errorApp => { errorApp.Run(async context => { var exception = context.Features.Get<IExceptionHandlerFeature>().Error; if (exception is OpenIdConnectProtocolException) { context.Response.Redirect("/Error"); } }); });

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Azure Adb2c External IDP Authentication Browser Back Button Click redirects to External IDP Again

1 answer