Question

Guillemss-6558 asked

Azure AD B2C Custom Policy Redirection

I have an AD B2C custom policy that is basically a Reset Password with redirection to a React app (SPA), based on this reference: https://medium.com/the-new-control-plane/invoking-the-azure-ad-b2c-custom-policy-journey-with-a-jwt-e9e3ff0560a3

When you reset your password and press Accept, you are redirected to the React app URL you have specified in the custom policy, but the redirection happens to be a POST with the ID token to authenticate. The React app doesn't know how to handle a POST request and returns a 500 error code.

The policy code is described as follows:

  <UserJourney Id="PasswordResetJWT">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="PasswordResetUsingEmailAddress" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>



Hi, we are investigating your issue and will update you shortly.

Best,
James


1 Answer

JamesHamil-MSFT answered

Hi @Guillemss-6558

Ideally this would depend on the response_mode of the request. For reference, if using the Auth_Code grant flow, it's usually form_post (POST), and for the Implicit_Grant flow, it's usually fragment (GET).

Example: consider the following request:

GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?
client_id=90a0fe63-bdf2-44c5-8fb7-b8bbc0b29dc6
&response_type=id_token+token
&redirect_uri=https%3A%2F%2Faadb2cplayground.azurewebsites.net%2F
&response_mode=fragment
&scope=openid%20offline_access
&state=arbitrary_data_you_can_receive_in_the_response
&nonce=12345

This is for the implicit flow; here you would find no response_mode parameter, but it would use fragment. For reference: Single-page sign-in using implicit flow - Azure AD B2C | Microsoft Docs

I hope this helps. Please let me know if you have any other questions.

Best,
James

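As an added example (not code from the question, the answer, or Microsoft's libraries), this is how a SPA that receives the B2C response in the URL fragment (response_mode=fragment with response_type=id_token+token, as in the request above) would parse it and check the state and nonce before trusting the ID token. The function names and the sample token are this example's own; the token's signature is a placeholder and is not verified here, which a real app must still do against the policy's JWKS (for instance via MSAL).

```javascript
// Helpers for base64url, the JWT encoding (no padding, '-' and '_' alphabet).
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Parse "#id_token=...&state=...&access_token=..." as delivered by
// response_mode=fragment, and reject responses that do not match what we sent.
// `expected` holds the state and nonce generated for this sign-in request.
function parseFragmentResponse(fragment, expected) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  if (params.has('error')) {
    throw new Error(`B2C returned ${params.get('error')}: ${params.get('error_description') || ''}`);
  }
  // state must echo our value; a mismatch means this response was not
  // triggered by us (CSRF / login-injection), so discard it.
  if (params.get('state') !== expected.state) throw new Error('state mismatch');
  const idToken = params.get('id_token');
  if (!idToken) throw new Error('no id_token in fragment');
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  // nonce binds the token to this request and defeats token replay.
  if (claims.nonce !== expected.nonce) throw new Error('nonce mismatch');
  // Signature verification (RS256 against the policy JWKS) is left to the
  // token library; only the claims are returned here.
  return { claims, accessToken: params.get('access_token'), tokenType: params.get('token_type') };
}

// Constructed sample response: state and nonce taken from the request above,
// the subject is made up, and "sig" stands in for the real signature.
function sampleFragment() {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({ sub: 'constructed-user-id', nonce: '12345' }));
  return `#id_token=${header}.${payload}.sig` +
    '&state=arbitrary_data_you_can_receive_in_the_response&token_type=Bearer';
}
```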

Hi @Guillemss-6558 , do you still need help with this issue? If not, please mark the appropriate answer as verified.

Thank you,
James
