MaximilianBrgi-8175 asked JamesTran-MSFT commented

Azure AD B2C - Loss of cookie leads to unhandled 400 error code during flow

The problem first occurred when the flow was started but wasn't completed overnight. When pressing any button again in the morning, the page freezes with the error code 400 in the dev tools. But no error is visible since this error isn't handled.
It can be reproduced by deleting the cookie during a flow. But in that case the flow doesn't freeze but a simple HTML page with the text "Bad Request" is returned.

Is there even any way to fix this on my side? It appears to be a flaw in the framework. Or has anyone got some valuable feedback on this problem?

Thanks in advance :)

azure-ad-b2c

@MaximilianBrgi-8175
Thank you for your post!

  • Just to clarify, it sounds like you started a User Flow, left it over-night, and after coming back in the morning you received a "Bad Request" or 400 error code when trying to continue with the User Flow?

  • Has the user logged in prior to this issue occurring? Or is this prior to log-in when the user just leaves the User Flow page (i.e. Sign Up/Sign-in)?

  • Have you looked into Configuring your token lifetimes to help with the issue of token's possibly expiring, or modifying your Session behaviors to see if this helps with the page possibly expiring?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Hi @JamesTran-MSFT
Thank you for your answer.

Just to clarify, it sounds like you started a User Flow, left it over-night, and after coming back in the morning you received a "Bad Request" or 400 error code when trying to continue with the User Flow?

That's right. And the same can be reproduced by deleting the cookie during a session and trying to continue with the flow after that. And the B2C framework can't handle this error, which leads to unpredictable behaviour. When I click the "sign in" button nothing happens on the site while the network tab shows a 400 error code. When I click a link to sign-up or self-service the site crashes and I receive a simple white HTML page with the text "Bad request", and on more complicated steps (while validating an OTP) the page freezes with a loading animation which it can't recover from.

Has the user logged in prior to this issue occurring? Or is this prior to log-in when the user just leaves the User Flow page (i.e. Sign Up/Sign-in)?

No, the issue occurs before logging in. But I didn't try it after log-in. But it can happen during the whole CombinedSignInAndSignUp flow.

Have you looked into Configuring your token lifetimes to help with the issue of token's possibly expiring, or modifying your Session behaviors to see if this helps with the page possibly expiring?

I am using custom policies and don't have access to this. But I don't have a problem with how long the token is valid but rather with how the framework handles itself after the token has expired.

I hope this answers your questions and makes the question clearer.

Hi @JamesTran-MSFT

I haven't heard from you in a while. Would you have any further advice on this topic? I posted a reply to your questions.

JamesTran-MSFT replied to MaximilianBrgi-8175:

Thank you for following up on this and I apologize for the delayed response!

When it comes to handling the 400 Bad Request error messages, during log-in or through the repro steps you mentioned, you should be able to handle the error through B2C custom policies. I also found a related issue on our GitHub forums and will share the link below as well.

Related Issue:
Azure B2C returning Status 400 (Bad request) when clicking Sign in button after tab is left open from night to day in the Login screen


Additional Links:
Troubleshoot Azure AD B2C custom policies and user flows
Define a validation technical profile
Define an OAuth2 custom error technical profile


I hope this helps!
If you have any other questions, please let me know.

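The failure mode described in the thread is that the B2C page script receives an HTTP 400 once the session cookie is gone and then hangs. As an added example that is not code from the thread or from Microsoft, the snippet below is a guard for a B2C custom page layout: it distinguishes the bare "Bad Request" 400 from B2C's structured validation replies and sends the user back to the start of the flow instead of leaving the page frozen. It assumes the page's own scripts submit via XMLHttpRequest and that RESTART_URL is a hypothetical relying-party route that starts a fresh authorization request.

```javascript
// Added example (not from the thread or Microsoft). Intended for a B2C custom page layout.
// Assumption: RESTART_URL is a hypothetical relying-party route that begins a new B2C flow;
// the original authorization request URL is not available to the page itself.
const RESTART_URL = '/signin';

// Decide whether a response means the B2C session is gone and the flow must be restarted.
// A lost session shows up as an HTTP 400 whose body is the bare "Bad Request" page from the
// thread; B2C validation errors come with a JSON body and are left to the page's own handling.
function isLostSessionResponse(status, body) {
  if (status !== 400) return false;
  try {
    JSON.parse(body);
    return false; // structured error: the B2C page script already knows how to show it
  } catch {
    return true;  // unstructured 400 (e.g. "Bad Request"): the session cookie is gone
  }
}

// Build the redirect target, carrying a marker so the relying party can tell the user why.
function restartUrl(base, reason) {
  const u = new URL(base, 'https://placeholder.invalid'); // base may be relative
  u.searchParams.set('b2c_restart', reason);
  return u.pathname + u.search;
}

// Hook XMLHttpRequest so that a lost-session 400 navigates away instead of hanging.
// xhrCtor and navigate are injected so the logic can be exercised outside a browser.
function installLostSessionGuard(xhrCtor, navigate) {
  const origOpen = xhrCtor.prototype.open;
  xhrCtor.prototype.open = function (method, url, ...rest) {
    this.addEventListener('loadend', () => {
      const text = (this.responseType === '' || this.responseType === 'text')
        ? this.responseText : '';
      if (isLostSessionResponse(this.status, text)) {
        navigate(restartUrl(RESTART_URL, 'session_expired'));
      }
    });
    return origOpen.call(this, method, url, ...rest);
  };
}

// Only install in a browser; the pure functions above remain usable elsewhere.
if (typeof XMLHttpRequest !== 'undefined' && typeof window !== 'undefined') {
  installLostSessionGuard(XMLHttpRequest, (target) => window.location.assign(target));
}
```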