Azure AD B2C Custom Policy Bypass or skip specific phone Number Orchestration flow

Time: 06-16

We are using the Azure AD B2C phone number OTP authentication flow. We need to run an automation test against it, and for that we need to skip the OTP validation step. Below is the B2C_1A_PH_SUSI file code.

<UserJourney Id="PhoneSignInUp">
  <OrchestrationSteps>
    <!--
       Ask the user for the phone number. 
       The ValidationTechnicalProfile tries to read the user from the directory using the phone number
    -->
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="SignIn" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Username" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- 
      Verify the phone number via SMS or Callback
     -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>isActiveMFASession</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify-PhoneLogon" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- 
      If the user didn't exist previously, create the object in the directory
    -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserWriteUser" TechnicalProfileReferenceId="AAD-UserWriteUsingPhoneNumber" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!--
      return the JWT token
    -->
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>

CodePudding user response:

Presumably, for the automation test, you are using ROPC to log the user in?

In which case, add a precondition around PhoneFactor that checks for the ROPC user and skips the step.

Just give the user a "weird" login name - lots of q/z/x etc. :-) so hard to guess for security.

CodePudding user response:

I found a way to bypass the OTP by adding a Precondition block: give the number you want to skip in <Value>91xxxxxxxx</Value>. Refer to the code below.

    <!--
      Verify the phone number via SMS or Callback
    -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>isActiveMFASession</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
        <!-- Skip the OTP step when the sign-in phone number equals this one value (placeholder number) -->
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>signinnames.phoneNumber</Value>
          <Value>91xxxxxxxx</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify-PhoneLogon" />
      </ClaimsExchanges>
    </OrchestrationStep>
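A skip precondition on the phone-factor step is exactly what turns the OTP check off, so it is worth auditing a policy for such preconditions before uploading it. The script below is an added example, not code from the original post or from Azure AD B2C: it parses a constructed fragment mirroring the answer above (the phone number is a placeholder), lists every precondition that can skip a PhoneFactor step, and rejects malformed XML such as the unclosed <Preconditions> in the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the second answer; the phone number is a placeholder.
POLICY_FRAGMENT = """<UserJourney Id="PhoneSignInUp"><OrchestrationSteps>
  <OrchestrationStep Order="2" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
        <Value>isActiveMFASession</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
      <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
        <Value>signinnames.phoneNumber</Value>
        <Value>91xxxxxxxx</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
    <ClaimsExchanges>
      <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify-PhoneLogon" />
    </ClaimsExchanges>
  </OrchestrationStep>
</OrchestrationSteps></UserJourney>"""

def _local(tag):
    """Strip a namespace prefix ({ns}Tag -> Tag) so full, namespaced policies parse too."""
    return tag.rsplit("}", 1)[-1]

def find_otp_skips(policy_xml, profile_prefix="PhoneFactor"):
    """Return (step order, precondition type, values) for each precondition that
    skips a step whose ClaimsExchange references a PhoneFactor* technical profile.
    Malformed XML (e.g. the question's unclosed <Preconditions>) raises ET.ParseError."""
    root = ET.fromstring(policy_xml)
    findings = []
    for step in root.iter():
        if _local(step.tag) != "OrchestrationStep":
            continue
        refs = [ce.get("TechnicalProfileReferenceId", "")
                for ce in step.iter() if _local(ce.tag) == "ClaimsExchange"]
        if not any(r.startswith(profile_prefix) for r in refs):
            continue  # not the phone verification step
        for pre in step.iter():
            if _local(pre.tag) != "Precondition":
                continue
            actions = [c.text.strip() for c in pre if _local(c.tag) == "Action"]
            if actions != ["SkipThisOrchestrationStep"]:
                continue
            # ClaimEquals with a literal phone number here is a standing OTP bypass.
            values = tuple(c.text.strip() for c in pre if _local(c.tag) == "Value")
            findings.append((step.get("Order"), pre.get("Type"), values))
    return findings
```

Run it against the full policy file before uploading: any ClaimEquals entry in the result is a literal value that disables the SMS check for that one claim value, while a ClaimsExist entry such as isActiveMFASession reflects a session the user already verified.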