I am trying to send a user's email and password to a REST API as a part of the Forgot Password custom policy user journey. This serves a business need for us, as we are doing a staggered release of the B2C Client and need to temporarily keep our IDP's in sync.
I have got this sample custom policy to work except for the email address. password is sending properly.
https://github.com/azure-ad-b2c/samples/tree/master/policies/store-three-letters-of-the-password
Here is the technical profile I wrote:
<TechnicalProfile Id="AAD-SyncPassword">
<DisplayName>Update Password</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">https://ourapi/api/v1/Identity/UpdatePW</Item>
<Item Key="AuthenticationType">ApiKeyHeader</Item>
<Item Key="SendClaimsIn">Body</Item>
<Item Key="AllowInsecureAuthInProduction">false</Item>
</Metadata>
<CryptographicKeys>
<Key Id="SPECIAL-KEY-HEADER" StorageReferenceId="B2C_1A_RestApiKey"/>
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" /> <!-- DOESN'T WORK -->
<InputClaim ClaimTypeReferenceId="userPrincipalName"/> <!-- WORKS -->
<InputClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password"/> <!-- WORKS -->
</InputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
This is included as a Validation Technical Profile in
<TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId">
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="Get-requiresMigration-status-password-reset" ContinueOnError="false" />
<ValidationTechnicalProfile ReferenceId="AAD-FlipMigratedFlag" ContinueOnError="false">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>requiresMigration</Value>
<Value>False</Value>
<Action>SkipThisValidationTechnicalProfile</Action>
</Precondition>
</Preconditions>
</ValidationTechnicalProfile>
<ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId"/> <!-- Attempt to get email-->
<ValidationTechnicalProfile ReferenceId="AAD-SyncPassword"/>
<ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId" />
</ValidationTechnicalProfiles>
</TechnicalProfile>
I understand that in order to access the value as an Input Claim it must be an Output Claim of a previous step (or maybe I don't understand apparently). We have a previous step already "AAD-FlipMigratedFlag" that outputs userPrincipalName although this isn't the value we need. I attempted to get the email by calling "AAD-UserReadUsingObjectId" to get email but this did not work as I still only see 'password' on the request body.
Here is the "AAD-UserReadUsingObjectId" profile from the starter park:
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
<Metadata>
<Item Key="Operation">Read</Item>
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="objectId" Required="true" />
</InputClaims>
<OutputClaims>
<!-- Optional claims -->
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
<!--<OutputClaim ClaimTypeReferenceId="displayName" />-->
<OutputClaim ClaimTypeReferenceId="otherMails" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
</OutputClaims>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
How do I get the user's email address sent to our REST API as a part of this Forgot Password User Journey?
CodePudding user response:
In "AAD-UserReadUsingObjectId", change:
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
to:
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />