I have built a custom user flow in Azure AD B2C. It is almost a direct copy of this sample policy for doing JIT migration of users: https://github.com/azure-ad-b2c/user-migration/tree/master/jit-migration-v2.
I have disabled Facebook, Google, sign-up & password reset. This leaves me with a simple sign-in form. Signing in with a user the first time will successfully migrate the user to Azure AD B2C. Signing in with the same user a second time is however showing me the error The username or password provided in the request are invalid. I tried numerous times - including getting Chrome to autofill the credentials, and I am certain that the credentials are correct (and the same credentials were used with the initial sign-in).
I tried adding a standard SignUpSignIn user flow, and with this flow, I am able to sign in correctly with the same user credentials that were just migrated to the directory. So, the password must have been saved correctly.
I must have messed something up in my custom flow, which breaks the login-NonInteractive validation technical profile (I guess). I tried comparing my files with the sample files, but I can't spot the problem :(
Any help is much appreciated.
SignUpOrSignIn.xml: https://pastebin.com/M1iYaAFU
TrustFrameworkExtension.xml: https://pastebin.com/psA0mNKH
TrustFrameworkBase.xml: https://pastebin.com/xZy8VfDE
(unfortunately, I could not include all the files in the question text, as it would exceed the max question length, so I had to put them on Pastebin)
UPDATE
Here is the log from Application Insights:
[
{
"Kind": "Headers",
"Content": {
"UserJourneyRecorderEndpoint": "urn:journeyrecorder:applicationinsights",
"CorrelationId": "403025e3-e919-4662-a000-e98e874947fa",
"EventInstance": "Event:SELFASSERTED",
"TenantId": "likvidostaging.onmicrosoft.com",
"PolicyId": "B2C_1A_JITMigraion_signup_signin"
}
},
{
"Kind": "Transition",
"Content": {
"EventName": "SELFASSERTED",
"StateName": "Initial"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.CrossSiteRequestForgeryValidationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"Statebag": {
"MACHSTATE": {
"c": "2022-06-03T07:43:31.7243667Z",
"k": "MACHSTATE",
"v": "Initial",
"p": true
},
"JC": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "JC",
"v": "en-US",
"p": true
},
"Complex-CLMS": {
"passwordPolicies": "DisablePasswordExpiration, DisableStrongPassword"
},
"ORCH_CS": {
"c": "2022-06-03T07:43:33.6955832Z",
"k": "ORCH_CS",
"v": "1",
"p": true
},
"ORCH_IDX": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "ORCH_IDX",
"v": "0",
"p": true
},
"RA": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "RA",
"v": "0",
"p": true
},
"RPP": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "RPP",
"v": "OAUTH2",
"p": true
},
"RPIPP": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "RPIPP",
"v": "OAuth2ProtocolProvider",
"p": true
},
"OTID": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "OTID",
"v": "likvidostaging.onmicrosoft.com",
"p": true
},
"APPMV": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "APPMV",
"v": "V2",
"p": true
},
"IC": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "IC",
"v": "True",
"p": true
},
"MSG(81f99852-33b6-41f3-87fd-506d1b2e6d41)": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "MSG(81f99852-33b6-41f3-87fd-506d1b2e6d41)",
"v": "{\"TenantId\":\"likvidostaging.onmicrosoft.com\",\"PolicyId\":\"B2C_1A_JITMigraion_signup_signin\",\"RedirectUri\":\"https://jwt.ms/\",\"AdditionalParameters\":{\"p\":\"B2C_1A_JITMIGRAION_SIGNUP_SIGNIN\"},\"Nonce\":\"defaultNonce\",\"ClientId\":\"bc1ad362-fd3c-4f02-9922-231ed9b1fdb8\",\"ResponseType\":\"code\",\"ResponseRedirector\":{\"URI\":\"https://jwt.ms\",\"D\":false,\"WF\":true,\"R\":false},\"Scope\":\"openid\",\"AppModelVersion\":1,\"ScopedProviders\":[]}",
"p": true,
"t": "OAuth2"
},
"IMESSAGE": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "IMESSAGE",
"v": "81f99852-33b6-41f3-87fd-506d1b2e6d41",
"p": true
},
"EID": {
"c": "2022-06-03T07:43:31.7087357Z",
"k": "EID",
"v": "urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0",
"p": true
},
"CMESSAGE": {
"c": "2022-06-03T07:43:33.6955832Z",
"k": "CMESSAGE",
"v": "81f99852-33b6-41f3-87fd-506d1b2e6d41",
"p": true
},
"ComplexItems": "_MachineEventQ, REPRM, TCTX"
},
"PredicateResult": "True"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsDisplayControlActionRequestHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": false,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsClaimVerificationRequestHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.SelfAssertedMessageValidationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": false,
"RecorderRecord": {
"Values": [
{
"Key": "Validation",
"Value": {
"Values": [
{
"Key": "SubmittedBy",
"Value": null
},
{
"Key": "ProtocolProviderType",
"Value": "SelfAssertedAttributeProvider"
},
{
"Key": "TechnicalProfileEnabled",
"Value": {
"EnabledRule": "Always",
"EnabledResult": true,
"TechnicalProfile": "REST-UserMigration-LocalAccount-SignIn"
}
},
{
"Key": "ValidationTechnicalProfile",
"Value": {
"Values": [
{
"Key": "TechnicalProfileId",
"Value": "REST-UserMigration-LocalAccount-SignIn"
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "signInName",
"PolicyClaimType": "signInName"
}
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "password",
"PolicyClaimType": "password"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "useInputPassword",
"PolicyClaimType": "useInputPassword"
}
}
]
}
},
{
"Key": "Precondition",
"Value": {
"$id": "1",
"Type": 1,
"ExecuteActionsIf": true,
"ActionTypes": [
1
],
"Values": [
"needToMigrate",
"local"
]
}
},
{
"Key": "TechnicalProfileEnabled",
"Value": {
"EnabledRule": "Always",
"EnabledResult": true,
"TechnicalProfile": "login-NonInteractive"
}
},
{
"Key": "ValidationTechnicalProfile",
"Value": {
"Values": [
{
"Key": "TechnicalProfileId",
"Value": "login-NonInteractive"
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "client_id",
"PolicyClaimType": "client_id"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "resource",
"PolicyClaimType": "resource_id"
}
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "username",
"PolicyClaimType": "signInName"
}
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "password",
"PolicyClaimType": "password"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "grant_type",
"PolicyClaimType": "grant_type"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "scope",
"PolicyClaimType": "scope"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "nca",
"PolicyClaimType": "nca"
}
},
{
"Key": "Exception",
"Value": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "The username or password provided in the request are invalid.",
"Data": {
"IsPolicySpecificError": false
}
}
}
]
}
}
]
}
}
]
},
"Statebag": {
"SE": {
"c": "2022-06-03T07:43:42.3832546Z",
"k": "SE",
"v": "Self-asserted_local",
"p": true
},
"ComplexItems": "_MachineEventQ, REPRM, TCTX, S_CTP, M_EXCP"
},
"Exception": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "The username or password provided in the request are invalid.",
"Data": {
"IsPolicySpecificError": false
}
},
"PredicateResult": "False"
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.SendRetryHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true
}
}
]
CodePudding user response:
This problem is usually caused by configuring incorrect clientID etc. in the extension file, either for the standard configuration or extension attributes.
Using this utility will avoid that.
CodePudding user response:
OK, I decided to redo my app registration setup, and strictly follow this guide: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-identity-experience-framework-applications
Previously, I had not used the names IdentityExperienceFramework and ProxyIdentityExperienceFramework for the apps, as I thought I could name them according to my use-case, so I had named them MobileAppApi (IdentityExperienceFramework) and MobileApp (ProxyIdentityExperienceFramework). So now, in addition to the MobileAppApi and MobileApp app registrations, I also added the IdentityExperienceFramework and ProxyIdentityExperienceFramework by following the guide. I updated my TrustFrameworkExtensions.xml to use the app id's for these new apps, and re-tried signing in. I was a bit confused as to why I could not select either of the new IdentityExperienceFramework or ProxyIdentityExperienceFramework apps when running the custom SignUpSignIn policy, so then I just picked the MobileApp application I has from before.... NOW signing in worked