I have built a custom user flow in Azure AD B2C. It is almost a direct copy of this sample policy for doing JIT migration of users: https://github.com/azure-ad-b2c/user-migration/tree/master/jit-migration-v2.
I have disabled Facebook, Google, sign-up & password reset. This leaves me with a simple sign-in form. Signing in with a user the first time will successfully migrate the user to Azure AD B2C. Signing in with the same user a second time is, however, showing me the error "The username or password provided in the request are invalid."
I tried numerous times - including getting Chrome to autofill the credentials, and I am certain that the credentials are correct (and the same credentials were used with the initial sign-in).
I tried adding a standard SignUpSignIn user flow, and with this flow, I am able to sign in correctly with the same user credentials that were just migrated to the directory. So, the password must have been saved correctly.
I must have messed something up in my custom flow, which breaks the login-NonInteractive validation technical profile (I guess). I tried comparing my files with the sample files, but I can't spot the problem :(
Any help is much appreciated.
SignUpOrSignIn.xml: https://pastebin.com/M1iYaAFU
TrustFrameworkExtension.xml: https://pastebin.com/psA0mNKH
TrustFrameworkBase.xml: https://pastebin.com/xZy8VfDE
(unfortunately, I could not include all the files in the question text, as it would exceed the max question length, so I had to put them on Pastebin)
UPDATE
Here is the log from Application Insights:
[
{
"Kind": "Headers",
"Content": {
"UserJourneyRecorderEndpoint": "urn:journeyrecorder:applicationinsights",
"CorrelationId": "403025e3-e919-4662-a000-e98e874947fa",
"EventInstance": "Event:SELFASSERTED",
"TenantId": "likvidostaging.onmicrosoft.com",
"PolicyId": "B2C_1A_JITMigraion_signup_signin"
}
},
{
"Kind": "Transition",
"Content": {
"EventName": "SELFASSERTED",
"StateName": "Initial"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.CrossSiteRequestForgeryValidationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"Statebag": {
"MACHSTATE": {
"c": "2022-06-03T07:43:31.7243667Z",
"k": "MACHSTATE",
"v": "Initial",
"p": true
},
"JC": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "JC",
"v": "en-US",
"p": true
},
"Complex-CLMS": {
"passwordPolicies": "DisablePasswordExpiration, DisableStrongPassword"
},
"ORCH_CS": {
"c": "2022-06-03T07:43:33.6955832Z",
"k": "ORCH_CS",
"v": "1",
"p": true
},
"ORCH_IDX": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "ORCH_IDX",
"v": "0",
"p": true
},
"RA": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "RA",
"v": "0",
"p": true
},
"RPP": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "RPP",
"v": "OAUTH2",
"p": true
},
"RPIPP": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "RPIPP",
"v": "OAuth2ProtocolProvider",
"p": true
},
"OTID": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "OTID",
"v": "likvidostaging.onmicrosoft.com",
"p": true
},
"APPMV": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "APPMV",
"v": "V2",
"p": true
},
"IC": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "IC",
"v": "True",
"p": true
},
"MSG(81f99852-33b6-41f3-87fd-506d1b2e6d41)": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "MSG(81f99852-33b6-41f3-87fd-506d1b2e6d41)",
"v": "{\"TenantId\":\"likvidostaging.onmicrosoft.com\",\"PolicyId\":\"B2C_1A_JITMigraion_signup_signin\",\"RedirectUri\":\"https://jwt.ms/\",\"AdditionalParameters\":{\"p\":\"B2C_1A_JITMIGRAION_SIGNUP_SIGNIN\"},\"Nonce\":\"defaultNonce\",\"ClientId\":\"bc1ad362-fd3c-4f02-9922-231ed9b1fdb8\",\"ResponseType\":\"code\",\"ResponseRedirector\":{\"URI\":\"https://jwt.ms\",\"D\":false,\"WF\":true,\"R\":false},\"Scope\":\"openid\",\"AppModelVersion\":1,\"ScopedProviders\":[]}",
"p": true,
"t": "OAuth2"
},
"IMESSAGE": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "IMESSAGE",
"v": "81f99852-33b6-41f3-87fd-506d1b2e6d41",
"p": true
},
"EID": {
"c": "2022-06-03T07:43:31.7087357Z",
"k": "EID",
"v": "urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0",
"p": true
},
"CMESSAGE": {
"c": "2022-06-03T07:43:33.6955832Z",
"k": "CMESSAGE",
"v": "81f99852-33b6-41f3-87fd-506d1b2e6d41",
"p": true
},
"ComplexItems": "_MachineEventQ, REPRM, TCTX"
},
"PredicateResult": "True"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsDisplayControlActionRequestHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": false,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsClaimVerificationRequestHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.SelfAssertedMessageValidationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": false,
"RecorderRecord": {
"Values": [
{
"Key": "Validation",
"Value": {
"Values": [
{
"Key": "SubmittedBy",
"Value": null
},
{
"Key": "ProtocolProviderType",
"Value": "SelfAssertedAttributeProvider"
},
{
"Key": "TechnicalProfileEnabled",
"Value": {
"EnabledRule": "Always",
"EnabledResult": true,
"TechnicalProfile": "REST-UserMigration-LocalAccount-SignIn"
}
},
{
"Key": "ValidationTechnicalProfile",
"Value": {
"Values": [
{
"Key": "TechnicalProfileId",
"Value": "REST-UserMigration-LocalAccount-SignIn"
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "signInName",
"PolicyClaimType": "signInName"
}
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "password",
"PolicyClaimType": "password"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "useInputPassword",
"PolicyClaimType": "useInputPassword"
}
}
]
}
},
{
"Key": "Precondition",
"Value": {
"$id": "1",
"Type": 1,
"ExecuteActionsIf": true,
"ActionTypes": [
1
],
"Values": [
"needToMigrate",
"local"
]
}
},
{
"Key": "TechnicalProfileEnabled",
"Value": {
"EnabledRule": "Always",
"EnabledResult": true,
"TechnicalProfile": "login-NonInteractive"
}
},
{
"Key": "ValidationTechnicalProfile",
"Value": {
"Values": [
{
"Key": "TechnicalProfileId",
"Value": "login-NonInteractive"
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "client_id",
"PolicyClaimType": "client_id"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "resource",
"PolicyClaimType": "resource_id"
}
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "username",
"PolicyClaimType": "signInName"
}
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "password",
"PolicyClaimType": "password"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "grant_type",
"PolicyClaimType": "grant_type"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "scope",
"PolicyClaimType": "scope"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "nca",
"PolicyClaimType": "nca"
}
},
{
"Key": "Exception",
"Value": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "The username or password provided in the request are invalid.",
"Data": {
"IsPolicySpecificError": false
}
}
}
]
}
}
]
}
}
]
},
"Statebag": {
"SE": {
"c": "2022-06-03T07:43:42.3832546Z",
"k": "SE",
"v": "Self-asserted_local",
"p": true
},
"ComplexItems": "_MachineEventQ, REPRM, TCTX, S_CTP, M_EXCP"
},
"Exception": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "The username or password provided in the request are invalid.",
"Data": {
"IsPolicySpecificError": false
}
},
"PredicateResult": "False"
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.SendRetryHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true
}
}
]
CodePudding user response:
This problem is usually caused by configuring incorrect clientID etc. in the extension file, either for the standard configuration or extension attributes.
Using this utility will avoid that.
CodePudding user response:
OK, I decided to redo my app registration setup, and strictly follow this guide: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-identity-experience-framework-applications
Previously, I had not used the names IdentityExperienceFramework and ProxyIdentityExperienceFramework for the apps, as I thought I could name them according to my use case, so I had named them MobileAppApi (IdentityExperienceFramework) and MobileApp (ProxyIdentityExperienceFramework). So now, in addition to the MobileAppApi and MobileApp app registrations, I also added the IdentityExperienceFramework and ProxyIdentityExperienceFramework apps by following the guide. I updated my TrustFrameworkExtensions.xml to use the app IDs for these new apps, and re-tried signing in. I was a bit confused as to why I could not select either of the new IdentityExperienceFramework or ProxyIdentityExperienceFramework apps when running the custom SignUpSignIn policy, so then I just picked the MobileApp application I had from before.... NOW signing in worked