AD B2C forceChangePasswordNextLogin for user flow “Sign in v2” doesn't initiate a password reset and prevents a successful login

綄美尐妖づ submitted on 2019-12-12 08:52:40

Question


I am creating new users in Azure AD B2C using the Graph client API. The JSON I send to the API looks like the following:

{
    "creationType": "LocalAccount",
    "passwordProfile": {
        "password": "a:898;keJPpN/69X",
        "forceChangePasswordNextLogin": true
    },
    "passwordPolicies": "DisablePasswordExpiration",
    "objectId": null,
    "accountEnabled": true,
    "displayName": "John Doe",
    "mailNickname": "john.doe",
    "signInNames": [
        {
            "type": "emailAddress",
            "value": "john.doe@provider.com"
        }
    ]
}

The user is then created correctly. However, once I try to log in with the newly created user using the flow "Sign in v2", I get the following error message: Invalid username or password. Looking at the sign-in attempts, the failed attempts all failed with

Status: Interrupted
Sign-in error code: 50055
Failure reason: Invalid password, entered expired password.

Starting a "Password reset v2"-flow by clicking "Forgot your password?" does correctly trigger a password reset flow with email confirmation. After entering the sent confirmation code and setting a new password, the login works as expected.

If I set "forceChangePasswordNextLogin": false, the first login works as expected. However, in this case the user is not forced to change his one-time password, so this is not really an option. Also interesting: when using the flow "Sign in" (without v2), everything works as expected and the user is forced to change the password on the first login. However, as this flow does not support custom styling, this is also not an option.

What do I have to do to get the "Sign in v2" flow to correctly trigger a password change on the first login of a user?


Answer 1:


Rather than setting passwordProfile.forceChangePasswordNextLogin to true, you can create a custom attribute (e.g. ForceResetPasswordNextLogin), set this to true when you create the local account, and then issue this as an application claim from the sign-in policy to your B2C application. After sign-in, if it is set to true, then your B2C application can initiate the password reset policy. After password reset, then your B2C application can set it to false.

You can otherwise consider a custom policy from the starter pack that includes a password change step.
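The custom-attribute approach from the answer above, as an added example that is not part of the original post or of Azure's own samples. It shows the three pieces the application has to own: the Graph create-user payload with the custom flag instead of passwordProfile.forceChangePasswordNextLogin, the post-sign-in check that sends the user into the password reset policy, and the PATCH that clears the flag afterwards. The attribute name ForceResetPasswordNextLogin, the policy ids B2C_1_signin_v2 and B2C_1_password_reset_v2, the tenant name, client id, redirect URI and the b2c-extensions-app id are all assumptions. Two practitioner details the answer leaves implicit are built in: the claims must come from an ID token the app has already validated, and the flag should only be cleared once a token issued by the reset policy (B2C puts the issuing policy name in the `tfp` claim, `acr` on older tokens) has arrived, otherwise a user who abandons the reset keeps the one-time password indefinitely.

```python
"""Added example (not from the original post): application-side handling of a
'force password reset on first login' flag kept in a B2C custom attribute.
Assumed names: custom attribute ForceResetPasswordNextLogin, policies
B2C_1_signin_v2 / B2C_1_password_reset_v2, and a b2c-extensions-app id."""
import secrets
from urllib.parse import urlencode


def extension_attribute_name(extensions_app_id: str, attribute: str) -> str:
    """Graph API property name of a B2C custom attribute:
    extension_<b2c-extensions-app application id without hyphens>_<Name>."""
    return f"extension_{extensions_app_id.replace('-', '')}_{attribute}"


def build_create_user_payload(email: str, display_name: str, password: str,
                              extensions_app_id: str,
                              attribute: str = "ForceResetPasswordNextLogin") -> dict:
    """Same local-account payload as in the question, but with
    forceChangePasswordNextLogin left False (True makes 'Sign in v2' reject
    the password with error 50055) and the custom flag set to True instead."""
    return {
        "creationType": "LocalAccount",
        "passwordProfile": {
            "password": password,
            "forceChangePasswordNextLogin": False,
        },
        "passwordPolicies": "DisablePasswordExpiration",
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": email.split("@")[0],
        "signInNames": [{"type": "emailAddress", "value": email}],
        extension_attribute_name(extensions_app_id, attribute): True,
    }


def password_reset_redirect(claims: dict, tenant: str, reset_policy: str,
                            client_id: str, redirect_uri: str,
                            flag_claim: str = "extension_ForceResetPasswordNextLogin"):
    """After sign-in: `claims` must come from an ID token the app has already
    validated (signature, issuer, audience, expiry).  If the flag claim is set,
    return the authorize URL of the password reset policy (assumed
    b2clogin.com policy-in-path form); otherwise return None."""
    flag = claims.get(flag_claim)
    if isinstance(flag, str):          # user flows may issue booleans as strings
        flag = flag.lower() == "true"
    if not flag:
        return None
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": "openid",
        "nonce": secrets.token_urlsafe(16),   # bind the reply to this request
        "state": secrets.token_urlsafe(16),
    }
    base = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{reset_policy}"
    return f"{base}/oauth2/v2.0/authorize?" + urlencode(params)


def should_clear_flag(claims: dict, reset_policy: str) -> bool:
    """Clear the flag only after a token issued by the reset policy arrives:
    B2C tokens carry the issuing policy name in 'tfp' ('acr' on older tokens).
    A token from the sign-in policy must not clear it."""
    policy = claims.get("tfp") or claims.get("acr") or ""
    return policy.lower() == reset_policy.lower()


def build_clear_flag_patch(extensions_app_id: str,
                           attribute: str = "ForceResetPasswordNextLogin") -> dict:
    """Body for PATCH /users/{objectId} once should_clear_flag() is True."""
    return {extension_attribute_name(extensions_app_id, attribute): False}


if __name__ == "__main__":
    # Constructed sample values, not real tenant data.
    ext_app = "12345678-1234-1234-1234-123456789abc"
    print(build_create_user_payload("john.doe@provider.com", "John Doe",
                                    "a:898;keJPpN/69X", ext_app))
    token_claims = {"extension_ForceResetPasswordNextLogin": True,
                    "tfp": "B2C_1_signin_v2"}
    print(password_reset_redirect(token_claims, "contoso", "B2C_1_password_reset_v2",
                                  "app-client-id", "https://app.example/redirect"))
    print(should_clear_flag({"tfp": "B2C_1_password_reset_v2"}, "B2C_1_password_reset_v2"))
    print(build_clear_flag_patch(ext_app))
```

The flag must also be issued as an application claim in the sign-in user flow (the answer's step), and the reset policy must be the only path that clears it; if the application relied on its own "password changed" page instead, a user could skip it and keep using the initial password.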



Source: https://stackoverflow.com/questions/55758050/ad-b2c-forcechangepasswordnextlogin-for-user-flow-sign-in-v2-doesnt-initiate
