When using Azure AD B2C with Azure Mobile Apps, how is the password policy set?

Submitted by 若如初见 on 2019-12-23 23:21:07

Question


In Azure AD B2C, there are separate policies for "Sign-up/Sign-in" and "Password reset". I copy the Metadata Endpoint for the "Sign-up/Sign-in" policy and paste it into the Azure App Authentication.

This basically works, but there is no place to put in the Password reset metadata which has the templates for password reset. I think as a result of this, when you click on "Forgot password", you end up with

You do not have permission to view this directory or page.

at ~/.auth/login/aad/callback when trying to go to /xxx.onmicrosoft.com/B2C_1_b2c_sign_up_sign_in/api/CombinedSigninAndSignup/forgotPassword?csrf_token=xxx&p=B2C_1_b2c_sign_up_sign_in

Why is there no Sign-in/Sign-up/Password Reset?

Also, another strange thing is clicking on Create a new account.

If you press Cancel, again it goes to the callback need permission page.

I downloaded the policies, and the password reset one has the following, which is NOT in the sign-in policy:

<UserJourneys>
  <UserJourney Id="B2CPasswordResetV1">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
        <ClaimsProviderSelections>
          <ClaimsProviderSelection TargetClaimsExchangeId="PasswordResetUsingEmailAddressExchange" />
        </ClaimsProviderSelections>
      </OrchestrationStep>
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
<RelyingParty>
  <DefaultUserJourney ReferenceId="B2CPasswordResetV1" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="emails" />
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>

Update: I just found this:

When you create a sign-up or sign-in policy (with local accounts), the consumer will see a "Forgot password?" link on the first page of the experience. Clicking on this link doesn't automatically trigger a password reset policy. Instead, a specific error code AADB2C90118 is returned back to your app. Your app needs to handle this and invoke a specific password reset policy. A sample that demonstrates this approach of linking together policies is here.

Looks like it gets posted to callback. So it seems that the zumo callback is not able to handle the error. If the zumo callback gets a state/code/id_token, then it goes to done.


Answer 1:


Unfortunately the integrated App Service support for B2C doesn't allow your app to handle the error callback to redirect to your reset password policy. Your options at this point are:

  1. Remove the reset password link using custom CSS or
  2. Configure a custom error handler in web.config which handles the error and allows the end user to invoke your password reset policy by redirecting them to /.auth/login/aad?p=B2C_1_B2CPasswordResetV1.

I wrote a quick example of #2 in this blog post comment: https://cgillum.tech/2016/08/10/app-service-auth-and-azure-ad-b2c-part-2/#comment-581

Here is the web.config snippet I shared which shows how to handle this error and redirect to a static page on your mobile backend:

<configuration>
  <system.webServer>
    <!-- Replace the IIS default error pages with custom handling -->
    <httpErrors defaultResponseMode="File" errorMode="Custom">
      <clear />
      <!-- 401.73 is the status App Service Auth returns for the B2C error callback;
           serve a static page from which the user can start the reset policy -->
      <error statusCode="401" subStatusCode="73" path="MyPage.html" />
    </httpErrors>
  </system.webServer>
</configuration>

Other response modes are also available, including ExecuteURL and Redirect. One of these may be more appropriate than my example, which uses File, depending on your needs. More details on IIS custom errors can be found here: https://www.iis.net/configreference/system.webserver/httperrors#005.
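The callback logic described in the question's update (an `AADB2C90118` error must be turned into a redirect to the password reset policy, while a `code`/`id_token` response completes sign-in) and the answer's option 2 (send the user to `/.auth/login/aad?p=B2C_1_B2CPasswordResetV1`), written out as an added Node.js example. It is not code from the Stack Overflow post, from Azure Mobile Apps or from App Service Auth; as the answer says, the built-in `/.auth/login/aad/callback` cannot run logic like this, so it models what a custom callback handler or error page would do. The policy names, the callback path and the sample query strings are placeholders modelled on the post; the `expectedState` option is an assumed hook for the anti-CSRF `state` value your app stored when it started the login.

```javascript
// Added example, not from the original post: decide what an OpenID Connect
// callback from Azure AD B2C should do, based on the parameters it receives.
const FORGOT_PASSWORD_CODE = "AADB2C90118"; // B2C error for "Forgot password?" (from the question)
const CANCEL_CODE = "AADB2C90091";          // B2C error when the user cancels a self-asserted page
const PASSWORD_RESET_POLICY = "B2C_1_B2CPasswordResetV1"; // placeholder name from the answer
const SIGNIN_POLICY = "B2C_1_b2c_sign_up_sign_in";        // placeholder name from the question

// Collect parameters from both the query string and the fragment, since B2C
// can return the response in either depending on response_mode.
function parseCallback(url) {
  const u = new URL(url, "https://example.invalid"); // base only so relative paths parse
  const params = {};
  for (const [k, v] of u.searchParams) params[k] = v;
  if (u.hash) {
    for (const [k, v] of new URLSearchParams(u.hash.slice(1))) params[k] = v;
  }
  return params;
}

// Returns { action: "done" | "redirect" | "reject", ... } for the handler to act on.
function decideCallback(params, opts = {}) {
  const resetPath = opts.resetPath || `/.auth/login/aad?p=${PASSWORD_RESET_POLICY}`;
  const signinPath = opts.signinPath || `/.auth/login/aad?p=${SIGNIN_POLICY}`;

  // Check the state binding before trusting anything else in the response.
  if (opts.expectedState !== undefined && params.state !== opts.expectedState) {
    return { action: "reject", status: 400, reason: "state mismatch" };
  }
  // A code or id_token means the sign-in/sign-up journey completed.
  if (params.id_token || params.code) {
    return { action: "done" };
  }
  if (params.error) {
    const description = params.error_description || "";
    // "Forgot password?" is reported as an error; send the user into the reset policy.
    if (description.startsWith(FORGOT_PASSWORD_CODE)) {
      return { action: "redirect", location: resetPath };
    }
    // Cancel on "Create a new account" is also an error; restart sign-in instead of a 401 page.
    if (description.startsWith(CANCEL_CODE)) {
      return { action: "redirect", location: signinPath };
    }
    return { action: "reject", status: 401, reason: params.error };
  }
  return { action: "reject", status: 400, reason: "no code, id_token or error in callback" };
}

// Constructed sample callbacks, shaped like the ones the question describes.
const forgotPasswordCallback =
  "/.auth/login/aad/callback?error=access_denied" +
  "&error_description=AADB2C90118%3A+The+user+has+forgotten+their+password.&state=abc";
const successCallback = "/.auth/login/aad/callback#id_token=eyJ0eXAiOiJKV1QifQ.e30.sig&state=abc";

console.log(decideCallback(parseCallback(forgotPasswordCallback), { expectedState: "abc" }));
console.log(decideCallback(parseCallback(successCallback), { expectedState: "abc" }));

module.exports = { parseCallback, decideCallback, FORGOT_PASSWORD_CODE, CANCEL_CODE };
```

The `state` check comes first on purpose: an error response is still a response your app acts on (it triggers a redirect), so it gets the same CSRF binding as a successful one. If you keep the App Service integrated login and use the `httpErrors` approach from the answer instead, the same decision is reduced to what the static page or `Redirect` target does, since the 401.73 response has already stood in for the `AADB2C90118` branch.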



Source: https://stackoverflow.com/questions/42643203/when-using-azure-ad-b2c-with-azure-mobile-apps-how-is-the-password-policy-set
