
I'm using the reset password sample from the Azure AD B2C samples repository:

https://github.com/azure-ad-b2c/samples/tree/master/policies/pwd-reset-email-exists

I'm experiencing a timeout/expiry issue in the user journey. Below are the reproduction steps:

  1. Enter user email in Forgotten password flow
  2. Click on Send verification code.
  3. The user receives the OTP, but do not enter it.
  4. Wait for 10 minutes.
  5. Click on Send new code.
  6. Wait for 15 mins and enter the OTP.
  7. Click on Verify Code.

The verification succeeds, but once I click on Continue, I expect to see the password input screen. However, I am simply redirected to the beginning of the user journey and forced to enter my email and go through the OTP verification again.

If I enter the OTP within minutes of receiving it, there isn't any issue. The issue only occurs after waiting for 10 and 15 minutes respectively. I suspect that there is some timeout or session expiration, but I couldn't find anything in the documentation which addresses this.

Any help would be appreciated.

bawse
  • @kavyasaraboju-MT I appreciate your answer, but unfortunately it has not addressed the issue I'm facing. Your answer seems to apply to the default OTP validity, but I'm not using the default. I have an OTP technical profile with an OTP validity of 30 minutes. – bawse Mar 16 '22 at 10:42

1 Answer


By default, the expiry time of the email verification code is 5 minutes, and we cannot change or extend it.

If you need to disable the email verification system, you can refer to Disable Email verification.

Also, we need to note that when MFA is activated for the self-service password reset of a SignIn user flow, you may have to verify the e-mail twice.

Please check if a custom policy with an OTP technical profile can be created (if needed), where we can set CodeExpirationInSeconds:

<TechnicalProfile Id="GenerateCode">
  <DisplayName>Generate Code</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.OneTimePasswordProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="Operation">GenerateCode</Item>
    <!-- validity window of the generated code; 600 seconds = 10 minutes -->
    <Item Key="CodeExpirationInSeconds">600</Item>
    <Item Key="CodeLength">6</Item>
    ...
  </Metadata>
  <InputClaims>
    ...
  </InputClaims>
</TechnicalProfile>
kavyaS
  • I have already configured a custom OTP technical profile for email verification, and the code expiration is set to 30 minutes there. I can't find that quote anywhere in the links/documentation you have linked... – bawse Mar 15 '22 at 15:54
  • Please check [this AAD FAQ](https://learn.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq#:~:text=The%20email%20and%20SMS%20one%2Dtime%20passcode%20are%20valid%20for%205%20minutes%20during%20the%20password%20reset%20session.) – kavyaS Mar 15 '22 at 16:08
  • Does the 15 minute expiry apply even if we have configured an OTP that expires in 30 minutes? This seems a little odd. – bawse Mar 16 '22 at 10:26
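An added example, not code from the question, the answer or the linked sample: a small audit script that parses a B2C policy file, picks out every technical profile backed by the OneTimePasswordProtocolProvider handler (as in the answer's GenerateCode profile above) and reports each code's validity window, so an unusually long CodeExpirationInSeconds is visible before the policy is uploaded. The 600 s default, the 60..1200 s bounds and the 6-digit default length are assumptions rather than values from this page, and the second profile in the sample policy is constructed to mirror the asker's 30-minute setting.

```python
import xml.etree.ElementTree as ET

B2C_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
OTP_HANDLER = "Web.TPEngine.Providers.OneTimePasswordProtocolProvider"
DEFAULT_EXPIRY = 600                 # assumed B2C default when the key is omitted
MIN_EXPIRY, MAX_EXPIRY = 60, 1200    # assumed documented bounds; check your reference

# Constructed sample: the answer's GenerateCode profile (600 s) plus a second
# profile with the 30-minute validity the asker described (1800 s).
SAMPLE_POLICY = f"""<TrustFrameworkPolicy xmlns="{B2C_NS}">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="GenerateCode">
      <Protocol Name="Proprietary" Handler="{OTP_HANDLER}, Web.TPEngine" />
      <Metadata>
        <Item Key="Operation">GenerateCode</Item>
        <Item Key="CodeExpirationInSeconds">600</Item>
        <Item Key="CodeLength">6</Item>
      </Metadata>
    </TechnicalProfile>
    <TechnicalProfile Id="GenerateCode-Long">
      <Protocol Name="Proprietary" Handler="{OTP_HANDLER}, Web.TPEngine" />
      <Metadata>
        <Item Key="Operation">GenerateCode</Item>
        <Item Key="CodeExpirationInSeconds">1800</Item>
      </Metadata>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

def audit_otp_profiles(policy_xml: str) -> list:
    """One finding per OTP GenerateCode profile: id, validity window, range check."""
    ns = f"{{{B2C_NS}}}"
    findings = []
    for tp in ET.fromstring(policy_xml).iter(ns + "TechnicalProfile"):
        proto = tp.find(ns + "Protocol")
        if proto is None or not proto.get("Handler", "").startswith(OTP_HANDLER):
            continue  # not an OTP provider profile
        meta = {i.get("Key"): (i.text or "").strip() for i in tp.iter(ns + "Item")}
        if meta.get("Operation") != "GenerateCode":
            continue  # VerifyCode profiles do not set their own expiry
        expiry = int(meta.get("CodeExpirationInSeconds", DEFAULT_EXPIRY))
        findings.append({"id": tp.get("Id"), "expiry_seconds": expiry,
                         "code_length": int(meta.get("CodeLength", 6)),  # 6 assumed default
                         "out_of_range": not MIN_EXPIRY <= expiry <= MAX_EXPIRY})
    return findings

if __name__ == "__main__":
    for f in audit_otp_profiles(SAMPLE_POLICY):
        flag = "  <-- outside assumed range" if f["out_of_range"] else ""
        print(f"{f['id']}: valid for {f['expiry_seconds']} s, {f['code_length']} digits{flag}")
```

Point it at your own TrustFrameworkExtensions file by reading it into a string in place of SAMPLE_POLICY; the default-namespace handling is what makes the lookups work on real B2C policies.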