
I have a B2C tenant set up using the OOB sign-up/sign-in user flow, working fine. I have also implemented a custom policy to allow the user to change their password when they are already signed in to our application, according to this article.

When testing, if I directly navigate to the custom policy endpoint, it first prompts me to sign in and then takes me to the password change form, which works fine. However, in our case, since the user is already signed in to our application, we would like to bypass the sign-in form and take the user directly to the password change form. According to this article I can remove the prompt=login from the URL and it should bypass the sign-in form if the user is already signed in.

To test this, I first log in to my app using the signup/signin user flow and then invoke the custom policy URL in the same browser tab session without the prompt=login. It does take me directly to the password change form; however, I get the following error when I try to change the password:

Invalid username or password

I have confirmed that I am entering the correct current password. How can I troubleshoot this and where might the issue be?

Thanks, Param

Julian.Net

1 Answer


This is typical of incorrect setup of custom policies.

Delete the two app registrations: ProxyIEF and IEF apps.

Run the tool to set it up for you: https://aka.ms/iefsetup.

Test sign in works with the custom policy.

Then follow the document you linked again to set up the password change flow. You can download the policies back from the Portal to work with.

Jas Suri - MSFT
  • Hi Jas, I followed your steps by deleting the two app registrations and using the tool to perform the base setup of the custom policies. I then followed the steps [here](https://docs.microsoft.com/en-us/azure/active-directory-b2c/add-password-change-policy?msclkid=f8b9e3a3c1a811ecaa8b912510723a65&pivots=b2c-custom-policy) to re-set up the PasswordChange policy. After doing so, the same symptoms persist. If I invoke the flow with the "prompt=login", everything works fine. Without the "prompt=login", a browser tab session that is already authenticated gives the "Invalid username or password". – Julian.Net Apr 21 '22 at 20:00
  • So I tried signing in using the B2C_1A_SIGNUP_SIGNIN custom policy that was created instead of the B2C_1_SignUp_SignIn user flow I was using and then tried to change the password in the same session and it worked! So this tells me that the Password Change custom policy is expecting some input the user flow is not providing? How can I rectify this? I would generally prefer to use User Flows wherever possible and only use custom policies where needed (e.g. password change) – Julian.Net Apr 21 '22 at 22:19
  • It’s because the claim names across user flow and custom policy are different. So in custom policy, when using the session claims from user flow, the email is null, hence it always gets bad password error when trying to verify the email password combo. Use one or the other. – Jas Suri - MSFT Apr 21 '22 at 23:24
  • Thanks Jas. Too bad I could not have a mix of user flows and custom policies. So I migrated my SignUp/SignIn user flow to a custom policy and it is working now. However, I did notice that if I sign up for a new user account and in that same session attempt to change the password using the ChangePassword custom policy, I get the "Invalid username or password" on the change password form. Is this because the output claim names from the signup portion of the user journey are different? – Julian.Net Apr 26 '22 at 22:07
  • Very likely. I think during sign in we use “signInName”, but during signup we use “email”. You could use a “copy claim” claim transformation to copy the “email” claim into “signInName” claim and use SM-AAD session management technical profile to store it into the cookie during the sign up flow – Jas Suri - MSFT Apr 27 '22 at 02:19
  • Thanks Jas. I was able to add a "CopyClaim" transformation to copy the "email" claim into the "signInName" claim and it worked. – Julian.Net Apr 27 '22 at 22:10
  • @JasSuri-MSFT I'm struggling with the issue as I can't get rid of the login screen in change password even when I am logged in. Is there a sample app using the change password flow anywhere? – rdhaundiyal Aug 25 '23 at 04:38
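A worked version of the fix Jas Suri describes in the comments (copy "email" into "signInName" during sign-up so the SM-AAD session cookie carries a sign-in name the password-change policy can verify against). This is an added example, not code from the thread or from Microsoft's published sample; it assumes the Azure AD B2C starter-pack names LocalAccountSignUpWithLogonEmail and SM-AAD and the starter-pack claim types email and signInName, and it is meant to be merged into the tenant's extensions policy. The transformation Id CopyEmailToSignInName is a name chosen here.

```xml
<!-- Added example (not from the thread). Assumes the starter-pack technical
     profile names LocalAccountSignUpWithLogonEmail and SM-AAD; merge these
     elements into TrustFrameworkExtensions.xml. -->
<BuildingBlocks>
  <ClaimsTransformations>
    <!-- Sign-up populates "email"; sign-in and the password-change policy read
         "signInName". Copy one into the other so the session written by SM-AAD
         after sign-up carries a non-null signInName. Id chosen for this example. -->
    <ClaimsTransformation Id="CopyEmailToSignInName" TransformationMethod="CopyClaim">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="signInName" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Local Account</DisplayName>
    <TechnicalProfiles>
      <!-- Override of the base sign-up profile: emit signInName and run the copy
           after the account has been created, so SM-AAD persists the filled claim. -->
      <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="signInName" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="CopyEmailToSignInName" />
        </OutputClaimsTransformations>
        <!-- Assumed to already be set on the base profile; restated so the
             override documents which session profile stores the claim. -->
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

To check it, upload the extensions policy, sign up a new account with the custom sign-up/sign-in policy, then open the password-change policy in the same browser session without prompt=login: the current-password check now has a sign-in name to verify against. The diagnosis in the thread is worth remembering when triaging failed credential checks: a null session claim surfaces as a generic "Invalid username or password", indistinguishable from a wrong password, so keeping claim names consistent across every policy that shares the session cookie removes that ambiguity.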