
In the sample that links a federated login against a pre-created local account, if the user does not exist, an exception is thrown.

This redirects to https://<host>/MicrosoftIdentity/Account/Error

Which, as far as I understand, is this page here.

At this stage, I assume there are two possibilities, either:

  1. Customise the error page (somehow); or
  2. Change the Custom Policy so that it doesn't throw an exception and shows a self-asserted page instead (preventing SendClaims)

With regards to option 1, I've tried to find documentation on how I might trap the error or customise this page, but I haven't found anything so far. There is documentation in ASP.NET Core with regards to creating a custom error page, but it doesn't seem to apply in this case:

// Program.cs: the standard ASP.NET Core exception-handling middleware.
// It catches exceptions thrown by later middleware/endpoints, but the
// B2C remote failure is handled inside the OpenID Connect handler and
// ends up at /MicrosoftIdentity/Account/Error before this ever sees it.
if (app.Environment.IsDevelopment())
{
    //app.UseDeveloperExceptionPage();
    app.UseExceptionHandler("/Error");
}

With regards to option 2, I tried changing the AAD-FindB2CUserWithAADOid technical profile so that RaiseErrorIfClaimsPrincipalDoesNotExist is false:

        <TechnicalProfile Id="AAD-FindB2CUserWithAADOid">
          <Metadata>
            <Item Key="Operation">Read</Item>
            <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
            <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item>
          </Metadata>
          <IncludeInSso>false</IncludeInSso>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="signInNames.oidToLink" Required="true" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId"/>
            <OutputClaim ClaimTypeReferenceId="extension_requiresMigrationBool"/>
            <!-- account flagged for linking -->
          </OutputClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        </TechnicalProfile>

But that resulted in a genuine exception: the API call becomes malformed. I'm not sure why this would be the case.

For this particular circumstance, I'd like to display an Access Denied message. But it would be nice if I could create a stylised page for any Account Error.

Is either strategy okay? Am I missing something?

Mitkins

1 Answer

I've introduced the following to my Program.cs:

using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        builder.Configuration.GetSection("AzureB2C").Bind(options);

        options.Events = new OpenIdConnectEvents
        {
            // Raised when B2C returns an error on the OIDC callback instead of tokens.
            // context.Failure.Message carries the B2C error_description, which
            // starts with the error code (AADB2C99002 = user lookup failed).
            OnRemoteFailure = context =>
            {
                if (context.Failure?.Message.ToUpper().Contains("AADB2C99002") == true)
                {
                    // Send the user to our own page and tell the handler the
                    // response is done, so it does not throw / redirect to
                    // /MicrosoftIdentity/Account/Error.
                    context.Response.Redirect("/account-access");
                    context.HandleResponse();
                }

                // Any other failure keeps the default behaviour.
                return Task.CompletedTask;
            }
        };
    });

In the case where the user isn't found (in my case, they haven't been pre-created) then they'll be shown the "Access Denied" page. Which means other errors will come through as they always have.

I'm still not sure if this is an acceptable solution.

Mitkins