We are trying to do Just In Time migration with the 'SubJourney' based password reset (e.g. forgot your password).

I need to be able to migrate the user prior to resetting their password via a REST call. However, when I add the entry for our ValidationTechnicalProfile REST call

<ValidationTechnicalProfile ReferenceId="REST-UserMigration-LocalAccount-LoalAccountUserExsist"/>

the UI changes. The email verification steps (enter email, verify code) just disappear, leaving me with enter password boxes.

It goes from this (screenshot: Correct Email Verification) to this (screenshot: Just password change boxes).

The only change is the addition of the ValidationTechnicalProfile entry.

<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress-Migration">
  <DisplayName>Reset password using email address</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <IncludeInSso>false</IncludeInSso>
  <OutputClaims>
    <!-- PartnerClaimType="Verified.Email" is what makes the self-asserted page render the email + verification code UI -->
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <!-- Adding and removing this line -->
    <ValidationTechnicalProfile ReferenceId="REST-UserMigration-LocalAccount-LoalAccountUserExsist" />
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

<TechnicalProfile Id="REST-UserMigration-LocalAccount-LoalAccountUserExsist">
  <DisplayName>Migrate user password flow</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://somefunctapp-rest-api.azurewebsites.net/api/MigrateIfExists?code=ugqr4ESgMENWlRdILvuOWkksuLy-zoPm76stOuiHFtzFAzzuiHFKcw==</Item>
    <!-- B2C does not authenticate itself to this endpoint; AllowInsecureAuthInProduction is what lets that setting be used in a production policy -->
    <Item Key="AuthenticationType">None</Item>
    <Item Key="SendClaimsIn">Body</Item>
    <Item Key="AllowInsecureAuthInProduction">True</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" />
    <InputClaim ClaimTypeReferenceId="password" />
  </InputClaims>
  <OutputClaims>
    <!-- email is also output here, so the self-asserted page no longer treats it as a claim to collect -->
    <OutputClaim ClaimTypeReferenceId="migrationRequired" />
    <OutputClaim ClaimTypeReferenceId="email" />
    <OutputClaim ClaimTypeReferenceId="newPassword" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surName" />
    <OutputClaim ClaimTypeReferenceId="sub" PartnerClaimType="userId" />
    <OutputClaim ClaimTypeReferenceId="trueValue" DefaultValue="true" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

<SubJourney Id="PasswordReset-Mine" Type="Call">
  <OrchestrationSteps>
    <!-- Validate user's email address. Run this step only when user resets the password -->
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress-Migration" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!-- Collect and persist a new password. Run this step only when user resets the password -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
  </OrchestrationSteps>
</SubJourney>

What am I doing wrong? Happy to provide any additional information or screen shots.

Sen

2 Answers

Display claims mitigate these strange 'disappearing' behaviors. Output claims can have unexpected behaviors when the value exists in the claim bag. My recommendation is converting your output claims to display claims and seeing if this fixes the behavior before continuing to investigate the issue.

Chad Hasbrook
  • Do you know of any examples showing the display claims for email verification for "forgot your password"? – Sen Oct 08 '22 at 14:46
  • For others, I found this to be helpful: https://github.com/azure-ad-b2c/samples/tree/master/policies/pwd-reset-email-exists. Switching to DisplayControls did resolve the disappearing control issue. – Sen Oct 10 '22 at 19:30
In self-asserted technical profiles, only the output claims which are not output from validation technical profiles are displayed to the user. In your case, REST-UserMigration-LocalAccount-LoalAccountUserExsist has email in its output claims. Hence it won't be displayed to the user to enter information.

A good solution to such problems is to use display claims for displaying the claims to the user along with output claims.

Please refer to the docs here: Define a self-asserted technical profile in an Azure Active Directory B2C custom policy - Display Claims.

sabique
  • The issue I'm having isn't so much with the 'email not being displayed' as the loss of the 'verify email address with code' functionality (which includes the box and buttons). I'm also not trying to change any of the UI elements, just use the existing flow. Even adding `ContinueOnError="true"` to AAD-UserReadUsingEmailAddress causes the above change in UI. – Sen Oct 05 '22 at 19:14
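Both answers point at the same cause: a claim that a validation technical profile also outputs (here `email`, which REST-UserMigration-LocalAccount-LoalAccountUserExsist returns) is no longer rendered as an input by the self-asserted page, and in the asker's profile that same claim carries the PartnerClaimType="Verified.Email" that drives the send-code / verify-code UI, so the verification boxes go with it. The following is an added example, not the asker's policy and not the linked GitHub sample, of the self-asserted profile rewritten to take its email verification UI from a DisplayControl instead. It follows the verification display control pattern in the Microsoft docs and assumes that the claim type `verificationCode` and the OTP technical profiles AAD-Common-GenerateOtp, AAD-Common-SendOtp and AAD-Common-VerifyOtp (the names used in that docs sample) are defined elsewhere in the policy.

```xml
<!-- Added example (not the asker's policy or the linked sample): email verification via a
     DisplayControl so the migration REST call can keep "email" in its output claims. -->
<BuildingBlocks>
  <ContentDefinitions>
    <!-- Display controls need the selfasserted page layout at version 2.1.0 or later;
         the exact patch version below is an assumption, pick the current one for your tenant. -->
    <ContentDefinition Id="api.localaccountpasswordreset">
      <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>
    </ContentDefinition>
  </ContentDefinitions>

  <DisplayControls>
    <DisplayControl Id="emailVerificationControl" UserInterfaceControlType="VerificationControl">
      <DisplayClaims>
        <DisplayClaim ClaimTypeReferenceId="email" Required="true" />
        <DisplayClaim ClaimTypeReferenceId="verificationCode" ControlClaimType="VerificationCode" Required="true" />
      </DisplayClaims>
      <OutputClaims>
        <!-- Only the verified address leaves the control -->
        <OutputClaim ClaimTypeReferenceId="email" />
      </OutputClaims>
      <Actions>
        <Action Id="SendCode">
          <ValidationClaimsExchange>
            <!-- Assumed to exist in the policy, as in the docs' verification display control sample -->
            <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AAD-Common-GenerateOtp" />
            <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AAD-Common-SendOtp" />
          </ValidationClaimsExchange>
        </Action>
        <Action Id="VerifyCode">
          <ValidationClaimsExchange>
            <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AAD-Common-VerifyOtp" />
          </ValidationClaimsExchange>
        </Action>
      </Actions>
    </DisplayControl>
  </DisplayControls>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Local Account</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress-Migration">
        <DisplayName>Reset password using email address</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
          <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
          <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
        </Metadata>
        <CryptographicKeys>
          <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        </CryptographicKeys>
        <IncludeInSso>false</IncludeInSso>
        <!-- The UI now comes from the control, not from an output claim with Verified.Email -->
        <DisplayClaims>
          <DisplayClaim DisplayControlReferenceId="emailVerificationControl" />
        </DisplayClaims>
        <OutputClaims>
          <!-- No PartnerClaimType="Verified.Email" here: the control already verified the address,
               and it no longer matters that a validation profile also outputs "email" -->
          <OutputClaim ClaimTypeReferenceId="email" Required="true" />
          <OutputClaim ClaimTypeReferenceId="objectId" />
          <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
          <OutputClaim ClaimTypeReferenceId="authenticationSource" />
        </OutputClaims>
        <ValidationTechnicalProfiles>
          <!-- Both run after the page submits, in this order: migrate first, then read the directory user -->
          <ValidationTechnicalProfile ReferenceId="REST-UserMigration-LocalAccount-LoalAccountUserExsist" />
          <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
        </ValidationTechnicalProfiles>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Two things worth checking when adopting this. First, the content definition referenced by ContentDefinitionReferenceId must use a selfasserted page layout of 2.1.0 or newer, otherwise the display control renders nothing and the page looks exactly like the "just password boxes" screenshot again. Second, the migration endpoint in the question is called with AuthenticationType None and AllowInsecureAuthInProduction True while receiving the user's password in the body; the RESTful provider also supports Basic, Bearer and ClientCertificate authentication backed by policy keys, which keeps the credential out of the ServiceUrl and lets the endpoint reject callers that are not the B2C tenant.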