I have built a custom user flow in Azure AD B2C. It is almost a direct copy of this sample policy for doing JIT migration of users: https://github.com/azure-ad-b2c/user-migration/tree/master/jit-migration-v2.
I have disabled Facebook, Google, sign-up & password reset. This leaves me with a simple sign-in form. Signing in with a user the first time will successfully migrate the user to Azure AD B2C. Signing in with the same user a second time is however showing me the error The username or password provided in the request are invalid. I tried numerous times – including getting Chrome to autofill the credentials, and I am certain that the credentials are correct (and the same credentials were used with the initial sign-in).
I tried adding a standard SignUpSignIn user flow, and with this flow, I am able to sign in correctly with the same user credentials that were just migrated to the directory. So, the password must have been saved correctly.
I must have messed something up in my custom flow, which breaks the login-NonInteractive validation technical profile (I guess). I tried comparing my files with the sample files, but I can’t spot the problem 🙁
Any help is much appreciated.
SignUpOrSignIn.xml: https://pastebin.com/M1iYaAFU
TrustFrameworkExtension.xml: https://pastebin.com/psA0mNKH
TrustFrameworkBase.xml: https://pastebin.com/xZy8VfDE
(unfortunately, I could not include all the files in the question text, as it would exceed the max question length, so I had to put them on Pastebin)
UPDATE
Here is the log from Application Insights:
[
{
"Kind": "Headers",
"Content": {
"UserJourneyRecorderEndpoint": "urn:journeyrecorder:applicationinsights",
"CorrelationId": "403025e3-e919-4662-a000-e98e874947fa",
"EventInstance": "Event:SELFASSERTED",
"TenantId": "likvidostaging.onmicrosoft.com",
"PolicyId": "B2C_1A_JITMigraion_signup_signin"
}
},
{
"Kind": "Transition",
"Content": {
"EventName": "SELFASSERTED",
"StateName": "Initial"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.CrossSiteRequestForgeryValidationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"Statebag": {
"MACHSTATE": {
"c": "2022-06-03T07:43:31.7243667Z",
"k": "MACHSTATE",
"v": "Initial",
"p": true
},
"JC": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "JC",
"v": "en-US",
"p": true
},
"Complex-CLMS": {
"passwordPolicies": "DisablePasswordExpiration, DisableStrongPassword"
},
"ORCH_CS": {
"c": "2022-06-03T07:43:33.6955832Z",
"k": "ORCH_CS",
"v": "1",
"p": true
},
"ORCH_IDX": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "ORCH_IDX",
"v": "0",
"p": true
},
"RA": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "RA",
"v": "0",
"p": true
},
"RPP": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "RPP",
"v": "OAUTH2",
"p": true
},
"RPIPP": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "RPIPP",
"v": "OAuth2ProtocolProvider",
"p": true
},
"OTID": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "OTID",
"v": "likvidostaging.onmicrosoft.com",
"p": true
},
"APPMV": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "APPMV",
"v": "V2",
"p": true
},
"IC": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "IC",
"v": "True",
"p": true
},
"MSG(81f99852-33b6-41f3-87fd-506d1b2e6d41)": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "MSG(81f99852-33b6-41f3-87fd-506d1b2e6d41)",
"v": "{"TenantId":"likvidostaging.onmicrosoft.com","PolicyId":"B2C_1A_JITMigraion_signup_signin","RedirectUri":"https://jwt.ms/","AdditionalParameters":{"p":"B2C_1A_JITMIGRAION_SIGNUP_SIGNIN"},"Nonce":"defaultNonce","ClientId":"bc1ad362-fd3c-4f02-9922-231ed9b1fdb8","ResponseType":"code","ResponseRedirector":{"URI":"https://jwt.ms","D":false,"WF":true,"R":false},"Scope":"openid","AppModelVersion":1,"ScopedProviders":[]}",
"p": true,
"t": "OAuth2"
},
"IMESSAGE": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "IMESSAGE",
"v": "81f99852-33b6-41f3-87fd-506d1b2e6d41",
"p": true
},
"EID": {
"c": "2022-06-03T07:43:31.7087357Z",
"k": "EID",
"v": "urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0",
"p": true
},
"CMESSAGE": {
"c": "2022-06-03T07:43:33.6955832Z",
"k": "CMESSAGE",
"v": "81f99852-33b6-41f3-87fd-506d1b2e6d41",
"p": true
},
"ComplexItems": "_MachineEventQ, REPRM, TCTX"
},
"PredicateResult": "True"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsDisplayControlActionRequestHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": false,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsClaimVerificationRequestHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.SelfAssertedMessageValidationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": false,
"RecorderRecord": {
"Values": [
{
"Key": "Validation",
"Value": {
"Values": [
{
"Key": "SubmittedBy",
"Value": null
},
{
"Key": "ProtocolProviderType",
"Value": "SelfAssertedAttributeProvider"
},
{
"Key": "TechnicalProfileEnabled",
"Value": {
"EnabledRule": "Always",
"EnabledResult": true,
"TechnicalProfile": "REST-UserMigration-LocalAccount-SignIn"
}
},
{
"Key": "ValidationTechnicalProfile",
"Value": {
"Values": [
{
"Key": "TechnicalProfileId",
"Value": "REST-UserMigration-LocalAccount-SignIn"
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "signInName",
"PolicyClaimType": "signInName"
}
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "password",
"PolicyClaimType": "password"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "useInputPassword",
"PolicyClaimType": "useInputPassword"
}
}
]
}
},
{
"Key": "Precondition",
"Value": {
"$id": "1",
"Type": 1,
"ExecuteActionsIf": true,
"ActionTypes": [
1
],
"Values": [
"needToMigrate",
"local"
]
}
},
{
"Key": "TechnicalProfileEnabled",
"Value": {
"EnabledRule": "Always",
"EnabledResult": true,
"TechnicalProfile": "login-NonInteractive"
}
},
{
"Key": "ValidationTechnicalProfile",
"Value": {
"Values": [
{
"Key": "TechnicalProfileId",
"Value": "login-NonInteractive"
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "client_id",
"PolicyClaimType": "client_id"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "resource",
"PolicyClaimType": "resource_id"
}
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "username",
"PolicyClaimType": "signInName"
}
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "password",
"PolicyClaimType": "password"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "grant_type",
"PolicyClaimType": "grant_type"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "scope",
"PolicyClaimType": "scope"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "nca",
"PolicyClaimType": "nca"
}
},
{
"Key": "Exception",
"Value": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "The username or password provided in the request are invalid.",
"Data": {
"IsPolicySpecificError": false
}
}
}
]
}
}
]
}
}
]
},
"Statebag": {
"SE": {
"c": "2022-06-03T07:43:42.3832546Z",
"k": "SE",
"v": "Self-asserted_local",
"p": true
},
"ComplexItems": "_MachineEventQ, REPRM, TCTX, S_CTP, M_EXCP"
},
"Exception": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "The username or password provided in the request are invalid.",
"Data": {
"IsPolicySpecificError": false
}
},
"PredicateResult": "False"
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.SendRetryHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true
}
}
]
2
Answers
OK, I decided to redo my app registration setup, and strictly follow this guide: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-identity-experience-framework-applications
Previously, I had not used the names
IdentityExperienceFrameworkandProxyIdentityExperienceFrameworkfor the apps, as I thought I could name them according to my use-case, so I had named themMobileAppApi(IdentityExperienceFramework) andMobileApp(ProxyIdentityExperienceFramework). So now, in addition to theMobileAppApiandMobileAppapp registrations, I also added theIdentityExperienceFrameworkandProxyIdentityExperienceFrameworkby following the guide. I updated myTrustFrameworkExtensions.xmlto use the app id's for these new apps, and re-tried signing in. I was a bit confused as to why I could not select either of the newIdentityExperienceFrameworkorProxyIdentityExperienceFrameworkapps when running the custom SignUpSignIn policy, so then I just picked theMobileAppapplication I has from before.... NOW signing in worked 🤯So, it seems like those
IdentityExperienceFrameworkandProxyIdentityExperienceFrameworkare some "magic" app registrations you just have to always add.This problem is usually caused by configuring incorrect clientID etc. in the extension file, either for the standard configuration or extension attributes.
Using this utility will avoid that.