I have built a custom user flow in Azure AD B2C. It is almost a direct copy of this sample policy for doing JIT migration of users: https://github.com/azure-ad-b2c/user-migration/tree/master/jit-migration-v2.
I have disabled Facebook, Google, sign-up & password reset. This leaves me with a simple sign-in form. Signing in with a user the first time will successfully migrate the user to Azure AD B2C. Signing in with the same user a second time is however showing me the error The username or password provided in the request are invalid.
I tried numerous times – including getting Chrome to autofill the credentials, and I am certain that the credentials are correct (and the same credentials were used with the initial sign-in).
I tried adding a standard SignUpSignIn user flow, and with this flow, I am able to sign in correctly with the same user credentials that were just migrated to the directory. So, the password must have been saved correctly.
I must have messed something up in my custom flow, which breaks the login-NonInteractive validation technical profile (I guess). I tried comparing my files with the sample files, but I can't spot the problem 🙁
Any help is much appreciated.
SignUpOrSignIn.xml: https://pastebin.com/M1iYaAFU
TrustFrameworkExtension.xml: https://pastebin.com/psA0mNKH
TrustFrameworkBase.xml: https://pastebin.com/xZy8VfDE
(unfortunately, I could not include all the files in the question text, as it would exceed the max question length, so I had to put them on Pastebin)
UPDATE
Here is the log from Application Insights:
[
{
"Kind": "Headers",
"Content": {
"UserJourneyRecorderEndpoint": "urn:journeyrecorder:applicationinsights",
"CorrelationId": "403025e3-e919-4662-a000-e98e874947fa",
"EventInstance": "Event:SELFASSERTED",
"TenantId": "likvidostaging.onmicrosoft.com",
"PolicyId": "B2C_1A_JITMigraion_signup_signin"
}
},
{
"Kind": "Transition",
"Content": {
"EventName": "SELFASSERTED",
"StateName": "Initial"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.CrossSiteRequestForgeryValidationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"Statebag": {
"MACHSTATE": {
"c": "2022-06-03T07:43:31.7243667Z",
"k": "MACHSTATE",
"v": "Initial",
"p": true
},
"JC": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "JC",
"v": "en-US",
"p": true
},
"Complex-CLMS": {
"passwordPolicies": "DisablePasswordExpiration, DisableStrongPassword"
},
"ORCH_CS": {
"c": "2022-06-03T07:43:33.6955832Z",
"k": "ORCH_CS",
"v": "1",
"p": true
},
"ORCH_IDX": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "ORCH_IDX",
"v": "0",
"p": true
},
"RA": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "RA",
"v": "0",
"p": true
},
"RPP": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "RPP",
"v": "OAUTH2",
"p": true
},
"RPIPP": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "RPIPP",
"v": "OAuth2ProtocolProvider",
"p": true
},
"OTID": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "OTID",
"v": "likvidostaging.onmicrosoft.com",
"p": true
},
"APPMV": {
"c": "2022-06-03T07:43:31.5681012Z",
"k": "APPMV",
"v": "V2",
"p": true
},
"IC": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "IC",
"v": "True",
"p": true
},
"MSG(81f99852-33b6-41f3-87fd-506d1b2e6d41)": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "MSG(81f99852-33b6-41f3-87fd-506d1b2e6d41)",
"v": "{\"TenantId\":\"likvidostaging.onmicrosoft.com\",\"PolicyId\":\"B2C_1A_JITMigraion_signup_signin\",\"RedirectUri\":\"https://jwt.ms/\",\"AdditionalParameters\":{\"p\":\"B2C_1A_JITMIGRAION_SIGNUP_SIGNIN\"},\"Nonce\":\"defaultNonce\",\"ClientId\":\"bc1ad362-fd3c-4f02-9922-231ed9b1fdb8\",\"ResponseType\":\"code\",\"ResponseRedirector\":{\"URI\":\"https://jwt.ms\",\"D\":false,\"WF\":true,\"R\":false},\"Scope\":\"openid\",\"AppModelVersion\":1,\"ScopedProviders\":[]}",
"p": true,
"t": "OAuth2"
},
"IMESSAGE": {
"c": "2022-06-03T07:43:31.6931571Z",
"k": "IMESSAGE",
"v": "81f99852-33b6-41f3-87fd-506d1b2e6d41",
"p": true
},
"EID": {
"c": "2022-06-03T07:43:31.7087357Z",
"k": "EID",
"v": "urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0",
"p": true
},
"CMESSAGE": {
"c": "2022-06-03T07:43:33.6955832Z",
"k": "CMESSAGE",
"v": "81f99852-33b6-41f3-87fd-506d1b2e6d41",
"p": true
},
"ComplexItems": "_MachineEventQ, REPRM, TCTX"
},
"PredicateResult": "True"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsDisplayControlActionRequestHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": false,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsClaimVerificationRequestHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.SelfAssertedMessageValidationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": false,
"RecorderRecord": {
"Values": [
{
"Key": "Validation",
"Value": {
"Values": [
{
"Key": "SubmittedBy",
"Value": null
},
{
"Key": "ProtocolProviderType",
"Value": "SelfAssertedAttributeProvider"
},
{
"Key": "TechnicalProfileEnabled",
"Value": {
"EnabledRule": "Always",
"EnabledResult": true,
"TechnicalProfile": "REST-UserMigration-LocalAccount-SignIn"
}
},
{
"Key": "ValidationTechnicalProfile",
"Value": {
"Values": [
{
"Key": "TechnicalProfileId",
"Value": "REST-UserMigration-LocalAccount-SignIn"
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "signInName",
"PolicyClaimType": "signInName"
}
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "password",
"PolicyClaimType": "password"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "useInputPassword",
"PolicyClaimType": "useInputPassword"
}
}
]
}
},
{
"Key": "Precondition",
"Value": {
"$id": "1",
"Type": 1,
"ExecuteActionsIf": true,
"ActionTypes": [
1
],
"Values": [
"needToMigrate",
"local"
]
}
},
{
"Key": "TechnicalProfileEnabled",
"Value": {
"EnabledRule": "Always",
"EnabledResult": true,
"TechnicalProfile": "login-NonInteractive"
}
},
{
"Key": "ValidationTechnicalProfile",
"Value": {
"Values": [
{
"Key": "TechnicalProfileId",
"Value": "login-NonInteractive"
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "client_id",
"PolicyClaimType": "client_id"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "resource",
"PolicyClaimType": "resource_id"
}
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "username",
"PolicyClaimType": "signInName"
}
},
{
"Key": "MappingPartnerTypeForClaim",
"Value": {
"PartnerClaimType": "password",
"PolicyClaimType": "password"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "grant_type",
"PolicyClaimType": "grant_type"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "scope",
"PolicyClaimType": "scope"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "nca",
"PolicyClaimType": "nca"
}
},
{
"Key": "Exception",
"Value": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "The username or password provided in the request are invalid.",
"Data": {
"IsPolicySpecificError": false
}
}
}
]
}
}
]
}
}
]
},
"Statebag": {
"SE": {
"c": "2022-06-03T07:43:42.3832546Z",
"k": "SE",
"v": "Self-asserted_local",
"p": true
},
"ComplexItems": "_MachineEventQ, REPRM, TCTX, S_CTP, M_EXCP"
},
"Exception": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "The username or password provided in the request are invalid.",
"Data": {
"IsPolicySpecificError": false
}
},
"PredicateResult": "False"
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.SendRetryHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true
}
}
]
2 Answers
OK, I decided to redo my app registration setup, and strictly follow this guide: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-identity-experience-framework-applications

Previously, I had not used the names IdentityExperienceFramework and ProxyIdentityExperienceFramework for the apps, as I thought I could name them according to my use-case, so I had named them MobileAppApi (IdentityExperienceFramework) and MobileApp (ProxyIdentityExperienceFramework). So now, in addition to the MobileAppApi and MobileApp app registrations, I also added the IdentityExperienceFramework and ProxyIdentityExperienceFramework by following the guide. I updated my TrustFrameworkExtensions.xml to use the app IDs for these new apps, and re-tried signing in. I was a bit confused as to why I could not select either of the new IdentityExperienceFramework or ProxyIdentityExperienceFramework apps when running the custom SignUpSignIn policy, so then I just picked the MobileApp application I had from before.... NOW signing in worked 🤯 So, it seems like those IdentityExperienceFramework and ProxyIdentityExperienceFramework are some "magic" app registrations you just have to always add.

This problem is usually caused by configuring incorrect clientID etc. in the extension file, either for the standard configuration or extension attributes. Using this utility will avoid that.
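As an added example (not code from the question, the answers, or Microsoft's sample repository): the values both answers point at live in the login-NonInteractive technical profile of TrustFrameworkExtensions.xml, where client_id must carry the ProxyIdentityExperienceFramework application ID and resource_id (sent to the token endpoint as resource, exactly the mapping visible in the Application Insights log above) must carry the IdentityExperienceFramework application ID. The script below embeds a constructed fragment in that layout (the tenant name contoso.onmicrosoft.com and both GUIDs are made up) and checks that the two values are present, are real GUIDs rather than the starter-pack placeholders, agree with the Metadata items, and refer to two different app registrations. Running it against a real TrustFrameworkExtensions.xml before uploading the policy catches the class of misconfiguration that produces "The username or password provided in the request are invalid" on an otherwise correct password.

```python
"""Sanity-check the IEF app IDs in the login-NonInteractive profile.

Added example, not part of the original question or answers. Usage:
    python check_ief.py TrustFrameworkExtensions.xml
With no argument it checks the constructed sample embedded below.
"""
import re
import xml.etree.ElementTree as ET

# Namespace shared by every Azure AD B2C policy file (Base, Extensions, RP).
NS = {"b2c": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
# Placeholder tokens from the starter-pack template; they must be replaced with
# the real application (client) IDs before the policy is uploaded.
PLACEHOLDERS = {"ProxyIdentityExperienceFrameworkAppId",
                "IdentityExperienceFrameworkAppId"}

# Constructed sample TrustFrameworkExtensions.xml fragment for this example.
# Layout follows the starter pack; tenant name and both GUIDs are made up.
SAMPLE_EXTENSIONS_XML = """\
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com"
    PolicyId="B2C_1A_TrustFrameworkExtensions"
    PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <!-- client_id: ProxyIdentityExperienceFramework app; audience/resource: IdentityExperienceFramework app -->
          <Metadata>
            <Item Key="client_id">11111111-2222-3333-4444-555555555555</Item>
            <Item Key="IdTokenAudience">66666666-7777-8888-9999-000000000000</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id"
                        DefaultValue="11111111-2222-3333-4444-555555555555" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource"
                        DefaultValue="66666666-7777-8888-9999-000000000000" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""


def extract_ief_ids(xml_text):
    """Pull the four IEF-related values out of the login-NonInteractive profile.

    Returns a dict with keys metadata_client_id, id_token_audience,
    input_client_id and input_resource_id; anything not present is None so
    the caller can report every gap at once instead of stopping at the first.
    """
    root = ET.fromstring(xml_text)
    ids = {"metadata_client_id": None, "id_token_audience": None,
           "input_client_id": None, "input_resource_id": None}
    for tp in root.iterfind(".//b2c:TechnicalProfile", NS):
        if tp.get("Id") != "login-NonInteractive":
            continue
        for item in tp.iterfind("./b2c:Metadata/b2c:Item", NS):
            if item.get("Key") == "client_id":
                ids["metadata_client_id"] = (item.text or "").strip()
            elif item.get("Key") == "IdTokenAudience":
                ids["id_token_audience"] = (item.text or "").strip()
        for claim in tp.iterfind("./b2c:InputClaims/b2c:InputClaim", NS):
            ref = claim.get("ClaimTypeReferenceId")
            if ref in ("client_id", "resource_id"):
                ids["input_" + ref] = claim.get("DefaultValue")
    return ids


def check_ief_config(xml_text):
    """Return a list of problems; an empty list means the profile is consistent."""
    ids = extract_ief_ids(xml_text)
    problems = []
    for name, value in ids.items():
        if value is None:
            problems.append(f"{name}: missing from login-NonInteractive")
        elif value in PLACEHOLDERS:
            problems.append(f"{name}: still the starter-pack placeholder {value}")
        elif not GUID_RE.match(value):
            problems.append(f"{name}: not a GUID ({value!r})")
    # The ROPC call is made as the proxy app *against* the IEF app, so these
    # must be two distinct registrations, not one app reused for both roles.
    if ids["input_client_id"] and ids["input_client_id"] == ids["input_resource_id"]:
        problems.append("client_id and resource_id are the same app; "
                        "ProxyIdentityExperienceFramework and IdentityExperienceFramework must differ")
    if ids["metadata_client_id"] and ids["input_client_id"] \
            and ids["metadata_client_id"] != ids["input_client_id"]:
        problems.append("Metadata client_id and InputClaim client_id disagree")
    if ids["id_token_audience"] and ids["input_resource_id"] \
            and ids["id_token_audience"] != ids["input_resource_id"]:
        problems.append("IdTokenAudience and resource_id disagree")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXTENSIONS_XML
    for line in check_ief_config(text) or ["login-NonInteractive looks consistent"]:
        print(line)
```

The check only covers the policy file; it cannot tell you whether the GUIDs belong to app registrations that actually exist in the tenant, or whether the proxy app has been granted (and admin-consented for) the user_impersonation scope exposed by the IEF app, which the linked tutorial sets up. Treat a clean run as a necessary, not sufficient, condition.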