atr4st

Reputation: 25

Azure B2C Custom Policy - Custom technical profile doesn't work in SignUp

I'm trying to use a custom technical profile for Local Account in the SignUpOrSignIn user journey. I have created the following technical profile in my customtrustframeworkextensions.xml (base: trustframeworkextensions.xml):

<ClaimsProvider>
  <DisplayName>Local Account</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="CustomLocalAccountSignUpWithLogonEmail">
      <DisplayName>Email signup</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
        <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
        <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" />
        <OutputClaim ClaimTypeReferenceId="newUser" />
        <OutputClaim ClaimTypeReferenceId="extension_XXX" />
        <!-- Optional claims, to be collected from the user -->
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surName" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="REST-ValidateProfile" />
      </ValidationTechnicalProfiles>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

REST-ValidateProfile looks like the following:

<ClaimsProvider>
  <DisplayName>REST APIs</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-ValidateProfile">
      <DisplayName>Check yyy and zzz Rest API</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- Set the ServiceUrl with your own REST API endpoint -->
        <Item Key="ServiceUrl">https://asd</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <!-- Set AuthenticationType to Basic or ClientCertificate in production environments -->
        <Item Key="AuthenticationType">ApiKeyHeader</Item>
        <!-- REMOVE the following line in production environments -->
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="Api-key" StorageReferenceId="B2C_1A_key" />
      </CryptographicKeys>
      <InputClaims>
        <!-- Claims sent to your REST API -->
        <InputClaim ClaimTypeReferenceId="email" />
        <InputClaim ClaimTypeReferenceId="extension_xxx" PartnerClaimType="xxx" />
      </InputClaims>
      <OutputClaims>
        <!-- Claims parsed from your REST API -->
        <OutputClaim ClaimTypeReferenceId="extension_yyy" PartnerClaimType="yyy" />
        <OutputClaim ClaimTypeReferenceId="extension_zzz" PartnerClaimType="zzz" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

I have modified the OrchestrationStep to use the custom technical profile in the user journey:

<OrchestrationStep Order="2" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="CustomLocalAccountSignUpWithLogonEmail" />
  </ClaimsExchanges>
</OrchestrationStep>

When I run my custom policy and select SignUp, the browser shows the error: "The page cannot be displayed because an internal server error has occurred."

There are some more specific details in Application Insights:

Exception Message:Output claim type "objectId" specified in the technical profile with id "CustomLocalAccountSignUpWithLogonEmail" in policy "B2C_1A_DEV_signup_signin" of tenant does not specify a UserInputType or a DefaultValue, and is not retrieved from a ValidationTechnicalProfile either., Exception Type:InvalidDefinitionException

Everything works OK when I use the name "LocalAccountSignUpWithLogonEmail" for the edited technical profile and the ClaimsExchange looks like this:

<ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="CustomLocalAccountSignUpWithLogonEmail" />

But when I change the name of the modified technical profile, the policy doesn't work anymore. It seems to me that the claims exchange doesn't work or something. I don't get why, because I can't find any other places that refer to LocalAccountSignUpWithLogonEmail.

I want to use a custom technical profile because I want to remove some output claims without touching the base policies.

Upvotes: 0

Views: 610

Answers (1)

Chad Hasbrook

Reputation: 221

The technical profile "CustomLocalAccountSignUpWithLogonEmail" has an output claim of the objectId, which is common when you write something. The most common pattern is:

Technical profile

-> Validation Technical 1 profile

-> Validation Technical 2 profile

That is, validation technical profile 1 maybe calls your REST API to validate the profile, then you call validation technical profile 2 to perform a write operation into the directory. When you write into the directory, it outputs an objectId, which will be output into your technical profile, and that error will go away.

Upvotes: 0
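To make the pattern in the answer concrete, here is how the question's CustomLocalAccountSignUpWithLogonEmail technical profile would declare both validation technical profiles. This is an added example, not the asker's policy and not the Microsoft starter pack verbatim; it assumes that the starter pack's AAD-UserWriteUsingLogonEmail technical profile is defined in the base policy (TrustFrameworkBase.xml), which is where the stock LocalAccountSignUpWithLogonEmail profile obtains objectId, newUser and authenticationSource. REST-ValidateProfile and extension_XXX are the identifiers from the question.

```xml
<TechnicalProfile Id="CustomLocalAccountSignUpWithLogonEmail">
  <DisplayName>Email signup</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
    <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" />
  </InputClaims>
  <OutputClaims>
    <!-- objectId has no UserInputType and no DefaultValue. That is only valid
         because the directory-write validation profile below returns it;
         without that profile the policy fails with the InvalidDefinitionException
         quoted in the question. -->
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
    <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
    <!-- authenticationSource and newUser are likewise filled in by the write profile -->
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
    <OutputClaim ClaimTypeReferenceId="newUser" />
    <OutputClaim ClaimTypeReferenceId="extension_XXX" />
    <!-- Optional claims, collected from the user -->
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surName" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <!-- 1. Validation profiles run in document order. If the REST API rejects
            the submitted claims, B2C stops here, shows the API's error on the
            page and never reaches the write below. -->
    <ValidationTechnicalProfile ReferenceId="REST-ValidateProfile" />
    <!-- 2. Only after the REST check succeeds is the account created. This
            profile is assumed to be the starter pack's AAD-UserWriteUsingLogonEmail,
            which writes the user and returns objectId, newUser and
            authenticationSource to the self-asserted profile above. -->
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
```

The order of the two ValidationTechnicalProfile elements is the point to check: the REST check has to come first so that a rejected sign-up never results in a directory object being created. The OrchestrationStep from the question does not need to change; once objectId has a source, the ClaimsExchange referencing CustomLocalAccountSignUpWithLogonEmail validates.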
