I am not able to find proper documentation on how to get started with the scenarios below:
Forgot password. I have setup the reset password policy in Azure AD B2C and the user can click Forgot Password which redirects the user to a controller action in my app. But I'm not really sure what to do from here.
Reset password from user profile in my app. In my app, I would like the user to be able to click "Reset Password" which would redirect the user to having their password reset.
For both of the scenarios above, I would like Azure AD B2C to handle the password reset by asking the user for their email and then emailing them the password reset link and then handling the password reset appropriately. How can I do this?
There are two use cases for password reset:
If you click on the link in the signup / signin page, you get the error code AADB2C90118 which is returned to your application. Your application then needs to run a specific user flow that resets the password. Refer a simple ASP.NET sample that demonstrates the linking of the user flows.
If the user has already signed in, you can simply provide a link. This link invokes the password reset policy that is configured on the B2C side.
Related
Setup Overview
I am using B2C custom policies for sign-in flow in react application using msal-react and msal-browser packages. The user is able to log in properly for the first time after entering credentials. Now when the user clicks logout, B2C logout popup shows up and it goes away instantly without asking the user to choose an account which is expected because the user is signed in with only a single account. The user is redirected properly.
Doc followed - [https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md
Issue
After successful logout, which seems to be happening properly as the UnAuthenticated template executes after login. When the user presses login again, it does not ask for any credentials, and user is signed in again which is a security issue. I am not sure what am I missing now. I have gone through all the MS docs multiple times and GitHub issues but did not find a solution
Flow:
Before First login - Session Storage and Cookies are empty,
After login - Session Storage has values and Cookies have 2 entries - x-ms-cpim-sso and x-ms-cpim-csrf
After logout - Both are cleared with no values
Click login again, values from step 2 come back in. But if you don't click login and try different app routes, it shows Unauthenticated template which has login button. So seems like user was correctly logged out
A few questions and helpful information
Is azure ad B2C considered as social sign in (federated entity) or is it considered a local account like Azure AD
I have read here that it does not assume logout from social IDP but I am not using anything other than B2C. In this GitHub, it also mentioned it is expected behaviour but how do I logout properly so that user is asked for credentials again. [https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2547
After pressing logout, if user is signed out from B2C as the app executes Unauthenticated template instead of Authenticated, how is it able to sign in again without any credentials.
Please guide me to solve this issue
I have an expo (react-native) app and use the expo-local-authentication library to authenticate users to the app.
My current flow looks like this:
At first login, when the user logs into the app or signs up, I store the username and password in expo-secure-store.
Once the user session expires, and the user clicks the button that says "Login with Biometrics", I look into the secure store and see if there is a previously stored credential (username and password), then I authenticate the user with those credentials, and get the authentication token. The authentication token is then used to call other endpoints.
One user reported the following issue with this:
User A logs into the app for the first time. Their username and password (usernameOfA, passwordOfA) gets stored in the secure store.
The next time User A logs into the app with biometrics, we use their stored credential to log in, which works as expected.
Let's say, User B logs into the app from the same device as User A. Now, the username and password (usernameOfB, passwordOfB) gets stored in the secure store and replaces the credential of User A.
User B does their thing and logs out of the app. But here our secure store still has the credential of User B.
When User A comes back and logs in to the app with their biometrics, because credential of User B is still stored in our secure store, the account of User B gets logged in, instead of User A.
PS.
We could remove the username and password of user from the secure store when the user logs out of the app, but we want users to be able to login again with biometrics even after they logout of the app.
Also, we logout user everytime they close the app, so if we remove the credential on every logout we wouldn't be able to login user with biometrics the next time.
I seem to have not understood the flow of implementing biometrics. What other information should I include to distinguish the correct user is logging in to the app? Or is there a different way to authenticate users with biometrics? I am looking to understand more about the flow and would appreciate any recommendations or resources. Thank you.
I'm using okta to sign-in to my react based web application. There is an edit action within the app that requires the user to re-enter his password. I've checked the docs and couldn't find anything similar. The closest I got to was the 're-authenticate' user part. However, that's only based on time. I want to achieve similar functionality based on an event(say, button click). Can I do this using refresh tokens? (I'm not clear about the whole idea of refresh token). Is there a workaround or a specific okta API that allows me to do this?
I have contacted Okta support and they advised me to use the Okta MFA factors(OTP to email/phone, Google Auth etc.) and not to prompt the user to enter a password.
MFA Factors API: https://developer.okta.com/docs/reference/api/factors/
I have a React Native app that uses Okta's hosted login page to authenticate.
When a user successfully authenticates for the first time through the PKCE flow, on every other login afterwards, they get automatically logged in as the same user.
I've used additionalParameters: { prompt: 'login' }, but it only asks for you to re enter your password and if you click signout, it brings you to a Citrix page that doesn't change anything about the flow - they still get logged back in as the same user after the fact.
I've tried using both the revoke and logout endpoints which actually changes the cookies a bit, but doesn't affect the flow same goes with restarting the app.
The only way is to clear hardware settings in xcode.
This may not even be an Okta specific issue, perhaps a general OIDC issue.
How does the hosted login page store and know you've previously logged in and how can that be fixed?
Is it possible to achieve Azure Active Directory authentication without going to browser window? I will have username and password via the mobile app login interface.
I need to achieve below scenario:
Use open mobile application (ios/android)
Enter Azure AD username and password to app login screen - e.g. user#tenant.onmicrosoft.com & password
I pass those information to .net web service - which need to call some Azure AD api to validate user credential before proceed to perform other business logic/make database calls
Any recommendation? I DON'T want user to redirect to any login window/page as this will not be good user experience.
I have already checked few different articles but not satisfactory response yet.
Thank you for your time.
I believe below link is helpful.
http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/