B2C password reset custom policy with REST API call issue

Question

B2C password reset custom policy with REST API call issue

Vikas Tiwari 771

I am using password reset custom policy which calls REST API to execute some additional password complexity, when I try to change password it gets stuck with message "Please wait while we process your information." (img attached).

Following are my policy details (I took reference from here):

   <ClaimType Id="oldPassword">  
   <DisplayName>Old Password</DisplayName>  
   <DataType>string</DataType>  
   <UserHelpText>Enter your old password</UserHelpText>  
   <UserInputType>Password</UserInputType>  
      </ClaimType>  
   <ClaimType Id="newPassword">  
   <PredicateValidationReference Id="CustomPassword" />  
   </ClaimType>  
   <ClaimType Id="reenterPassword">  
   <PredicateValidationReference Id="CustomPassword" />  
   </ClaimType>  
   <ClaimType Id="isPasswordHistoryValid">  
        <DisplayName>isPasswordHistoryValid</DisplayName>  
        <DataType>boolean</DataType>  
        <AdminHelpText>isPasswordHistoryValid</AdminHelpText>  
        <UserHelpText>isPasswordHistoryValid</UserHelpText>  
      </ClaimType>  
   <ClaimType Id="userMessage">  
        <DataType>string</DataType>  
        <UserHelpText>Add help text here</UserHelpText>  
        <UserInputType>Paragraph</UserInputType>  
      </ClaimType>  
  
 <ClaimsProvider>  
 <DisplayName>Local Account SignIn</DisplayName>  
 <TechnicalProfiles>  
        <TechnicalProfile Id="login-NonInteractive-PasswordChange">  
          <DisplayName>Local Account SignIn</DisplayName>  
          <InputClaims>  
            <InputClaim ClaimTypeReferenceId="oldPassword" PartnerClaimType="password" Required="true" />  
          </InputClaims>  
          <IncludeTechnicalProfile ReferenceId="login-NonInteractive" />  
        </TechnicalProfile>  
      </TechnicalProfiles>  
    </ClaimsProvider>  
 <ClaimsProvider>  
    <DisplayName>Local Account Password Change</DisplayName>  
    <TechnicalProfiles>  
      <TechnicalProfile Id="LocalAccountWritePasswordChangeUsingObjectId">  
        <DisplayName>Change password (username)</DisplayName>  
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />  
        <Metadata>  
          <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>  
        </Metadata>  
        <InputClaims>  
          <InputClaim ClaimTypeReferenceId="objectId" />  
        </InputClaims>  
        <OutputClaims>  
          <OutputClaim ClaimTypeReferenceId="oldPassword" Required="true" />  
          <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />  
          <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />  
        </OutputClaims>  
        <ValidationTechnicalProfiles>  
          <ValidationTechnicalProfile ReferenceId="login-NonInteractive-PasswordChange" />  
   <ValidationTechnicalProfile ReferenceId="REST-PasswordHistory" ContinueOnError="false">  
 <Preconditions>  
                <Precondition Type="ClaimsExist" ExecuteActionsIf="true">  
                  <Value>isPasswordHistoryValid</Value>  
                  <Value>False</Value>  
                  <Action>SkipThisValidationTechnicalProfile</Action>  
                </Precondition>  
             </Preconditions>  
          </ValidationTechnicalProfile>  
          <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId" ContinueOnError="false" />  
        </ValidationTechnicalProfiles>  
      </TechnicalProfile>  
    </TechnicalProfiles>  
  </ClaimsProvider>  
 <ClaimsProvider>  
      <DisplayName>Custom REST API</DisplayName>  
      <TechnicalProfiles>  
    <TechnicalProfile Id="REST-PasswordHistory">  
          <DisplayName>Validate password history via custom API</DisplayName>  
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />  
          <Metadata>  
            <Item Key="ServiceUrl">https://apiendpoint</Item>  
            <Item Key="SendClaimsIn">Body</Item>  
            <Item Key="AllowInsecureAuthInProduction">false</Item>  
          </Metadata>  
          <InputClaims>  
            <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="userId" />  
            <InputClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="Password" />  
 <InputClaim ClaimTypeReferenceId="oldPassword" PartnerClaimType="oldPassword" />  
          </InputClaims>  
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />  
        </TechnicalProfile>  
   </TechnicalProfiles>  
    </ClaimsProvider>  
 <ClaimsProvider>  
      <DisplayName>Self-Asserted</DisplayName>  
      <TechnicalProfiles>  
        <TechnicalProfile Id="SelfAsserted-PasswordResetError">  
          <DisplayName>Password reset error message</DisplayName>  
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />  
          <Metadata>  
            <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>  
          </Metadata>  
          <InputClaimsTransformations>  
            <InputClaimsTransformation ReferenceId="PasswordResetErrorMessage" />  
          </InputClaimsTransformations>  
          <InputClaims>  
            <InputClaim ClaimTypeReferenceId="isPasswordHistoryValid" />  
            <InputClaim ClaimTypeReferenceId="userMessage" />  
          </InputClaims>  
          <OutputClaims>  
            <OutputClaim ClaimTypeReferenceId="isPasswordHistoryValid" />  
            <OutputClaim ClaimTypeReferenceId="userMessage" />  
          </OutputClaims>  
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />  
        </TechnicalProfile>  
      </TechnicalProfiles>  
    </ClaimsProvider>  
  
 <UserJourneys>  
 <UserJourney Id="PasswordChange">  
    <OrchestrationSteps>  
       <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.signuporsignin">  
          <ClaimsProviderSelections>  
            <ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninEmailExchange" />  
          </ClaimsProviderSelections>  
        </OrchestrationStep>  
        <OrchestrationStep Order="2" Type="ClaimsExchange">  
          <ClaimsExchanges>  
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />  
          </ClaimsExchanges>  
        </OrchestrationStep>  
        <OrchestrationStep Order="3" Type="ClaimsExchange">  
          <ClaimsExchanges>  
            <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordChangeUsingObjectId" />  
          </ClaimsExchanges>  
        </OrchestrationStep>  
 <OrchestrationStep Order="4" Type="ClaimsExchange">  
          <ClaimsExchanges>  
            <ClaimsExchange Id="SelfAsserted-PasswordResetError" TechnicalProfileReferenceId="SelfAsserted-PasswordResetError" />  
          </ClaimsExchanges>  
        </OrchestrationStep>  
        <OrchestrationStep Order="5" Type="ClaimsExchange">  
          <ClaimsExchanges>  
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />  
          </ClaimsExchanges>  
        </OrchestrationStep>  
        <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />  
    </OrchestrationSteps>  
    <ClientDefinition ReferenceId="DefaultWeb" />  
   </UserJourney>  
  </UserJourneys>

Also, if I try to comment REST api call then change password button redirects to 500 error.

Could you review and help me to find the root cause here?

Thanks,
Vikas Tiwari

AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-02-04T11:30:38.14+00:00

@Vikas Tiwari · I need to test it out and it might take some time. I will try and share my findings.

1 answer

Your answer

AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-02-04T11:30:38.14+00:00

@Vikas Tiwari · I need to test it out and it might take some time. I will try and share my findings.

Answer 1

Hi @AmanpreetSingh-MSFT , I have found the issue your github repo is all correct I missed AuthenticationType while calling API, now its able to send request to API.

Though for invalid password scenario (when my API return invalid new password response) It doesn't show error message on screen, below are my technical profile and user journey:

<ClaimsProvider>  
    <DisplayName>Local Account Password Change</DisplayName>  
    <TechnicalProfiles>  
      <TechnicalProfile Id="LocalAccountWritePasswordChangeUsingObjectId">  
        <DisplayName>Change password (username)</DisplayName>  
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />  
        <Metadata>  
          <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>  
        </Metadata>  
        <InputClaims>  
          <InputClaim ClaimTypeReferenceId="objectId" />  
        </InputClaims>  
        <OutputClaims>  
          <OutputClaim ClaimTypeReferenceId="oldPassword" Required="true" />  
          <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />  
          <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />  
        </OutputClaims>  
        <ValidationTechnicalProfiles>  
		<ValidationTechnicalProfile ReferenceId="login-NonInteractive-PasswordChange" />  
		  <ValidationTechnicalProfile ReferenceId="REST-PasswordHistory" ContinueOnError="false" />  
          <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId" ContinueOnError="false">  
			<Preconditions>  
                <Precondition Type="ClaimEquals" ExecuteActionsIf="true">  
                  <Value>isPasswordHistoryValid</Value>  
                  <Value>False</Value>  
                  <Action>SkipThisValidationTechnicalProfile</Action>  
                </Precondition>  
             </Preconditions>  
          </ValidationTechnicalProfile>  
        </ValidationTechnicalProfiles>  
      </TechnicalProfile>  
    </TechnicalProfiles>  
  </ClaimsProvider>  
<ClaimsProvider>  
      <DisplayName>Custom REST API</DisplayName>  
      <TechnicalProfiles>  
	   <TechnicalProfile Id="REST-PasswordHistory">  
          <DisplayName>Validate password history via custom API</DisplayName>  
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />  
          <Metadata>  
            <Item Key="ServiceUrl">Https://apiendpoint.com</Item>  
            <Item Key="SendClaimsIn">Body</Item>  
	    <Item Key="AuthenticationType">None</Item>  
            <Item Key="AllowInsecureAuthInProduction">true</Item>  
          </Metadata>  
          <InputClaims>  
            <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="userId" />  
            <InputClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="Password" />  
	    <InputClaim ClaimTypeReferenceId="oldPassword" PartnerClaimType="oldPassword" />  
          </InputClaims>    
          <OutputClaims>  
            <OutputClaim ClaimTypeReferenceId="isPasswordHistoryValid" DefaultValue="false" />  
          </OutputClaims>  
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />  
        </TechnicalProfile>  
	  </TechnicalProfiles>  
    </ClaimsProvider>  
   <UserJourney Id="PasswordChange">  
    <OrchestrationSteps>  
       <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.signuporsignin">  
          <ClaimsProviderSelections>  
            <ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninEmailExchange" />  
          </ClaimsProviderSelections>  
        </OrchestrationStep>  
        <OrchestrationStep Order="2" Type="ClaimsExchange">  
          <ClaimsExchanges>  
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />  
          </ClaimsExchanges>  
        </OrchestrationStep>  
        <OrchestrationStep Order="3" Type="ClaimsExchange">  
          <ClaimsExchanges>  
            <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordChangeUsingObjectId" />  
          </ClaimsExchanges>  
        </OrchestrationStep>  
		<OrchestrationStep Order="4" Type="ClaimsExchange">  
          <Preconditions>  
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">  
              <Value>isPasswordHistoryValid</Value>  
              <Value>True</Value>  
              <Action>SkipThisOrchestrationStep</Action>  
            </Precondition>  
          </Preconditions>  
          <ClaimsExchanges>  
            <ClaimsExchange Id="SelfAsserted-PasswordResetError" TechnicalProfileReferenceId="SelfAsserted-PasswordResetError" />  
          </ClaimsExchanges>  
        </OrchestrationStep>  
        <OrchestrationStep Order="5" Type="ClaimsExchange">  
          <ClaimsExchanges>  
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />  
          </ClaimsExchanges>  
        </OrchestrationStep>  
        <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />  
    </OrchestrationSteps>  
    <ClientDefinition ReferenceId="DefaultWeb" />  
   </UserJourney>

Vikas Tiwari 771 Reputation points

2021-02-08T03:32:45.987+00:00

Hi @AmanpreetSingh-MSFT , I have fixed the issue summarizing here so that it may help someone.

1) Github repo link that you have provided (here) is working fine and able to make API calls.

2) I was not getting API errors and later I found documentation (here) which has clearly mentioned format and required fields to display API errors into b2c.

These 2 points fixed the issue and working as expected now.

Thanks for your help.

Vikas Tiwari
Shashi Shailaj 7,631 Reputation points Microsoft Employee Moderator

2021-02-08T09:20:27.89+00:00

@Vikas Tiwari ,

Thank you vikas for sharing your findings and answering the question for the benefit of the community . We appreciate your participation and would request you to accept the post as answer which would improve the relevancy of query and will make this more searchable for anyone in community with similar questions.

Share via

B2C password reset custom policy with REST API call issue

1 answer

Your answer