Azure AD and B2C Custom Policy: when a user tries to log in using a bookmarked link (signed out or signed in), OnTicketReceived does not get called to update the authorization endpoint

ddpp 1 Reputation point
2022-09-20T17:44:32.197+00:00

Hi,

Here is what the structure looks like:

Local Account
Azure AD
B2C Custom Policy
SPA react app
Backend Azure functions
Event OnTicketReceived - the handler for the OnTicketReceived event generates the code verifier, code challenge, and state parameters and creates an authorize endpoint URL in the Startup.cs file

When the user tries to log in using the bookmarked sign-out or sign-in link, which looks like this:
https://orgdomainb2c.b2clogin.com/orgdomainb2c.onmicrosoft.com/b2c_1a_signin_email/oauth2/v2.0/authorize?.....), the handler for the OnTicketReceived event does not get called to generate the authorize endpoint, and the user ends up on the application front page without signing in, with an error that shows some correlation ID.

How can I force the bookmarked URL to redirect to the https://MyCompany.com/home to start a fresh flow of authentication and authorization?

Thanks,
DP

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-09-22T00:02:31.553+00:00

    Hi @ddpp ,

    Thanks for your post! This is a known issue with OpenID Connect, as this is a scenario that the middleware does not handle. When users bookmark the login page you need to handle this in your client, typically by re-issuing the authorize request.

    One solution (as shared on GitHub) is to add the following on the authenticating client application where the OpenID Connect middleware is configured:

    // Wire the handler into the OpenID Connect options (inside AddOpenIdConnect).
    options.Events.OnRemoteFailure = RemoteAuthFail;

    // Called by the middleware when the callback cannot be correlated with a
    // pending challenge (for example, a bookmarked authorize URL).
    private Task RemoteAuthFail(RemoteFailureContext context)
    {
        // Send the user to an error page instead of surfacing the exception.
        context.Response.Redirect("/Home/AuthError");
        // Tell the middleware the response has been handled so it does not rethrow.
        context.HandleResponse();
        return Task.CompletedTask;
    }

    Another solution is to catch the exception and check whether the request path is /sign-in-oidc (the redirect URI). If it is, redirect to any page that requires authentication, such as the home page. If it is not, handle the exception normally.

    There are also some alternative solutions and additional details offered in this thread.

    Additional resources:

    Correlation failed due to bookmarked login page
    How to redirect during OnTicketReceived
    Redirect in OIDC middleware


    If the information helped you, please Accept the answer. This will help us and other community members as well.
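The two approaches above combined into one ASP.NET Core client, as an added example that is not from the thread or from Microsoft's samples: the OnRemoteFailure handler checks whether the failure arrived on the callback path (the answer's "/sign-in-oidc"; the ASP.NET Core default is `/signin-oidc`) and, if so, redirects to a page that requires authentication so a fresh challenge with new state, nonce and PKCE values is issued, which is what a bookmarked authorize URL can never supply. Everything else falls through to the error page. The authority, client id and the `/home` and `/Home/AuthError` routes are placeholders; the code assumes the Microsoft.AspNetCore.Authentication.OpenIdConnect package.

```csharp
// Added example (not the thread's code): handle a bookmarked B2C authorize URL
// by restarting the sign-in flow instead of showing a correlation error.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Placeholder tenant/policy values; take the real ones from your B2C tenant.
        options.Authority = "https://orgdomainb2c.b2clogin.com/orgdomainb2c.onmicrosoft.com/b2c_1a_signin_email/v2.0";
        options.ClientId = "<client-id>";
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.UsePkce = true;                // code_verifier/code_challenge are created per challenge
        options.CallbackPath = "/signin-oidc"; // the redirect URI path (ASP.NET Core default)
        options.SaveTokens = true;

        options.Events.OnRemoteFailure = context =>
        {
            // A bookmarked authorize URL sends the user through B2C and back to the
            // callback with a 'state' that matches no pending challenge, so the
            // middleware raises a remote failure (e.g. "Correlation failed.") and
            // OnTicketReceived is never reached.
            bool atCallback = context.Request.Path.StartsWithSegments(context.Options.CallbackPath);

            if (atCallback)
            {
                // Restart the flow: an unauthenticated request to a protected page
                // triggers a brand-new authorize request with fresh state/nonce/PKCE.
                context.Response.Redirect("/home");
            }
            else
            {
                // Any other remote failure is a genuine error; show the error page.
                context.Response.Redirect("/Home/AuthError");
            }

            // Stop the middleware from rethrowing the failure.
            context.HandleResponse();
            return Task.CompletedTask;
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Protected page: reaching it unauthenticated issues a fresh challenge.
app.MapGet("/home", () => "Signed in.").RequireAuthorization();

// Error page for failures that are not the stale-callback case.
app.MapGet("/Home/AuthError", () => Results.Text("Sign-in failed. Please try again from the home page."));

app.Run();
```

The path check is deliberately done on `context.Options.CallbackPath` rather than a hard-coded string so it stays correct if the redirect URI is changed in one place; if you also want to distinguish a stale callback from other callback errors, `context.Failure?.Message` carries the middleware's reason and can be logged before redirecting.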

