Is there a bug with "Force Password Reset" in a User flow with the SamePassword check?

AdamKozmic-7665 60 Reputation points
2023-04-14T16:45:56.4233333+00:00

I think I found a pretty serious bug when working through https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset and I thought I must have done something wrong; however, when I use a standard "User Flow" of type "SignUp and SignIn" I see the exact same behavior. The problem is that the UI claims to verify that your new password is not the same as the old one, and it does indeed prevent you from continuing, but if you exit out and re-run the user flow (try logging in again) using your old password, it passes through. It's like the act of entering the correct password (even if it's the same as the old one) will mark the password as not expired internally, and only stop you from continuing once.

Steps to Reproduce

  • Create a new User Flow of type "Sign Up and Sign In" with Recommended Settings, enabling "Email signup" for local accounts.
  • Go to Properties -> Password Configuration and check the box that says "Forced Password Reset" and click Save.
  • Go to Users, find a user you can test with, click on them, and then click "Reset Password". Confirm and copy the temp password for future reference.
  • Run the User Flow and log in with your new temp password. Notice that AzureADB2C will kick you to a screen that says "Your password has expired, please change to a new password."
  • Enter your temp password into all 3 fields ("Current Password", "New Password" and "Confirm New Password"), then click "Continue".
  • Notice that you get a red error message on the screen saying "Please enter a different password."
  • Now close the tab/browser and go run the same User Flow again. My expectation would be that logging in with the same password should not work because you never actually reset it.
  • Log in as the user with the same password. Notice it passes through to the OIDC token exchange.
    • This is incorrect behavior, and I would argue pretty serious. The old password should still be expired. You never reset it. In this way, end users can easily bypass needing to reset their passwords.
Microsoft Security | Microsoft Entra | Microsoft Entra External ID

2 answers

  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-04-19T15:55:05.0833333+00:00

    Hi @AdamKozmic-7665, thanks for reaching out and sharing your feedback with us.

    I have tried to repro the steps as mentioned above and am getting the same results as you described.

    However, this is the expected behavior of password reset.

    Whenever an admin resets the password of a user, the user will be required to change the password during the next sign-in.

    As the user provided the same password as the new password, which is not allowed, they get the error "Please enter a different password."

    As the password has not been reset, the same temporary password is still accepted the next time the user signs in, and the user is again forced to reset the password.


    Hope this answers your query. If you have any other questions, please let us know.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

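    The lifecycle the moderator describes, replayed as a small model: an admin reset stores the temporary password and sets a force-change flag; the flag is only cleared by a successful password change, so a change rejected for reusing the current password leaves both the temporary password and the flag in place. This is an added, constructed example written for this thread, not Azure AD B2C's implementation; the class and attribute names (Directory, force_change_next_sign_in), the hashing choice and the sample account and passwords are all assumptions.

```python
# Constructed model of the forced-password-reset lifecycle discussed above.
# Illustrative code added to this thread; not Azure AD B2C's code. All names
# (Directory, User, force_change_next_sign_in) and sample values are assumed.
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stand-in for whatever the real directory uses for storage.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    salt: bytes
    password_hash: bytes
    force_change_next_sign_in: bool = False  # the flag the user flow consults


class Directory:
    """Minimal directory with the three operations the thread exercises."""

    def __init__(self) -> None:
        self._users: dict[str, User] = {}

    def create_user(self, upn: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[upn] = User(salt, _hash_password(password, salt))

    def _verify(self, user: User, password: str) -> bool:
        candidate = _hash_password(password, user.salt)
        return hmac.compare_digest(user.password_hash, candidate)

    def admin_reset(self, upn: str, temp_password: str) -> None:
        # Portal "Reset Password": store the temp password and set the flag.
        user = self._users[upn]
        user.salt = os.urandom(16)
        user.password_hash = _hash_password(temp_password, user.salt)
        user.force_change_next_sign_in = True

    def sign_in(self, upn: str, password: str) -> str:
        user = self._users.get(upn)
        if user is None or not self._verify(user, password):
            return "denied"
        if user.force_change_next_sign_in:
            # The "Your password has expired" page: no token is issued here.
            return "password_change_required"
        return "token_issued"

    def change_password(self, upn: str, current: str, new: str) -> str:
        user = self._users[upn]
        if not self._verify(user, current):
            return "wrong_current_password"
        if self._verify(user, new):
            # "Please enter a different password." Nothing is stored, so the
            # temp password stays valid and the flag stays set.
            return "same_as_current"
        user.salt = os.urandom(16)
        user.password_hash = _hash_password(new, user.salt)
        user.force_change_next_sign_in = False  # only a real change clears it
        return "changed"


def reproduce_thread() -> list:
    """Replay the sequence from the question and return each outcome."""
    d = Directory()
    upn = "adam@contoso.example"  # constructed account and passwords
    d.create_user(upn, "OriginalPw!1")
    d.admin_reset(upn, "TempPw!2")
    return [
        d.sign_in(upn, "TempPw!2"),                       # change required
        d.change_password(upn, "TempPw!2", "TempPw!2"),   # rejected as same
        d.sign_in(upn, "TempPw!2"),                       # still required, no token
        d.change_password(upn, "TempPw!2", "NewPw!3"),    # accepted, flag cleared
        d.sign_in(upn, "TempPw!2"),                       # temp password now gone
        d.sign_in(upn, "NewPw!3"),                        # token issued
    ]


if __name__ == "__main__":
    for outcome in reproduce_thread():
        print(outcome)
```

    The third outcome is the one the question hinges on: re-entering the temporary password after a rejected change lands on the change-password page again rather than at the token exchange, which is what the expected behavior looks like when the flag is keyed to a successful change rather than to a successful sign-in.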

  2. AdamKozmic-7665 60 Reputation points
    2023-04-20T16:53:37.22+00:00

    @Shweta Mathur ahhh that makes sense for the temp password. I will try it with just an expired password this afternoon to see if I see the same behavior. That would be a bigger issue as the password has truly expired, it's no longer available. Thanks -Adam

