Share via

Azure B2C custom policy. How to check email domain with REST API on "Send verification code" button

Andrey Kuznetsov 65 Reputation points
2023-04-27T23:17:52.4833333+00:00 
Hi,
I am using starter custom policy XML files for social and MFA
I have created the REST API and called <ValidationTechnicalProfile ReferenceId="REST-ValidateProfile" /> from <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail"> to verify the email domain (server logic is needed). This works fine but the signup page calls my API when the "Create" button is clicked. But I need to call it when the "Send verification code" button is clicked. Is it possible to do?

Here is my code.

			<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
				<DisplayName>Email signup</DisplayName>
				<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
				<Metadata>
					<Item Key="IpAddressClaimReferenceId">IpAddress</Item>
					<Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
				</Metadata>
				<CryptographicKeys>
					<Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
				</CryptographicKeys>
				<InputClaims>
					<InputClaim ClaimTypeReferenceId="email" />
				</InputClaims>
				<OutputClaims>
					<OutputClaim ClaimTypeReferenceId="objectId" />
					<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
					<OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
					<OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
					<OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
					<OutputClaim ClaimTypeReferenceId="authenticationSource" />
					<OutputClaim ClaimTypeReferenceId="newUser" />
					<!-- Optional claims, to be collected from the user -->
					<OutputClaim ClaimTypeReferenceId="displayName" />
					<OutputClaim ClaimTypeReferenceId="givenName" />
					<OutputClaim ClaimTypeReferenceId="surName" />
				</OutputClaims>
				<ValidationTechnicalProfiles>
					<ValidationTechnicalProfile ReferenceId="REST-ValidateProfile" />
					<ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
				</ValidationTechnicalProfiles>
				<UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
			</TechnicalProfile>



	<ClaimsProvider>
		<DisplayName>REST APIs</DisplayName>
		<TechnicalProfiles>
			<TechnicalProfile Id="REST-ValidateProfile">
				<DisplayName>Check loyaltyId Azure Function web hook</DisplayName>
				<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
				<Metadata>
					<Item Key="ServiceUrl">https://myapiservice.com/api/EmailDomainVerification</Item>
					<Item Key="SendClaimsIn">QueryString</Item>
					<Item Key="AuthenticationType">None</Item>
					<Item Key="AllowInsecureAuthInProduction">true</Item>
					<Item Key="DebugMode">true</Item>
				</Metadata>
				<InputClaims>
					<InputClaim ClaimTypeReferenceId="email" />
					<InputClaim ClaimTypeReferenceId="extension_siteid" />
				</InputClaims>
				<OutputClaims>
					<OutputClaim ClaimTypeReferenceId="isAllowedEmail" />
					<OutputClaim ClaimTypeReferenceId="errorMessage" />
				</OutputClaims>
				<OutputClaimsTransformations>
					<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
					<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
				</OutputClaimsTransformations>
				<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
			</TechnicalProfile>
		</TechnicalProfiles>
	</ClaimsProvider>
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,004 questions

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. James Hamil 22,776 Reputation points Microsoft Employee
    2023-04-28T19:17:24.4866667+00:00

    Hi @Andrey Kuznetsov , to call your REST API when the "Send verification code" button is clicked, you can modify the technical profile responsible for sending the verification code. In your case, you should modify the sendOtp technical profile in the RestfulProvider claims provider.

    Here's an example of how to modify the sendOtp technical profile to call your REST API for email domain verification:

    <TechnicalProfile Id="sendOtp">
  <DisplayName>Use email API to send the code to the user and verify email domain</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://myapiservice.com/api/EmailDomainVerification</Item>
    <Item Key="AuthenticationType">Basic</Item>
    <Item Key="SendClaimsIn">Body</Item>
    <Item Key="ClaimUsedForRequestPayload">emailRequestBody</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_MailjetApiKey" />
    <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_MailjetSecretKey" />
  </CryptographicKeys>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="GenerateEmailRequestBody" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="emailRequestBody" />
  </InputClaims>
</TechnicalProfile>

    This modification will call your REST API for email domain verification when the "Send verification code" button is clicked. Make sure to update the ServiceUrl, AuthenticationType, and other metadata items as needed to match your API configuration.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark it as "Verified" so other users can reference it.

    Thank you,

    James

    0 comments
  2. Andrey Kuznetsov 65 Reputation points
    2023-04-29T22:16:45.07+00:00

    Hi James,

    Thanks for your answer. But it is not what I am looking for. Your solution is dividing the SignUpSignIn page into two pages with one-by-one access. Email input page and then password input. Currently, they are on a single page only (on my attached image). Okay, it would work here but we have several places with the same "email input" controls, like changing profile, changing email, and so on. And now I have to implement the same "divided" page in all places.

    In my SignUpSignIn form, the user name is email.

    Thanks!

    Image 575x813

    0 comments
  3. Andrey Kuznetsov 65 Reputation points
    2023-04-30T18:00:58.2766667+00:00

    Hi James,

    What could help is the ability to insert a variable/custom attribute into the RegularExpression in a custom policy xml file, for example, into TrustFrameworkBase.xml. Like this: Pattern RegularExpression="xxxxxx***{emailDomain}xxxxxx***". But I have not found a proper syntax. Is it possible to do?