Error Trying to Default Claims in Custom Policy during ROPC Flow.

Question

Error Trying to Default Claims in Custom Policy during ROPC Flow.

AdamKozmic-7665 60

I was able to get basic Resource Owner Password Credentials flow in my custom policy following along with https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-custom-policy. We're using ROPC for our QA automation.

Right now the UserJourney is the 3 steps

OpenIdConnect using {OIDC:defaults}
Read User using UserId
Send Claims

I was hoping to get a Just-in-time migration flow working with it (I have it working with Local Account sign-ins using a different policy). My understanding is I need to update the user journey orchestration steps to do this. So I plan to update accordingly.

Here's the new proposed flow

Read signInName and password from {OIDC:defaults}
Read User using signInName
If User doesn't exist by signInName, make a RESTFUL just-in-time migration call.
OpenIdConnect
Read User using UserId
Send Claims

Well, unfortunately I can't get past step 1. All I'm trying to do is to default the signInName and password claims to {OIDC:Username} and {OIDC:Password} respectively.

Here is my code:

and then the technical profile:

When I try to run the ROPC flow (which used to work before adding this orchestration step), I get an error, and application insights shows this:

{
"Kind": "FatalException",
"Content": {
"Time": "4:48 PM",
"Exception": {
"Kind": "Handled",
"HResult": "80004001",
"Message": "The method or operation is not implemented.",
"Data": {}
}

This seems like such a simple thing and I have no idea why its not working.

The only thought I had was that the {OIDC:Username} and {OIDC:Password} claims resolvers weren't implemented in Claims Transformation technical profiles? However, according to https://learn.microsoft.com/en-us/azure/active-directory-b2c/claims-transformation-technical-profile , using `` should take care of it.

Any help would be much appreciated.

Thanks!

-Adam

AdamKozmic-7665 60 Reputation points

2023-06-13T17:33:31.9+00:00
I did see one thing in the documentation at https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-custom-policy:

ROPC doesn’t work when there's any interruption to the authentication flow that needs user interaction. For example, when a password has expired or needs to be changed, multifactor authentication is required, or when more information needs to be collected during sign-in (for example, user consent).

I wouldn't consider this orchestration step to be "user interaction" or MFA or user consent or anything like that; however, I do wonder if ADB2C expects the very first orchestration step to be an OpenIDConnect technical profile call and it just won't let me run anything else?

This person had the exact same problem, but didn't look like they got a resolution : https://stackoverflow.com/questions/74408372/b2c-custom-policy-the-method-or-operation-is-not-implemented

1 answer

Your answer

AdamKozmic-7665 60 Reputation points

2023-06-13T17:33:31.9+00:00

I did see one thing in the documentation at https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-custom-policy:

ROPC doesn’t work when there's any interruption to the authentication flow that needs user interaction. For example, when a password has expired or needs to be changed, multifactor authentication is required, or when more information needs to be collected during sign-in (for example, user consent).

I wouldn't consider this orchestration step to be "user interaction" or MFA or user consent or anything like that; however, I do wonder if ADB2C expects the very first orchestration step to be an OpenIDConnect technical profile call and it just won't let me run anything else?

This person had the exact same problem, but didn't look like they got a resolution : https://stackoverflow.com/questions/74408372/b2c-custom-policy-the-method-or-operation-is-not-implemented

Answer 1

Hi @AdamKozmic-7665 ,

Thanks for reaching out.

Did you try to add technical profile for OIDC claims transformation?

<TechnicalProfile Id="GetOidcClaims">
  <DisplayName>Get OIDC claims</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="id_token" PartnerClaimType="id_token" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="password" PartnerClaimType="password" />
  </OutputClaims>
</TechnicalProfile>

and then tried to add that technical profile as first step in your user journey.

In the first step, the claim should come from a self-asserted technical profile or from REST API as the input claim needs to be present in the claims bag.

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

AdamKozmic-7665 60 Reputation points

2023-06-14T23:28:24.8666667+00:00

So the first step of a User Journey must be a self-asserted technical profile OR a REST API?

The first step ofI wanted to do a Just-In-Time migration before doing the login w/ OIDC, so I was hoping to default the Claims "signInName" and "password" from {OIDC:Username} and {OIDC:Password} and then continue on with the Journey. This way I have them and can look up the user to see if they are in need of migration before calling a migration endpoint, and then finally logging in w/ OIDC.

Share via

Error Trying to Default Claims in Custom Policy during ROPC Flow.

1 answer

Your answer