Azure AD B2C Sign in user flow doesn't call API connector

Question

Azure AD B2C Sign in user flow doesn't call API connector

Jakub Pernica 220

I have a user flow in my Azure AD B2C for sign in. I also specified an API connector which is called before including claims:

User's image

Everything works correctly when I sign in, it calls my API connector, include the custom claims. However, one problem appears when I don't sign in normally, but instead I click "Forgot password" option on the Sign In page, verify my email address, create new password and then it signs me in. But before signing, this time it doesn't call my API connector, so it doesn't include the custom claims I need. Is this behavior caused by some misconfiguration or bug of this "preview" feature?

Thanks

Accepted answer

0 additional answers

Your answer

Answer 1

Shweta Mathur 30,296 Microsoft Employee Moderator

Hi @Jakub Pernica ,

When a user resets their password, Azure AD B2C uses a different user flow than the one used for sign-in. Therefore, if you have configured an API connector to be called before including claims in your sign-in user flow, it will not be called during the password reset user flow. This is because the password reset process is a separate flow from the sign-in flow.

To include custom claims during the password reset process, you can use a custom policy instead of a user flow. With a custom policy, you can define the user journey and include API connectors at any step in the journey, including during password reset.

Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-api-connector?pivots=b2c-user-flow

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Jakub Pernica 220 Reputation points

2023-12-22T08:11:32.1066667+00:00

Thanks for your answer! Actually, are you sure that when I click Forgot Password during my Sign In user flow that it is a separate flow? From doc:

The new password reset experience is now part of the sign-up or sign-in policy. When the user selects the Forgot your password? link, they are immediately sent to the Forgot Password experience. Your application no longer needs to handle the AADB2C90118 error code, and you don't need a separate policy for password reset.

When I click Forgot password, I can also see the URL in such format:
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/B2C_1_defaul_signin/api/CombinedSigninAndSignup/unified?claimsexchange=ForgotPassword.........

It seems to indicate that the forgot password flow is still inside the sign in flow or I'm interpreting it wrong?
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-12-22T08:18:00.0966667+00:00
Jakub Pernica

There are three places in a user flow where you can enable an API connector:

After federating with an identity provider during sign-up - applies to sign-ups experiences only

Before creating the user - applies to sign-ups experiences only

Before sending the token (preview) - applies to sign-ups and sign-ins

When you click on "Forgot your password?", this takes you on a different flow. Not sign-up or sign-in.
Jakub Pernica 220 Reputation points

2023-12-22T08:27:16.2166667+00:00

Could you please elaborate then what does this mean from the documentation?

The new password reset experience is now part of the sign-up or sign-in policy. ... and you don't need a separate policy for password reset.

Does that refer to something else?
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-12-22T09:27:51.3333333+00:00

Jakub Pernica

Earlier when we click on Forgot password, the error will generate which needs to handle at our end, but now during sign up /sign in flow, forgot password is with the flow (or you can say part of user journey) and do not require to handle separately.

With API connector, the flow is only applicable to Sign up / Sign in. So, you can say here forgot password is part of sign up/sign in journey, but different flow and API connector applies to sign up/sign in only.

Thanks,

Shweta
Jakub Pernica 220 Reputation points

2023-12-22T09:48:20.7933333+00:00

Thank you very much for swift response! One last clarifying question. If I need to use custom policies for the "Reset password" policy to include some API connector calls, do I need to define a "Reset password" custom policy AND "sign in" custom policy, or is it possible to have only "Reset password" custom policy and user flow Sign in that I could reference to the custom reset password policy when user clicks Forgot password?
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-12-26T05:24:42.85+00:00

Jakub Pernica

You can use a single custom policy for both sign-in and password reset flows. You can define a boolean claim in the claims schema to indicate that the user has selected the "Forgot your password?" link. You can then use this claim to direct the user journey to the "Reset Password" technical profile. The claim can also be issued to the token, so the application detects that the user signed in by using the Forgot Password user flow.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy

Share via

Azure AD B2C Sign in user flow doesn't call API connector

0 additional answers

Your answer