Azure B2C accounts still being created even when API Connector returns "ShowBlockPage" action

Logan Herzog 0 Reputation points
2024-02-08T14:41:33.0366667+00:00

I am using an Azure B2C Custom Policy and attempting to replicate the User Flow "After federating with an identity provider during sign-up" API Connector call. I am using sign-up/sign-in with phone, and after SMS code verification, I collect first and last name and send a request to a Flask API where I store the user information in a database table. The problem is that inside of this API endpoint, when I return "action": "ShowBlockPage", accounts are still created in Azure B2C, so I think I have the API call too late in the journey.

<TechnicalProfiles>
        <TechnicalProfile Id="LocalAccountInputNewPhoneNumber">
          <DisplayName>Phone</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="ContentDefinitionReferenceId">newPhoneNumber</Item>
            <Item Key="UserMessageIfClaimsTransformationInvalidPhoneNumber">Please enter a valid phone number and country code.</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
          </CryptographicKeys>
          <DisplayClaims>
            <DisplayClaim DisplayControlReferenceId="phoneVerificationControl" />
          </DisplayClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
            <OutputClaim ClaimTypeReferenceId="firstName" />
            <OutputClaim ClaimTypeReferenceId="lastName" />
            <OutputClaim ClaimTypeReferenceId="signInNames.phoneNumber" />
          </OutputClaims>
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="CombineCountryCodeAndNationalNumber" />
            <ValidationTechnicalProfile ReferenceId="AAD-UserUpdatePhoneNumberUsingObjectId" />
            <ValidationTechnicalProfile ReferenceId="REST-SignUp" />
          </ValidationTechnicalProfiles>
        </TechnicalProfile>
        <TechnicalProfile Id="LocalAccountSignUpWithLogonPhoneNumber">
          <DisplayName>Phone</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="ContentDefinitionReferenceId">phoneSignUp</Item>
            <Item Key="ClaimsProviderSelectionDisplayType">TextLink</Item>
            <Item Key="UserMessageIfClaimsTransformationInvalidPhoneNumber">Please enter a valid phone number and country code.</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
          </CryptographicKeys>
          <InputClaimsTransformations>
            <InputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
            <InputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
          </InputClaimsTransformations>
          <DisplayClaims>
            <DisplayClaim DisplayControlReferenceId="phoneVerificationControl" />
            <DisplayClaim ClaimTypeReferenceId="firstName" />
            <DisplayClaim ClaimTypeReferenceId="lastName" />
          </DisplayClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" />
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
            <OutputClaim ClaimTypeReferenceId="firstName" />
            <OutputClaim ClaimTypeReferenceId="lastName" />
            <OutputClaim ClaimTypeReferenceId="signInNames.phoneNumber" />
          </OutputClaims>
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="CombineCountryCodeAndNationalNumber" />
            <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonPhoneNumber" />
            <ValidationTechnicalProfile ReferenceId="REST-SignUp" />
          </ValidationTechnicalProfiles>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
        </TechnicalProfile>

<TechnicalProfile Id="REST-SignUp">
          <DisplayName>Determine if user already exists. If not, associate B2C info to customer info.</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="ServiceUrl">myapiurl/sign-up</Item>
            <Item Key="SendClaimsIn">Body</Item>
            <Item Key="AuthenticationType">Basic</Item>
            <Item Key="DefaultUserMessageIfRequestFailed">Failed API request.</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_BasicUsername" />
            <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_BasicPassword" />
          </CryptographicKeys>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="step" DefaultValue="PostAttributeCollection" AlwaysUseDefaultValue="true" />
            <InputClaim ClaimTypeReferenceId="issuer" DefaultValue="devdgb.onmicrosoft.com" AlwaysUseDefaultValue="true" />
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="{OIDC:ClientId}" AlwaysUseDefaultValue="true" />
            <InputClaim ClaimTypeReferenceId="policyId" DefaultValue="{Policy:PolicyId}" AlwaysUseDefaultValue="true" />
            <InputClaim ClaimTypeReferenceId="ipAddress" DefaultValue="{Context:IPAddress}" AlwaysUseDefaultValue="true" />
            <InputClaim ClaimTypeReferenceId="objectId" />
            <InputClaim ClaimTypeReferenceId="signInNames.phoneNumber" />
            <InputClaim ClaimTypeReferenceId="firstName" />
            <InputClaim ClaimTypeReferenceId="lastName" />
          </InputClaims>
        </TechnicalProfile>
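The Flask endpoint behind `REST-SignUp` is not shown in the question, so the following is an added, self-contained example (not the asker's code) of what such a handler needs to do: verify the Basic credentials that the `B2C_1A_BasicUsername`/`B2C_1A_BasicPassword` keys carry, check the `step` and the claims the profile sends (`objectId`, `signInNames.phoneNumber`, `firstName`, `lastName`), and signal the outcome in the format the caller understands. Two response contracts exist and are easy to confuse: a user-flow API connector reads `"action": "ShowBlockPage"` from an HTTP 200 body, while a custom-policy RESTful validation technical profile raises a validation error only from a non-2xx response (HTTP 409 with a `userMessage`) and does not interpret `action`. Note also that validation technical profiles run in the order listed, and a failing one stops those after it; in the snippet above `AAD-UserWriteUsingLogonPhoneNumber` precedes `REST-SignUp`, so the directory write has already happened by the time the API answers. The credentials, the in-memory "customer table", the claim-name keys in the JSON body, and the sample payload below are all constructed for this example.

```python
import base64
import hmac
import json

# Constructed stand-ins for the values stored in the B2C policy keys
# B2C_1A_BasicUsername / B2C_1A_BasicPassword (assumption: Basic auth as in REST-SignUp).
API_USERNAME = "b2c-connector"
API_PASSWORD = "example-basic-password"

# Constructed stand-in for the customer database table keyed by phone number.
KNOWN_CUSTOMERS = {"+15555550100": {"firstName": "Ada", "lastName": "Lovelace"}}

# Claims the REST-SignUp profile sends in the JSON body (assumption: the claim
# type ids are used verbatim as JSON keys, including the dotted one).
REQUIRED_CLAIMS = ("objectId", "signInNames.phoneNumber", "firstName", "lastName")


def basic_auth_header(user=API_USERNAME, password=API_PASSWORD):
    """Build the Authorization header B2C sends for AuthenticationType=Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def check_basic_auth(headers):
    """Constant-time comparison of the Basic credentials; False on any malformed input."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    return sep == ":" and hmac.compare_digest(user, API_USERNAME) \
        and hmac.compare_digest(password, API_PASSWORD)


def custom_policy_block(message, status=409):
    """Response shape a custom-policy RESTful validation profile turns into a
    validation error shown on the self-asserted page (non-2xx + userMessage)."""
    return status, {"version": "1.0.0", "status": status, "userMessage": message}


def user_flow_block(message):
    """Response shape a *user-flow* API connector reads; a custom policy ignores 'action'."""
    return 200, {"version": "1.0.0", "action": "ShowBlockPage", "userMessage": message}


def handle_sign_up(headers, body, user_flow=False):
    """Return (http_status, json_body) for one API connector / REST profile call."""
    block = user_flow_block if user_flow else custom_policy_block
    if not check_basic_auth(headers):
        # Never process claims from an unauthenticated caller.
        return 401, {"version": "1.0.0", "status": 401, "userMessage": "Unauthorized."}
    if body.get("step") != "PostAttributeCollection":
        return block("Unexpected step.")
    missing = [c for c in REQUIRED_CLAIMS if not body.get(c)]
    if missing:
        return block("Missing required information: " + ", ".join(missing))
    phone = body["signInNames.phoneNumber"]
    if phone in KNOWN_CUSTOMERS:
        # Rejecting an already-known customer; with REST-SignUp ordered after the
        # AAD write profile, the B2C account has nonetheless already been created.
        return block("An account already exists for this phone number.")
    KNOWN_CUSTOMERS[phone] = {
        "objectId": body["objectId"],
        "firstName": body["firstName"],
        "lastName": body["lastName"],
    }
    # A 2xx body is only mapped into claims the REST profile declares as OutputClaims.
    return 200, {"version": "1.0.0", "action": "Continue"}


if __name__ == "__main__":
    # Constructed sample payload mirroring the InputClaims of REST-SignUp.
    sample = {
        "step": "PostAttributeCollection",
        "issuer": "example.onmicrosoft.com",
        "client_id": "00000000-0000-0000-0000-000000000000",
        "policyId": "B2C_1A_signup_signin_phone",
        "ipAddress": "203.0.113.10",
        "objectId": "11111111-2222-3333-4444-555555555555",
        "signInNames.phoneNumber": "+15555550100",
        "firstName": "Ada",
        "lastName": "Lovelace",
    }
    print(json.dumps(handle_sign_up(basic_auth_header(), sample)))
    print(json.dumps(handle_sign_up({}, sample)))
```

Wiring `handle_sign_up` into Flask is a matter of passing `request.headers` and `request.get_json()` and returning `jsonify(body), status`; the function is kept framework-free so the decision logic can be unit-tested without a server.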

1 answer

Shweta Mathur 25,471 Reputation points Microsoft Employee
    2024-02-12T05:50:03.9633333+00:00


    Hi @Logan Herzog ,

    Thanks for reaching out.

    The "After federating with an identity provider during sign-up" API Connector call does not block the user from registering.

    An API connector at this step in the sign-up process is invoked immediately after the user authenticates with an identity provider (like Google, Facebook, and Microsoft Entra ID). This API connector uses the federated identity that the user provided to look up claims in an existing system, return those claims from the existing system, prefill the attribute collection page, and make them available to return in the token.

    This API connector can be used to implement an allow or blocklist based on social identity. This means that the API connector can be configured to allow or block users from signing up based on their social identity. For example, if a system wants to only allow users who have a Google account to sign up, the API connector can be configured to only allow users with a Google account to complete the sign-up process. Conversely, if a system wants to block users who have a Facebook account from signing up, the API connector can be configured to block users with a Facebook account from completing the sign-up process.

    If you are looking to create the user based on preconditions, then call "Before creating the user" API connector.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.
