Azure b2c Custom Policies Error Message

Miguel Gregório 21 Reputation points
2020-11-28T23:47:43.567+00:00

Hi !

I programmed the b2c customized policies and I am currently defining the error messages. However, the login error message displays a message that does not count in the standard messages: https://learn.microsoft.com/en-us/azure/active-directory-b2c/localization-string-ids

The message is: The username or password provided in the request are invalid.

I used the strarter pack policies (local account).
If the credentials are correct, no problems arises.

how can i change this message?

Thanks!!
43483-capture.png

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,678 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,849 questions
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,336 Reputation points
    2020-11-30T14:55:10.203+00:00

    Hi @Miguel Gregório · Thank you for sharing the required information.

    By investigating into it, I found the error occurs only when the policy is configured with ROPC flow. There is an open ticket regarding this issue with the product team.

    As of now, you can try removing <Item Key="grant_type">password</Item> from <TechnicalProfile Id="login-NonInteractive">. As long as, the first OrchestrationStep in an ROPC user journey is the ClaimsExchange with the ROPC technical profile, it should be absolutely fine to remove it.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

6 additional answers

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,336 Reputation points
    2020-11-30T07:26:31.03+00:00

    Hi @Miguel Gregório · Thank you for reaching out.

    Below is an example to customize this message:

    <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalDoesNotExist">El nombre de usuario o la contraseña proporcionados en la solicitud no son válidos.</LocalizedString>  
    <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfInvalidPassword">El nombre de usuario o la contraseña proporcionados en la solicitud no son válidos.</LocalizedString>  
    

    With above parameters, in case of both invalid username and invalid password, it will return same message, which is "The username or password provided in the request are invalid." in spanish (you can configure your own language or custom message).

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Kaveh 1 Reputation point
    2020-11-30T14:10:17.143+00:00

    Hi,

    Just to confirm, I'm facing the same issue. I can localise all other messages but not the one above. after searching the ms. docs, found the error in following link:

    "Error codes: Azure Active Directory B2C": https://learn.microsoft.com/en-us/azure/active-directory-b2c/error-codes

    check for error code: AADB2C90225 in above page.

    I cannot find any way to localise above message.


  3. Wilson de Seabra 1 Reputation point
    2020-11-30T14:27:58.377+00:00

    @AmanpreetSingh-MSFT Same issue here. We're using a custom Technical Profile, and using a custom form on ContentDefinition "api.signuporsigninwithkmsi":

    <UserJourney Id="SignUpOrSignInWithKmsi">
    <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsigninwithkmsi">
    <ClaimsProviderSelections>
    <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
    </ClaimsProviderSelections>
    <ClaimsExchanges>
    <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Username" />
    </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
    <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
    <Value>objectId</Value>
    <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    </Preconditions>
    <ClaimsExchanges>
    <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignup-Username" />
    </ClaimsExchanges>
    </OrchestrationStep>
    <!-- This step reads any user attributes that we may not have received when in the token. -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
    <ClaimsExchanges>
    <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
    </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>

    Technical profile:

        <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Username">  
          <DisplayName>Local Account Signin</DisplayName>  
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />  
          <Metadata>  
            <Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>  
            <Item Key="setting.operatingMode">Username</Item>  
            <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>  
          </Metadata>  
          <IncludeInSso>false</IncludeInSso>  
          <InputClaims>  
            <InputClaim ClaimTypeReferenceId="signInName" />  
          </InputClaims>  
          <OutputClaims>  
            <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true" />  
            <OutputClaim ClaimTypeReferenceId="password" Required="true" />  
            <OutputClaim ClaimTypeReferenceId="objectId" />  
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" />  
            <OutputClaim ClaimTypeReferenceId="authenticationSource" />  
            <OutputClaim ClaimTypeReferenceId="extension_Role" />  
            <OutputClaim ClaimTypeReferenceId="extension_ClientId" />  
            <OutputClaim ClaimTypeReferenceId="extension_FactoryId" />  
            <OutputClaim ClaimTypeReferenceId="extension_DepartmentId" />  
          </OutputClaims>  
          <ValidationTechnicalProfiles>  
            <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />  
          </ValidationTechnicalProfiles>  
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />  
        </TechnicalProfile>  
    

  4. Wilson de Seabra 1 Reputation point
    2020-11-30T14:39:45.29+00:00

    @AmanpreetSingh-MSFT
    The validation then, here goes:

    <TechnicalProfile Id="login-NonInteractive">
    <DisplayName>Local Account SignIn</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <Metadata>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
    <Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
    <Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item>
    <Item Key="ProviderName">https://sts.windows.net/</Item>
    <Item Key="METADATA">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>
    <Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>
    <Item Key="response_types">id_token</Item>
    <Item Key="response_mode">query</Item>
    <Item Key="scope">email openid</Item>
    <Item Key="grant_type">password</Item>
    <!-- Policy Engine Clients -->
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <Item Key="HttpBinding">POST</Item>
    </Metadata>
    <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
    <InputClaim ClaimTypeReferenceId="password" Required="true" />
    <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
    <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
    </InputClaims>
    <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
    <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_Name" />
    <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_Name" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="Name" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
    <OutputClaim ClaimTypeReferenceId="extension_Role" />
    <OutputClaim ClaimTypeReferenceId="extension_ClientId" />
    <OutputClaim ClaimTypeReferenceId="extension_FactoryId" />
    <OutputClaim ClaimTypeReferenceId="extension_DepartmentId" />
    </OutputClaims>
    </TechnicalProfile>

    0 comments No comments