
DaniloPopovikj-3387 asked (0 votes), ManishPandit-9697 commented

AzureAD B2C Sign In Custom Policy returns "Invalid username or password."

Using the SignInAndSignUp custom policy, I can sign up and reset the password successfully, and I am logged in after sign-up, but for some reason I can't sign in.

I have the ApplicationIds set in TrustFrameworkExtensions.xml

Here is some data I got from AzureAD B2C VS Code Application Insights Extension:

Exceptions: Invalid username or password.
Validation technical profiles: login-NonInteractive

{
  "Key": "Exception",
  "Value": {
    "Kind": "Handled",
    "HResult": "80131500",
    "Message": "Invalid username or password.",
    "Data": {
      "IsPolicySpecificError": false
    }
  }
}

login-NonInteractive in TrustFrameworkBase.xml:

<ClaimsProvider>
  <DisplayName>Local Account SignIn</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="login-NonInteractive">
      <DisplayName>Local Account SignIn</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="ProviderName">https://sts.windows.net/</Item>
        <Item Key="METADATA">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>
        <Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>
        <Item Key="response_types">id_token</Item>
        <Item Key="response_mode">query</Item>
        <Item Key="scope">email openid</Item>
        <!-- <Item Key="grant_type">password</Item> -->

        <!-- Policy Engine Clients -->
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="HttpBinding">POST</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
        <InputClaim ClaimTypeReferenceId="password" Required="true" />
        <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
        <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
        <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

login-NonInteractive in TrustFrameworkExtensions.xml:

<ClaimsProvider>
  <DisplayName>Local Account SignIn</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="login-NonInteractive">
      <Metadata>
        <Item Key="client_id">I have it set, but removed for question</Item>
        <Item Key="IdTokenAudience">I have it set, but removed for question</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="I have it set, but removed for question" />
        <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="I have it set, but removed for question" />
      </InputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

Any help?

azure-ad-b2c

1 Answer

amanpreetsingh-msft answered (0 votes), ManishPandit-9697 commented

Hi @DaniloPopovikj-3387 • Thank you for reaching out.

Could you please double-check that ProxyIdentityExperienceFrameworkAppId and IdentityExperienceFrameworkAppId are added to the login-NonInteractive technical profile as shown below, and not vice versa by mistake.

152871-image.png

Also, in the B2C tenant, navigate to Azure Active Directory > App Registrations > search for the ProxyIdentityExperienceFramework app > API permissions, and make sure the permission below is added:

152891-image.png

If this permission is not added, sign-up works but sign-in fails with the "Invalid username or password." error, and in Azure AD Sign-in Activities the error below is logged:

Application X doesn't have permission to access application Y or the permission has been revoked. Or The user or administrator has not consented to use the application with ID X. Send an interactive authorization request for this user and resource. Or The user or administrator has not consented to use the application with ID X. Send an authorization request to your tenant admin to act on behalf of the App : Y for Resource : Z.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


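As an added check that is not part of this thread (example code, not from the answerer or from Microsoft), the script below parses a TrustFrameworkExtensions.xml and verifies that the login-NonInteractive profile carries the ProxyIdentityExperienceFramework app ID in the client_id slots and the IdentityExperienceFramework app ID in the IdTokenAudience and resource_id slots, flagging the swapped placement the answer warns about. It assumes literal GUIDs as in the question's snippet (not `{Settings:...}` placeholders); the two GUIDs and the sample fragment are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"b2c": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed placeholder app IDs, not real tenant values.
PROXY_IEF_APP_ID = "11111111-1111-1111-1111-111111111111"
IEF_APP_ID = "22222222-2222-2222-2222-222222222222"

# Slot -> which app's ID belongs there (ProxyIEF = client, IEF = resource/audience).
SLOTS = {"Metadata/client_id": "proxy", "InputClaim/client_id": "proxy",
         "Metadata/IdTokenAudience": "ief", "InputClaim/resource_id": "ief"}

def extract_slots(extensions_xml):
    """Collect the Metadata items and InputClaim defaults of login-NonInteractive."""
    root = ET.fromstring(extensions_xml)
    tp = root.find(".//b2c:TechnicalProfile[@Id='login-NonInteractive']", NS)
    if tp is None:
        raise ValueError("login-NonInteractive not found in extensions file")
    found = {}
    for item in tp.findall("b2c:Metadata/b2c:Item", NS):
        found["Metadata/" + item.get("Key", "")] = (item.text or "").strip()
    for claim in tp.findall("b2c:InputClaims/b2c:InputClaim", NS):
        found["InputClaim/" + claim.get("ClaimTypeReferenceId", "")] = claim.get("DefaultValue", "")
    return found

def check_profile(extensions_xml, proxy_ief_app_id, ief_app_id):
    """Return findings; an empty list means every slot holds the right app ID."""
    ids = {"proxy": proxy_ief_app_id, "ief": ief_app_id}
    found = extract_slots(extensions_xml)
    findings = []
    for slot, role in SLOTS.items():
        got, want = found.get(slot), ids[role]
        if got is None:
            findings.append(f"{slot}: missing")
        elif got != want:
            other = ids["ief" if role == "proxy" else "proxy"]
            hint = "holds the other app's ID (swapped?)" if got == other else f"got {got}"
            findings.append(f"{slot}: expected {role} app ID, {hint}")
    return findings

def sample_extensions(client_id, resource_id):
    """Constructed extensions fragment shaped like the one in the question."""
    return (f'<TrustFrameworkPolicy xmlns="{NS["b2c"]}"><ClaimsProviders><ClaimsProvider>'
            '<TechnicalProfiles><TechnicalProfile Id="login-NonInteractive"><Metadata>'
            f'<Item Key="client_id">{client_id}</Item><Item Key="IdTokenAudience">{resource_id}</Item>'
            '</Metadata><InputClaims>'
            f'<InputClaim ClaimTypeReferenceId="client_id" DefaultValue="{client_id}" />'
            f'<InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="{resource_id}" />'
            '</InputClaims></TechnicalProfile></TechnicalProfiles></ClaimsProvider></ClaimsProviders></TrustFrameworkPolicy>')
```

Run `check_profile(open("TrustFrameworkExtensions.xml").read(), proxy_id, ief_id)` against a real file; an empty list means the IDs sit in the right slots, and four "swapped?" findings mean the two values were interchanged.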

Thanks for the answer!

Unfortunately, it still behaves the same. I triple-checked the ProxyIdentityExperienceFrameworkAppId and IdentityExperienceFrameworkAppId in the Extensions XML, and they are good.

I checked the permission for user_impersonation.


152874-image.png

And it looks okay to me. Anything else in mind I can check that might be causing this?




@DaniloPopovikj-3387 • Do you see any failure events in Azure AD Sign-in activities, corresponding to "Invalid username or password." error?


Nope, it shows as success. Weird...

153009-image.png

