Azure B2C - OIDC redirects to Reset Password Flow instead of signing a user in

Anonymous
2022-04-15T16:35:28.21+00:00

We have an application that utilizes Azure B2C. The application also has links to partner websites that sign in a user via OIDC. We have the following scenario:

  1. User goes to the website and the website redirects to AzureB2C Sign in page.
  2. The user chooses to reset his password and goes through the reset password flow. After the user resets his password, he is automatically signed in to our application.
  3. The user then clicks a link that should allow him to SSO in via OIDC.
  4. Instead of being automatically signed in, the Azure B2C "Reset Password" page is displayed to the user.

As a workaround, the user has to log out and log back in again to be automatically SSO'd in to the partner site.

How do we fix this so that OIDC does not send the user to the Reset Password page?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2022-04-18T20:18:10.887+00:00

    Hi anonymous user, I saw my colleague Jas answered this question on StackOverflow.

    There was a bug in the setup for the “recommended” password reset flow.

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy#self-service-password-reset-recommended

    In the ForgotPassword technical profile, set UseTechnicalProfileForSessionManagement to SM-Noop.

    Please let me know if you have any questions.

    If this answer helped you please mark it as "Verified" so other users can reference it.

    Thank you,
    James
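
A check for the setting named in the accepted answer, as an added example that is not part of the original thread or of Microsoft's documentation: it parses a custom policy file and reports which session manager the ForgotPassword technical profile references. The policy fragments are constructed and trimmed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# XML namespace of Azure AD B2C custom policy (TrustFrameworkPolicy) files.
NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

def session_manager_of(policy_xml, profile_id="ForgotPassword"):
    """Return the ReferenceId of the profile's session manager.

    None means the profile is not in this file; "" means the profile exists
    but has no UseTechnicalProfileForSessionManagement element.
    """
    root = ET.fromstring(policy_xml)
    for tp in root.iterfind(".//tf:TechnicalProfile", NS):
        if tp.get("Id") == profile_id:
            ref = tp.find("tf:UseTechnicalProfileForSessionManagement", NS)
            return "" if ref is None else ref.get("ReferenceId", "")
    return None

def check_forgot_password(policy_xml):
    """Hypothetical lint rule: ForgotPassword must reference SM-Noop."""
    ref = session_manager_of(policy_xml)
    if ref is None:
        return "ForgotPassword technical profile not found in this file"
    if ref != "SM-Noop":
        return f"ForgotPassword session manager is {ref!r}, expected 'SM-Noop'"
    return "ok"

def sample_policy(session_element):
    """Constructed, trimmed policy fragment for demonstration only."""
    return f"""<TrustFrameworkPolicy xmlns="{NS['tf']}">
  <ClaimsProviders><ClaimsProvider>
    <DisplayName>Local Account</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="ForgotPassword">
        <DisplayName>Forgot your password?</DisplayName>
        {session_element}
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

UNSET = sample_policy("")
FIXED = sample_policy('<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />')

if __name__ == "__main__":
    for name, xml in (("unset", UNSET), ("fixed", FIXED)):
        print(name, "->", check_forgot_password(xml))
```

Run it against the policy file that defines the ForgotPassword technical profile; a result of None from `session_manager_of` means the profile lives in a different file of the policy set.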

