I am trying to store the hashed password in the password reset flow. It is giving me an Internal Server Error in the Azure AD B2C custom policy for password reset

Mithun S 1 Reputation point
2022-07-05T12:47:55.007+00:00

I am using Azure AD B2C custom policies; my requirement is to block the user from using the last 10 passwords. So I am trying to store the password using password reset custom policies. I took the reference from https://github.com/azure-ad-b2c/samples/tree/master/policies/password-history . I am getting an internal server error.

Exception Message:An internal error has occurred., CorrelationID:ce643089-eec8-496f-96b6-275fa705c0dd

<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySchemaVersion="0.3.0.0" TenantId="XXX.onmicrosoft.com" PolicyId="B2C_1A_HISTORYResetPassword" DeploymentMode="Development" UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights" PublicPolicyUri="http://XXX.onmicrosoft.com/B2C_1A_HISTORYResetPassword">
  <BasePolicy>
    <TenantId>XXX.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="IsPasswordValid">
        <DisplayName>password is valid</DisplayName>
        <DataType>boolean</DataType>
        <UserHelpText>password is not one of past 5 passwords</UserHelpText>
      </ClaimType>
      <ClaimType Id="userPassHash">
        <DisplayName>request JSON body for user password hash info</DisplayName>
        <DataType>string</DataType>
        <UserHelpText>request JSON body for user password hash info</UserHelpText>
      </ClaimType>
      <ClaimType Id="hashedPassword">
        <DisplayName>Hashed password</DisplayName>
        <DataType>string</DataType>
      </ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations>
      <ClaimsTransformation Id="HashPasswordWithEmail" TransformationMethod="Hash">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="newPassword" TransformationClaimType="plaintext" />
          <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="salt" />
        </InputClaims>
        <InputParameters>
          <InputParameter Id="randomizerSecret" DataType="string" Value="B2C_1A_AccountTransformSecret" />
        </InputParameters>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="hashedPassword" TransformationClaimType="hash" />
        </OutputClaims>
      </ClaimsTransformation>
      <ClaimsTransformation Id="GeneratePassHashBody" TransformationMethod="GenerateJson">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="objectid" TransformationClaimType="username" />
          <InputClaim ClaimTypeReferenceId="hashedPassword" TransformationClaimType="hash" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="userPassHash" TransformationClaimType="outputClaim" />
        </OutputClaims>
      </ClaimsTransformation>
    </ClaimsTransformations>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Password reset overrides</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
          <Metadata>
            <Item Key="EnforceEmailVerification">false</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>Technical Profiles For Checking Password History</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="ValidatePasswordHash">
          <DisplayName>Validate that new password is not one of past 5 passwords</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <!--Sample: update the ServiceUrl with the Url to your password hash service, e.g. passhash.azurewebsites.net -->
            <Item Key="ServiceUrl">https://XXX.azurewebsites.net/api/ValidatePasswordHash?code=9AWILE36B_BAJJtRrnX0ASyHMIbyK_ZFgoxiUR1OCBxyAzFugayEsA==</Item>
            <Item Key="AuthenticationType">Basic</Item>
            <Item Key="AllowInsecureAuthInProduction">true</Item>
            <Item Key="SendClaimsIn">Body</Item>
            <Item Key="UserMessageIfDnsResolutionFailed">UserMessageIfRequestTimeout121212</Item>
            <Item Key="UserMessageIfRequestTimeout">teset1</Item>
            <Item Key="UserMessageIfCircuitOpen">true</Item>
            <Item Key="ClaimUsedForRequestPayload">userPassHash</Item>
            <Item Key="DefaultUserMessageIfRequestFailed">Cannot process your request right now, please try again later.</Item>
          </Metadata>
          <!-- <CryptographicKeys>
            <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_MyClientId" />
            <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_MyClientSecret" />
          </CryptographicKeys> -->
          <InputClaimsTransformations>
            <InputClaimsTransformation ReferenceId="HashPasswordWithEmail" />
            <InputClaimsTransformation ReferenceId="GeneratePassHashBody" />
          </InputClaimsTransformations>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="userPassHash" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>AAD Overrides</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId-ForHistory">
          <DisplayName>Change password (username)</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
          </CryptographicKeys>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="objectId" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
            <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
            <OutputClaim ClaimTypeReferenceId="IsPasswordValid" DefaultValue="true" />
          </OutputClaims>
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="ValidatePasswordHash" />
            <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId" />
          </ValidationTechnicalProfiles>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="PasswordResetWithHistoryCheck">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId-ForHistory" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>
  </UserJourneys>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="PasswordResetWithHistoryCheck" />
    <UserJourneyBehaviors>
      <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="94701752-973e-4316-afd7-9f2fdb96c028" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
      <ScriptExecution>Allow</ScriptExecution>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
        <OutputClaim ClaimTypeReferenceId="IsPasswordValid" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
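The REST endpoint that the ValidatePasswordHash profile posts to is not shown in the question. Below is an added example, not the asker's code and not the function from the samples repository, of what that server side has to do in Python: it consumes the {"username", "hash"} body that the GeneratePassHashBody transformation builds, rejects a hash matching any of the user's last 10 hashes (the question's requirement) with the 409 error body a B2C validation technical profile expects, and otherwise records the hash. The in-memory store, HISTORY_SIZE and the function names are assumptions; checking the caller's Basic credentials is left to the hosting framework.

```python
import hmac
import json
from collections import defaultdict, deque

# The question asks to block reuse of the last 10 passwords (assumed setting).
HISTORY_SIZE = 10


def new_history():
    """Constructed in-memory store: objectId -> recent hashes, oldest first.
    A real service would persist this, keyed by the B2C objectId."""
    return defaultdict(lambda: deque(maxlen=HISTORY_SIZE))


def b2c_error(message, status=409):
    """Error body a B2C REST validation technical profile expects.
    Status 409 makes B2C display userMessage on the self-asserted page."""
    return status, {"version": "1.0.0", "status": status, "userMessage": message}


def validate_password_hash(raw_body, history):
    """Handle the body built by the policy's GeneratePassHashBody transformation.

    Its keys are the TransformationClaimType values from the policy:
    {"username": "<objectId>", "hash": "<hashedPassword>"}. The hash is the
    opaque output of the Hash transformation (email as salt plus the
    randomizerSecret), so this service never sees the plaintext password.
    Returns (http_status, response_body) so it can be wired into any framework.
    """
    try:
        body = json.loads(raw_body)
        username = str(body["username"])
        new_hash = str(body["hash"])
    except (ValueError, KeyError, TypeError):
        # Failures other than 409 are shown by B2C as DefaultUserMessageIfRequestFailed.
        return b2c_error("Request body must contain username and hash.", 400)

    # Constant-time comparison against every stored hash for this user.
    reused = any(hmac.compare_digest(new_hash.encode(), old.encode())
                 for old in history[username])
    if reused:
        return b2c_error(
            "Your new password cannot be one of your last %d passwords." % HISTORY_SIZE)

    # Accept and remember; the deque drops the oldest hash beyond HISTORY_SIZE.
    history[username].append(new_hash)
    return 200, {}
```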


1 answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2022-07-10T03:47:08.08+00:00

    Hello @Mithun S, please follow the steps documented in Troubleshooting with Application Insights and filter your logs using the correlation ID ce643089-eec8-496f-96b6-275fa705c0dd or any other obtained during the error. You will need VS Code and the Azure AD B2C extension. If the error occurs during the REST claims exchange, then simply debug your API using a test password.

    For additional debugging feel free to paste your app insights logs minus any PII (personally identifiable information).

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.

