AADB2C90304: User journey went into a bad state. Claims exchange with id 'LocalAccountSigninEmailExchange' could not be found in orchestration step
I have a custom policy based on SocialAndLocal sample.
It adds 2 ClaimsTransformation steps in front. This are steps 3 and 4:
<OrchestrationStep Order="3" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
<ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
<ClaimsProviderSelection TargetClaimsExchangeId="ForgotPasswordExchange" />
<ClaimsProviderSelection TargetClaimsExchangeId="Social1Exchange" />
<ClaimsProviderSelection TargetClaimsExchangeId="Social2Exchange" />
<ClaimsProviderSelection TargetClaimsExchangeId="AdTesttenantExchange" />
</ClaimsProviderSelections>
<ClaimsExchanges>
<ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="4" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="Social1Exchange" TechnicalProfileReferenceId="Social1Exchange-OpenIdConnect" />
<ClaimsExchange Id="Social2Exchange" TechnicalProfileReferenceId="Social2Exchange-OpenIdConnect" />
<ClaimsExchange Id="AdTesttenantExchange" TechnicalProfileReferenceId="AdTesttenantExchange-OpenIdConnect" />
<ClaimsExchange Id="ForgotPasswordExchange" TechnicalProfileReferenceId="ForgotPassword" />
</ClaimsExchanges>
</OrchestrationStep>
Fresh logon scenario works fine. But on subsequent logons, if the user used one of the social IDPs they get an error like this:
It makes no sense. Why is B2C looking for LocalAccountSigninEmailExchange in step 4 when it's defined in step 3?
I tried asking MSFT support but so far they were no help (as usual). Maybe I can have more luck here..
I can provide an Application Insights trace if it's useful.
Solution
After over 4 months MSFT support finally came up with a solution.
The error goes away if ValidationClaimsExchangeId element is placed as last element like this:
<OrchestrationStep Order="3" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
<ClaimsProviderSelection TargetClaimsExchangeId="ForgotPasswordExchange" />
<ClaimsProviderSelection TargetClaimsExchangeId="Social1Exchange" />
<ClaimsProviderSelection TargetClaimsExchangeId="Social2Exchange" />
<ClaimsProviderSelection TargetClaimsExchangeId="AdTesttenantExchange" />
<ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
</ClaimsProviderSelections>
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- How do I programmatically clear or update a phone number for Azure AD B2C MFA?
- B2C - How to override sign up now link (custom policy)
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
- B2C Sign-up screen shows {OIDC:LoginHint} instead of the login
- During signIn receiving B2C error code ‘AADB2C99059’
- Azure B2C / WPF - Handling a failed MFA verification flow
- Assign B2C User to ExternalAzureAD identity
- AADB2C90304: User journey went into a bad state. Claims exchange with id 'LocalAccountSigninEmailExchange' could not be found in orchestration step
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Sign in to Azure B2C with an OpenID account (Microsoft Work email) but prevent user from signing up
- Azure b2c still authenticated after hitting logout
- Can Azure AD B2C send extension attributes without the extension prefix on a SAML token in a SAML IdP-initiated SSO flow?
- Azure B2C Signup page
- Azure B2C integration not working on app built using pwabuilder for iOS
- Azure AD B2C problem with Self-Service password reset
- use of b2clogin.com when acquiring token with Client Credential Grant Flow
- Azure B2C does not receive script information written in HTML files uploaded to storage
- Azure B2C: Edit Profile via a single page
- Azure b2c cutom policy signin validation profile
- Mendix and Azure Ad B2C AuthRequest does not have assertion consumer service URL
- Azure Active Directory B2C: How to query MS Graph to get a user's alternative security ID?
- Did B2C user creation defaults change regarding password reset?
- Refresh Tokens and MicrosoftIdentityWebApp
- ADB2C Social Log in - what is the difference between alternateSecurityId and userIdentity?
- To allow external client application users to access B2C Integrated client website
- Correlation failed in asp.net core
- Custom attribute as stringCollection on Azure AD B2C
- How to get detailed exception in Azure B2C Custom policy by Correlation ID?
- Authenticating with Azure AD B2C Issue