Sign in with username and reset password with only email for a B2C custom policy
I am using a custom B2C policy. when I register, I insert email, username and password. When I sign in, I sign in with username. When I reset password, I reset password with only email,but just here I have to next error message:
I believe that the email not match with username, but I want reset password only email. What XML tag should I to setting?
MY RESETPASSWORD.XML
<BasePolicy>
<TenantId>XXXXXXXXXX.onmicrosoft.com</TenantId>
<PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
</BasePolicy>
<RelyingParty>
<DefaultUserJourney ReferenceId="PasswordChange" />
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="
{Policy:TenantObjectId}" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
MY TRUSTFRAMWORKEXTENTIONS.XML => REGISTER
<TechnicalProfile Id="AAD-UserWriteUsingLogonName">
<Metadata>
<Item Key="Operation">Write</Item>
<Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true" />
</InputClaims>
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" />
<PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="strongAuthenticationEmailAddress" />
<PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
<PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="SomeDefaultDisplayNameValue" />
<!-- <PersistedClaim ClaimTypeReferenceId="CodigoVerificacion" /> -->
<!-- <PersistedClaim ClaimTypeReferenceId="surname" /> -->
</PersistedClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" />
<!-- <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" /> -->
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
</OutputClaims>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />
<UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
<TechnicalProfile Id="LocalAccountSignUpWithLogonName">
<DisplayName>User ID signup</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="IpAddressClaimReferenceId">IpAddress</Item>
<Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
<Item Key="LocalAccountType">Username</Item>
<Item Key="LocalAccountProfile">true</Item>
<Item Key="language.button_continue">Registrase</Item>
<!-- desactivar validar correo -->
<Item Key="EnforceEmailVerification">false</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" Required="true" />
<OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
<OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
<OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
<OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
<!-- <OutputClaim ClaimTypeReferenceId="CodigoVerificacion" Required="true" /> -->
<!-- <OutputClaim ClaimTypeReferenceId="newUser" /> -->
<OutputClaim ClaimTypeReferenceId="authenticationSource" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
<!-- <OutputClaim ClaimTypeReferenceId="surname" Required="true" /> -->
</OutputClaims>
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonName" />
</ValidationTechnicalProfiles>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
MY TRUSTFRAMWORKEXTENTIONS.XML => FORGOT PASSWORD
nter code here
<!-- Check if the user has selected forgot password herehere hereherehere-->
<OrchestrationStep Order="3" Type="InvokeSubJourney">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="false">
<Value>isForgotPassword</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<JourneyList>
<Candidate SubJourneyReferenceId="PasswordReset" />
</JourneyList>
</OrchestrationStep>
<SubJourneys>
<SubJourney Id="PasswordReset" Type="Call">
<OrchestrationSteps>
<!-- Validate user's email address. Run this step only when user resets the password-->
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Collect and persist a new password. Run this step only when user resets the password-->
<OrchestrationStep Order="2" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
</OrchestrationSteps>
</SubJourney>
</SubJourneys>
When I register, my email does not save. What am I doing wrong?
Solution
If you created the user with a username and didn't capture the email then you can't use the standard password reset because that is based on email.
Look at this policy - it shows how to use username or email.
But beware. Email is preferred for security because you can ask the user to verify the email. The only way to verify username is to use MFA and ask the user e.g. to enter the SMS OTP.
That's why you should always capture the email when you signup with username.
- IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey
- Get Azure Active Directory password expiry date in PowerShell
- Azure Logic App HTTP Request Authentication Scope
- Get all user properties from Microsoft graph
- Get User by email address using Microsoft Graph API
- How do I login to an Azure AD Joined VM using Azure AD Credentials on an Windows Server 2019?
- Azure Permission - needed for creating resource group - RBAC
- Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
- Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens
- Updating App Registration's Configured permission without overwritten existing values
- Azure trusted signing Identity validation process stuck due to inability to upload required documents
- How to debug Bearer error="invalid_token"
- Azure global admin cannot(disabled) add roles under "Access Control(IAM)"
- Access and Modify SharePoint Online list using PnP.Powershell and AccessTokens / Registered App
- How to find the delay when I reset a password using Microsoft's Graph API?
- Outlook calendar don't render with FullCalendar
- Azure Remove User Consent to API
- .NET Core Multi Tenancy authentication
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- Microsoft Identity Web: Change Redirect Uri
- Authenticating to Azure application with JMeter
- How do I solve audience (aud) invalid claim error for downstream api service?
- invalid_request: The provided value for the input parameter 'redirect_uri' is not valid
- I am getting an error that OAuth2 Code has already been redeemed
- Generating token for Fabric Rest api using client secret
- AADSTS700016: Application with identifier 'XXX' was not found in the directory 'directory_name'
- Authenticate to SQL Server with Azure app service managed identity through group
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- Azure AD:Authenticate Devices
- How to set Azure MSAL SSO for my Nextjs14 app using Approuter and next-auth