So I am currently using the invite policy of Azure B2C by following the link https://github.com/azure-ad-b2c/samples/tree/master/policies/invite and was able to successfully generate a signup link using id_token_hint. Instead of sending a link through email we have used an API to send the link to the Angular app and then trigger the link on click of the sign up button. Even though the flow is working fine technically, there are two enhancements which our team is thinking of implementing to make the UX better.

  1. The first one is that after successful signup the redirect URI that we have set is triggered and the browser redirects to it, but since that page makes some API calls it is protected and the signin user flow of our application is triggered. If we do signup using the user flow provided by B2C itself we get logged in as well in the same flow, but in our case of signup the signin is an extra step which my team is thinking of removing. Is there any way we can do that? I have read that since the flow is not initiated by our website, the token returned by the invite signup is being ignored. So is there a way around this?

    My Signup URL: [screenshot: Signup url with id_token_hint]

    The token is even captured by jwt.ms but the Angular app does not consider it. [screenshot: token after signup screen captured by jwt.ms]

  2. Secondly, is there any way to enable email verification just like in the default signup flow of B2C, where an OTP is sent to the email before moving forward? According to the Microsoft documentation you can do this by updating this piece of code under metadata in the policy file, which I have shown below. It was 'False' by default so I did change it to 'True', but the verification flow is still not enabled. Am I missing anything here?

<Item Key="EnforceEmailVerification">True</Item>

Edit: Since you have asked how I have added authentication in my API, I have added a picture below. This is working fine for the normal signin flow. Also, meanwhile I will go through the link you have provided and check if it solves my problem.

Config in my API: [screenshot: Config in my backend API]

Startup: [screenshot: In startup file]

Then I have used AddMicrosoftIdentityWebApi, specifying the JWT options and attaching the config.

Also I have attached the decoded tokens in both cases. The kid is different; also, the signup token has one more field, x5t.

Token of normal signin flow: [screenshot: Signin flow token]

Token of invited email signup: [screenshot: Signup flow token]

Almost all the other fields are similar in these tokens.

1 Answer

  1. I think you should consider reworking your API so that it returns an id_token (not a link). Then the Angular app should call the API and initiate the B2C_1A_signup_invitation flow from the Angular app, passing the received id_token.

  2. Try to change the 85th line in the GitHub example from <OutputClaim ClaimTypeReferenceId="ReadOnlyEmail" Required="true" /> to <OutputClaim ClaimTypeReferenceId="ReadOnlyEmail" PartnerClaimType="Verified.Email" Required="true" />. And also set EnforceEmailVerification to True.

Anton
  • Thanks Anton! Just followed your solution for the email code and it worked. For the first part I think I am in the right direction and the redirection works as well, skipping the sign in flow. But now the token I receive here is not authenticating with my API. The sign in flow one still works, but when I pass this token I get **IDX10501: Signature validation failed. Unable to match key: kid: 'System.String'.** – Moiz Zaveri Jun 24 '21 at 13:39
  • I have noticed that the key id I am getting in the normal sign in flow and from the sign up flow are different, with the sign up flow having an X.509 fingerprint as well in the token. – Moiz Zaveri Jun 24 '21 at 13:45
  • Can you show how you set up authentication in your API? Also, try to follow the solution in this thread https://stackoverflow.com/questions/58856735/idx10501-signature-validation-failed-unable-to-match-keys, probably it will help. – Anton Jun 25 '21 at 12:26
  • I will go through the thread you have mentioned. Also after the edit tag I have attached my API authentication setup and also the decoded tokens in both cases. – Moiz Zaveri Jun 28 '21 at 09:59