1

I have an email field in my MVC application. Once the user has given an email-Id, we validate it and have to pass the same email-id to the Azure B2C SignUp policy. For this I have created a custom policy. Can anybody help me with how I can achieve this?

This is my MVC registration page field

This is my Azure B2C sign up page field

Syfer

3 Answers

2

See another answer here for how this can be implemented using a custom policy.

It requires the email address to be passed as an input claim from the relying party application to the custom policy in a JWT that is signed with the client secret of the relying party application.

A working sample of this is here.

Chris Padgett
  • Hi Chris, I did the same walkthrough you provided. But no luck. It seems adding a new user into B2C is not pre-populating the email. Will Microsoft accept passing input claims from an external application to B2C custom policies? – Shaik Abdul Khader Basha Oct 23 '18 at 13:22
2

I was able to do this using a custom B2C policy.

I had a predefined extension attribute called registrationNumber that I wanted to pre-populate on my SignUp policy. Here is how to create a custom attribute.

I added registrationNumber as a ContentDefinitionParameter on the SignUp Policy.

  <ContentDefinitionParameters>
    <Parameter Name="registrationNumber">{OAUTH-KV:registrationNumber}</Parameter>
  </ContentDefinitionParameters>

Still in the SignUp Policy, I added an output claim for the extension attribute.

<OutputClaim ClaimTypeReferenceId="extension_RegistrationNumber" AlwaysUseDefaultValue="true" DefaultValue="{OAUTH-KV:registrationNumber}"/>

Then, in my MVC app I add the parameter on redirect, in OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification notification):

notification.ProtocolMessage.Parameters.Add("registrationNumber", registrationNumber);
Drew Fleming
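Added example (not code from any answer above): the same redirect hook, but carrying the email as a JWT signed with the client secret, as Chris's answer describes, instead of the editable query parameter that Drew's {OAUTH-KV:...} approach relies on. It assumes Microsoft.Owin.Security.OpenIdConnect 4.x with System.IdentityModel.Tokens.Jwt, placeholder ClientId/ClientSecret values, and that the policy's relying-party technical profile reads the JWT from the client_assertion parameters (a convention from RFC 7523, not confirmed on this page).

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;

public partial class Startup
{
    // Placeholder relying-party credentials (assumed; read yours from configuration).
    private const string ClientId = "<b2c-application-id>";
    private const string ClientSecret = "<b2c-client-secret-at-least-32-chars>";

    // Builds a short-lived JWT carrying the validated email, signed (HS256) with the
    // client secret. A raw login_hint or {OAUTH-KV:...} query value can be edited by
    // whoever controls the browser; a value under this signature can only come from
    // an application holding the secret, so the policy can trust it.
    public static string BuildEmailAssertion(string validatedEmail, string audience)
    {
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(ClientSecret));
        var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: ClientId,
            audience: audience,                     // assumption: the policy's authorization endpoint
            claims: new[] { new Claim("email", validatedEmail) },
            expires: DateTime.UtcNow.AddMinutes(5), // short window: the assertion is a bearer value
            signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    private Task OnRedirectToIdentityProvider(
        RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        // Same OWIN-context hand-off as in Mike H's answer.
        var validatedEmail = notification.OwinContext.Get<string>("validatedEmail");
        if (!string.IsNullOrEmpty(validatedEmail))
        {
            var assertion = BuildEmailAssertion(validatedEmail, notification.ProtocolMessage.IssuerAddress);
            // Parameter names follow the OAuth 2.0 JWT client-assertion convention (RFC 7523);
            // assumption: the relying-party technical profile is set up to read a JWT from them.
            notification.ProtocolMessage.Parameters.Add(
                "client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
            notification.ProtocolMessage.Parameters.Add("client_assertion", assertion);
        }
        return Task.FromResult(0);
    }
}
```

The receiving technical profile must verify the signature with the same secret; the raw-parameter approaches on this page give the policy no way to tell an app-supplied email from one typed into the address bar.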
1

EDIT: As Chris Padgett points out, this is only applicable for pre-populating the sign-in email address, but the need was for sign-up. Chris's answer is better for sign-up.

If I understand correctly, your MVC application is the relying party that is redirecting to B2C for authentication and you want to prepopulate the email address box in B2C with the email address you collected in the MVC application.

The mechanism you are looking for is the OpenID Connect login_hint query string parameter in the authentication request that is sent to the B2C authorization endpoint.

B2C supports this parameter and provides instructions on how to read the login_hint with custom policy.

During a sign-in user journey, a relying party application may target a specific user or domain name. When targeting a user, an application can specify, in the authorization request, the login_hint query parameter with the user sign-in name. Azure AD B2C automatically populates the sign-in name, while the user only needs to provide the password.

If you are using a custom policy, override the SelfAsserted-LocalAccountSignin-Email technical profile. In the section, set the DefaultValue of the signInName claim to {OIDC:LoginHint}. The {OIDC:LoginHint} variable contains the value of the login_hint parameter. Azure AD B2C reads the value of the signInName claim and pre-populates the signInName textbox.

I don't know exactly how your application is built, but I'll assume that your MVC application is similar to the TaskWebApp described in Quickstart: Set up sign-in for an ASP.NET application using Azure Active Directory B2C. If this is the case you need to make two changes.

First, in your AccountController SignUpSignIn() method (or wherever it is you have the validated email address and are ready to redirect to B2C), you need to add the email address to the OWIN context.

public void SignUpSignIn()
{
    if (!Request.IsAuthenticated)
    {
        var validatedEmailId = "emailaddress@example.com"; //read from form
        HttpContext.GetOwinContext().Set("validatedEmail", validatedEmailId);
        HttpContext.GetOwinContext().Authentication.Challenge();
        return;
    }
    Response.Redirect("/");
}

Then in your Startup.Auth.cs, you need to modify the OnRedirectToIdentityProvider() callback to read the email address from the environment and use that as the LoginHint value.

private Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    var policy = notification.OwinContext.Get<string>("Policy");
    if (!string.IsNullOrEmpty(policy) && !policy.Equals(DefaultPolicy))
    {
        notification.ProtocolMessage.Scope = OpenIdConnectScopes.OpenId;
        notification.ProtocolMessage.ResponseType = OpenIdConnectResponseTypes.IdToken;
        notification.ProtocolMessage.IssuerAddress = notification.ProtocolMessage.IssuerAddress.ToLower().Replace(DefaultPolicy.ToLower(), policy.ToLower());
    }
    else //default, sign-in/sign-up 
    {
        notification.ProtocolMessage.LoginHint = 
            notification.OwinContext.Get<string>("validatedEmail");
    }
    return Task.FromResult(0);
}
Mike H
  • I believe `login_hint` is only applied to the sign-in name field on the sign-in page. :( – Chris Padgett Oct 12 '18 at 01:32
  • Oh, but this is a sign-UP, not sign-in, so I can see where the standard login_hint may not apply. – Mike H Oct 12 '18 at 13:59
  • Hi Mike, I did the same but SignUp not accepting the LoginHint value as pre populating the email address. Pls suggest is there any other way to do this. – Shaik Abdul Khader Basha Oct 23 '18 at 13:24
  • Right, I misunderstood your original question. This only works on a sign-in policy, as Chris noted. For sign-UP, Chris' answer should be what you are looking for, but if that's not working, you might want to try App Insights to troubleshoot per https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-troubleshoot-custom. – Mike H Oct 23 '18 at 14:55