
I have to consume a custom policy on Azure AD B2C on my Spring Boot App.

When I try to "Cancel" from the Forgot Password policy, it takes me to localhost:8443/login?error.

On that page, it shows me

[access_denied] AADB2C90091: The user has cancelled entering self-asserted information. Correlation ID: XXX-XXX-XXX-XXX-XXX Timestamp: 2022-03-18 18:00:37Z

How do I handle such errors in Spring Boot? What changes do I make in WebSecurity.java, if any?

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
            // Pages reachable without a session, including the post-logout landing page
            .antMatchers("/welcome", "/newRegistrationStart", "/logoutSuccess" ).permitAll()
            .antMatchers("/images/*").permitAll()
            .anyRequest().authenticated()
        .and()
            .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/logoutSuccess")
        .and()
            // configurer: the Azure AD B2C OIDC login configurer injected into this class (not shown here)
            .apply(configurer)
        ;
    }
sudhansh_

1 Answer

Please check whether the references below can be worked around:

If the user clicks the ‘Cancel’ button, Azure AD B2C will return an error response with Error Code AADB2C90091. This is expected behavior, as the idea is to catch those error codes and redirect to any other page, for example to the home or index page. The error is handled by the application based on the code sent back.

To mitigate the Error AADB2C90091 you must intercept the error response and prevent the Authentication middleware from throwing this error back to the page. The user is redirected to the url specified in the redirect_uri, but with the error. But you can play with the HTML template (with JavaScript) and add your own link.

Or try to make use of accessDeniedHandler under exceptionHandling():

    .requestCache()
        .requestCache(myRequestCache)
    .and()
    .exceptionHandling()
        .accessDeniedHandler(myAccessDeniedHandler)

And in the AccessDeniedHandler, you can redirect to the required page (e.g. the login page) as shown in the references below.

Please see: spring - AccessDeniedHandler with redirect to login page - Stack Overflow for more details, and java - Handle Security exceptions in Spring Boot Resource Server - Stack Overflow

Other references:

  1. Spring Security – Customize the 403 Forbidden/Access Denied Page | Baeldung
  2. angular-oauth2-oidc forgot password flow - Javaer101
  3. Cancel button Azure B2C - Microsoft Q&A
kavyaS
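One way to do the interception the answer describes in Spring Security terms, as an added example that is not part of the answer or of the Azure starter: an AuthenticationFailureHandler that recognises the AADB2C90091 error description Azure AD B2C sends back to the redirect_uri and redirects to a page the question already marks permitAll(), delegating every other failure to the default handler. It assumes Spring Boot 2.x with javax.servlet (the question dates from 2022) and that `.oauth2Login()` can be customised next to the starter's configurer; the class and constructor names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

/**
 * Hypothetical handler: turns the B2C "user cancelled" error into a redirect to a
 * public page instead of the default /login?error page seen in the question.
 */
public class B2CCancelAwareFailureHandler implements AuthenticationFailureHandler {

    // Error code quoted in the question; every other code is still a real failure.
    private static final String USER_CANCELLED_CODE = "AADB2C90091";

    // Fixed, application-controlled target; never take a redirect target from the request.
    private final String cancelRedirect;
    private final AuthenticationFailureHandler fallback =
            new SimpleUrlAuthenticationFailureHandler("/login?error");

    public B2CCancelAwareFailureHandler(String cancelRedirect) {
        this.cancelRedirect = cancelRedirect;
    }

    /** True only for the B2C cancel error; the "[access_denied] AADB2C90091: ..." text in the question is code + description. */
    public static boolean isUserCancelled(AuthenticationException ex) {
        if (!(ex instanceof OAuth2AuthenticationException)) {
            return false;
        }
        String description = ((OAuth2AuthenticationException) ex).getError().getDescription();
        return description != null && description.startsWith(USER_CANCELLED_CODE);
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception) throws IOException, ServletException {
        if (isUserCancelled(exception)) {
            response.sendRedirect(request.getContextPath() + cancelRedirect);
            return;
        }
        // Any other error (invalid state, token exchange failure, ...) keeps the normal failure path.
        fallback.onAuthenticationFailure(request, response, exception);
    }
}

// Wiring in configure(HttpSecurity http), after .apply(configurer):
//     .and().oauth2Login().failureHandler(new B2CCancelAwareFailureHandler("/welcome"))
```

The handler only short-circuits the cancel case; a mismatched state parameter or a failed code exchange still surfaces as an authentication failure, which is what you want to see in the logs.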