A call center uses Azure AD B2C to validate a customer phoning in. To do this call center takes three characters from the password and ask the customer calling in to provide the three characters plus some other known facts as part of the authentication process.
With the Identity Experience Framework, which underlies Azure Active Directory B2C (Azure AD B2C) custom policy, you can integrate with a RESTful API in a user journey. This sample .Net core web API, demonstrate how to extract the three characters of the password, by calling Restful technical profile in a validation technical profile. During sign-up or password reset, the policy calls a REST API to HASH three letters of the password and store the values in the user profile.
The LocalAccountSignUpWithLogonEmail and LocalAccountWritePasswordUsingObjectId technical profiles are configured to add the REST-HashPassword validation technical profile (before storing the password to the user account in Azure AD B2C).
The validation technical profile sends the newPassword claim to the REST API. The REST API extracts the first three characters of the password, the second three characters, and the third three characters, then HASH the values extraced and returns them back to Azure AD B2C.
The AAD-UserWriteUsingLogonEmail (sign-up) and AAD-UserWritePasswordUsingObjectId (password reset) technical profile are configured to store the passwords fragments in HASH format into extension attribute that can be later use to mach value provided during the call to the call center.
- Find and replace the
tenant-namewith your own tenant name. - In
login-NonInteractivetechnical profile, set the value ofclient_idandresource_idinput claims, with your ProxyIdentityExperienceFramework application Id. For more information, see Get started with custom policies in Azure Active Directory B2C. - In
AAD-Commontechnical profile, update the objectId and appId with your own values. For more information, see Use custom attributes in a custom profile edit policy. - Deploy the REST API to a public web server, and change the
ServiceUrlmetadata of theREST-HashPasswordtechnical profile.
The custom REST API source code for .Net core is available under the source code folder.
This sample policy is based on SocialAndLocalAccounts starter pack. All changes are marked with Demo: comment inside the policy XML files. Make the necessary changes in the Demo action required sections.
In the TrustFrameworkBase.xml file, we move the validation technical profiles of the LocalAccountSignUpWithLogonEmail (sign-up) and LocalAccountWritePasswordUsingObjectId (password reset) technical profiles to the extension polity.
- The
ClaimsSchemasection contains the claims to store the password fragments in HASH format. Those claims must start withextension_prefix. - Customized the
LocalAccountSignUpWithLogonEmail(sign-up) andLocalAccountWritePasswordUsingObjectId(password reset) technical profile to call the REST-HashPassword validation technical profile. - The
REST-HashPasswordtechnical profile is a custom Restful service to HASH the password. This technical profile sends the password as input claim and return the passwords in HASH format, including the first three letters, second three letters, and third three letters as output claims. The input and output claims map the name use in the policy with the name defined in the REST API code . - The
AAD-Commontechnical profile is configured to support extension attributes - The
AAD-UserWriteUsingLogonEmail(sign-up) andAAD-UserWritePasswordUsingObjectId(password reset) technical profile are configured to store the passwords fragments in HASH format.
Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [azure-ad-b2c]. If you find a bug in the sample, please raise the issue on GitHub Issues. To provide product feedback, visit the Azure Active Directory B2C Feedback page.