I have followed the Getting Started workflow here: https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-get-started-custom

I followed it from scratch, twice, and both times when trying to sign in with the sign-in & sign-up custom policy I am prompted with 'Your password is incorrect'. How can I properly authenticate?

Things that are working:

  • When I do signup the user journey completes, and the user is added to the directory
  • Using built in policies I can sign in and sign up
  • Using built in policies I can sign in with a user who I used the custom policy to sign up for

Using Application Insights I can see the following errors (some sanitization applied):

"ValidationRequest":{  
           "ContentType":"Unspecified",
           "Created":"2017-10-06T17:19:34.3995426Z",
           "Key":"ValidationRequest",
           "Persistent":true,
           "Value":"client_id=55555555-5555-5555-5555-555555555555&resource=cccccccc-cccc-cccc-cccc-cccccccccccc&username=MYUSERNAME&password=PASSWORDIENTEREDONSCREEN&grant_type=password&scope=openid&nca=1;1;login-NonInteractive;False"
        },

"ValidationResponse":{  
           "ContentType":"Json",
           "Created":"2017-10-06T17:19:34.3995426Z",
           "Key":"ValidationResponse",
           "Persistent":true,
           "Value":"{\"error\":\"invalid_client\",\"error_description\":\"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.\\r\\nTrace ID: 55555555-cccc-cccc-cccc-555555555555\\r\\nCorrelation ID: 77777777-7777-7777-7777-777777777777\\r\\nTimestamp: 2017-10-06 17:19:33Z\",\"error_codes\":[70002],\"timestamp\":\"2017-10-06 17:19:33Z\",\"trace_id\":\"55555555-cccc-cccc-cccc-555555555555\",\"correlation_id\":\"77777777-7777-7777-7777-777777777777\"};1;login-NonInteractive;False"
        },

The important bit seems to be:

"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'"

Also later it says:

"Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown."

Some things I've double checked:

  • In my Identity Experience Framework > Policy Keys, I have the following 4 keys after following the steps in the guide:
    • B2C_1A_AdminClientEncryptionKeyContainer
    • B2C_1A_FacebookSecret
    • B2C_1A_TokenEncryptionKeyContainer
    • B2C_1A_TokenSigningKeyContainer
  • In the regular AAD > App registrations, I have the applications:
    • IdentityExperienceFramework
    • ProxyIdentityExperienceFramework
  • And ProxyIdentityExperienceFramework has delegated Access IdentityExperienceFramework permissions from IdentityExperienceFramework.
    • And I've hit Grant permissions for both apps.
  • Both application Ids were properly substituted in the TrustFrameworkExtensions.xml, two places each

Any help is much appreciated. Thank you.

It should work. Can you keenly check all the steps for both 'Create the IdentityExperienceFramework application' and 'Create the ProxyIdentityExperienceFramework application'? You should create two apps in the Azure Active Directory blade of the B2C tenant. - Ramakrishna

Is "55555555-5555-5555-5555-555555555555" the client identifier of the "ProxyIdentityExperienceFramework" application? Can you please paste your TrustFrameworkExtensions.xml file? - Chris Padgett

1 Answer

Your ProxyIdentityExperienceFramework app was incorrectly created as a Web App/API. You need to recreate it as a Native app. Make sure you don't forget to update the client_ids in your base policy to the new ProxyIdentityExperienceFramework accordingly.

The error "AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'" occurs when you try to obtain a token using a client_id for an application that was registered as a Web App/API but do not provide the required client_secret. In the case of a Native app, no client_secret is required.

When signing in, Azure AD B2C's trust framework (the thing that executes custom policies) internally attempts to obtain a token for the IdentityExperienceFramework app (Web API) using the ProxyIdentityExperienceFramework app (Native app). If you incorrectly create the latter as a Web App/API, B2C's policy engine fails to obtain the token, which manifests itself as a 'Your password is incorrect' error message to the user.
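The diagnosis above can be automated against the Application Insights entries the question shows. The following is an added example, not code from the answerer or from Azure AD B2C: it parses a ValidationRequest/ValidationResponse pair (the sample values are constructed from the sanitised entries in the question), redacts the clear-text password that the raw log entry carries, and flags AADSTS70002 on a secret-less password grant as the "Proxy app registered as Web App/API" misconfiguration. The trailer format `;1;login-NonInteractive;False` is taken from the logged values; the expected Proxy app id is an assumed input.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed samples modelled on the sanitised Application Insights entries above.
SAMPLE_REQUEST = (
    "client_id=55555555-5555-5555-5555-555555555555"
    "&resource=cccccccc-cccc-cccc-cccc-cccccccccccc"
    "&username=MYUSERNAME&password=PASSWORDIENTEREDONSCREEN"
    "&grant_type=password&scope=openid&nca=1;1;login-NonInteractive;False"
)
SAMPLE_RESPONSE = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS70002: The request body must contain the following "
                         "parameter: 'client_secret or client_assertion'.\r\nTrace ID: x",
    "error_codes": [70002],
}) + ";1;login-NonInteractive;False"

# B2C appends ';<n>;<technical profile id>;<bool>' to every logged Value.
TRAILER = re.compile(r";\d+;[^;]+;(?:True|False)$")


def parse_request(value: str) -> dict:
    """Decode the form-encoded token request; redact the password, which the raw
    Application Insights entry stores in clear text."""
    body = {k: v[0] for k, v in parse_qs(TRAILER.sub("", value)).items()}
    if "password" in body:
        body["password"] = "<redacted>"
    return body


def parse_response(value: str) -> dict:
    """Decode the token endpoint's JSON reply (empty dict if it is not JSON)."""
    try:
        return json.loads(TRAILER.sub("", value))
    except json.JSONDecodeError:
        return {}


def diagnose(request_value, response_value, expected_proxy_client_id=None):
    """Return findings for one ValidationRequest/ValidationResponse pair."""
    req, resp = parse_request(request_value), parse_response(response_value)
    findings = []
    if expected_proxy_client_id and req.get("client_id") != expected_proxy_client_id:
        findings.append("client_id is not the ProxyIdentityExperienceFramework app id: "
                        "re-check both substitutions in TrustFrameworkExtensions.xml")
    codes = set(resp.get("error_codes", []))
    codes.update(int(c) for c in re.findall(r"AADSTS(\d+)", resp.get("error_description", "")))
    if 70002 in codes and req.get("grant_type") == "password" and "client_secret" not in req:
        findings.append("AADSTS70002 on a secret-less password grant: the "
                        "ProxyIdentityExperienceFramework app is registered as Web App/API; "
                        "re-create it as a Native app and update its client_id in the policy")
    return findings
```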