I want to put a custom message on when a user visits the forgotten password page of B2C. When they enter their email address and their "phonenumber" is not found, then it should simply display an error message under the "Continue / Cancel" button saying something like "Not registered, contact Support" (it can be over the email text box as well, where normal error messages appear, if it's too much to do under it).

I have the user journey and orchestration steps to detect a precondition on whether phonenumber exists or not. But I'm not sure how to do this custom error message. It is order 2 of the journey below that needs that step to display that error message and finish (not run further steps).

 <UserJourney Id="PasswordReset">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="PasswordResetUsingEmailAddress" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>phonenumber</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>           
      </Preconditions>  
      <ClaimsExchanges>
        <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddressOTP" />
      </ClaimsExchanges>
    </OrchestrationStep>
..........

I think we can do it by using things like UserMessageIfClaimsPrincipalDoesNotExist and RaiseErrorIfClaimsPrincipalDoesNotExist in combination, as found in the custom profiles. But I'm just looking for a tied-up example to put the pieces together.

1 Answer
You can build claims transformations to:

  1. Determine whether the phone number claim does exist
  2. Ensure that it does exist and if not then show an error message

You must reference these claims transformations when the user account is retrieved so that the error message is shown in the first step.

To determine whether the phone number claim does exist, you use a DoesClaimExist claims transformation:

<ClaimsTransformation Id="DoesPhoneNumberExist" TransformationMethod="DoesClaimExist">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="phoneNumber" TransformationClaimType="inputClaim" />
  </InputClaims>                    
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="phoneNumberDoesExist" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

To ensure that the phone number does exist, you use an AssertBooleanClaimIsEqualToValue claims transformation:

<ClaimsTransformation Id="EnsurePhoneNumberDoesExist" TransformationMethod="AssertBooleanClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="phoneNumberDoesExist" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
  </InputParameters>
</ClaimsTransformation>

To show the error message, you must invoke the claims transformations from the AAD-UserReadUsingEmailAddress technical profile:

<TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
  ...
  <OutputClaims>
    ...
    <OutputClaim ClaimTypeReferenceId="phoneNumber" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="DoesPhoneNumberExist" />
    <OutputClaimsTransformation ReferenceId="EnsurePhoneNumberDoesExist" />
  </OutputClaimsTransformations>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

And then you must include the UserMessageIfClaimsTransformationBooleanValueIsNotEqual metadata in the LocalAccountDiscoveryUsingEmailAddress technical profile:

<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
  ...
  <Metadata>
    ...
    <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Whoops, you aren't registered, contact Support.</Item>
  </Metadata>
  ...
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>
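The answer's four pieces assembled into one policy fragment, as an added example (it is not the answer author's code, nor the Microsoft starter-pack code). The claim and profile Ids are the ones the answer uses; the ClaimsSchema entry, the ClaimsProvider DisplayNames, the Read/RaiseError metadata on the AAD profile and the input claims are assumptions based on the usual layout of a B2C custom policy and should be merged into the existing profiles rather than pasted over them:

```xml
<!-- Added example: assembles the answer's transformations and profiles.
     Ids match the answer; DisplayNames, the ClaimsSchema entry and the
     surrounding profile content are assumptions to adapt to your policy. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- Assumption: the boolean output of DoesClaimExist has to be declared -->
    <ClaimType Id="phoneNumberDoesExist">
      <DisplayName>Phone number exists</DisplayName>
      <DataType>boolean</DataType>
    </ClaimType>
  </ClaimsSchema>

  <ClaimsTransformations>
    <!-- Step 1: true when the phoneNumber claim was read from the directory -->
    <ClaimsTransformation Id="DoesPhoneNumberExist" TransformationMethod="DoesClaimExist">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="phoneNumber" TransformationClaimType="inputClaim" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="phoneNumberDoesExist" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>

    <!-- Step 2: fail the validation technical profile when that boolean is not true -->
    <ClaimsTransformation Id="EnsurePhoneNumberDoesExist" TransformationMethod="AssertBooleanClaimIsEqualToValue">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="phoneNumberDoesExist" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
      </InputParameters>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Directory read used as the validation profile; runs both transformations -->
      <TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
        <Metadata>
          <Item Key="Operation">Read</Item>
          <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
          <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item>
        </Metadata>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" />
          <OutputClaim ClaimTypeReferenceId="phoneNumber" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="DoesPhoneNumberExist" />
          <OutputClaimsTransformation ReferenceId="EnsurePhoneNumberDoesExist" />
        </OutputClaimsTransformations>
        <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

  <ClaimsProvider>
    <DisplayName>Local Account</DisplayName>
    <TechnicalProfiles>
      <!-- Self-asserted page of orchestration step 1; shows the message when the assert fails -->
      <TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
        <Metadata>
          <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Whoops, you aren't registered, contact Support.</Item>
        </Metadata>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="email" Required="true" />
          <OutputClaim ClaimTypeReferenceId="objectId" />
        </OutputClaims>
        <ValidationTechnicalProfiles>
          <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
        </ValidationTechnicalProfiles>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Because the assertion fails inside a validation technical profile, the self-asserted page in orchestration step 1 is re-rendered with the message and the journey never advances, so the ClaimsExist precondition on step 2 in the question is no longer needed for this case. Note that this message, like the existing "account could not be found" one, tells the caller which email addresses are registered and which are not; whether that disclosure is acceptable for a password-reset page is a product decision to make deliberately.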