2
votes

I want to validate a user's email against custom logic in an Azure AD B2C custom signup flow. If the validation fails the user should not be created, and an error message asking for a new email should be shown.

I followed this example: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-validation-custom

Here is my RESTful API claims exchange declaration:

<ClaimsProvider>
  <DisplayName>REST APIs Check User Email</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="APIFunctionsCheckUserEmail">
      <DisplayName>Check user email</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://my.service.net/api/validate</Item>
        <Item Key="AuthenticationType">None</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="AllowInsecureAuthInProduction">true</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="userEmail" Required="true" />
      </InputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

I included in the LocalAccountSignUpWithLogonEmail technical profile my LocalAccountSignUpWithLogonEmail profile as a ValidationTechnicalProfile.

<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
  ...
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" ContinueOnError="false" />
    <ValidationTechnicalProfile ReferenceId="APIFunctionsCheckUserEmail" ContinueOnError="false" ContinueOnSuccess="true" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

If validation is successful everything is fine. If it's not, the custom error message is shown but the user is already created. I tried to put the APIFunctionsCheckUserEmail as the first ValidationTechnicalProfile.

<ValidationTechnicalProfiles>
  <ValidationTechnicalProfile ReferenceId="APIFunctionsCheckUserEmail" ContinueOnError="false" ContinueOnSuccess="true" />
  <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" ContinueOnError="false" />
</ValidationTechnicalProfiles>

Now on error the message is shown and the user is not created, but on success, instead of sending the claims to the return URL, this error appears: "A user with the specified ID already exists. Please choose a different one."


1 Answer

0
votes

Create an attribute that is returned from the API as an output claim.

This has a value e.g. T / F.

Then in your user journey have a precondition ("ClaimsEquals") on the user create. If the flag is false (i.e. validation failed) skip the orchestration step.
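The policy fragments below are an added illustration of the answer's approach, not code from the question or from Microsoft's sample: the REST technical profile returns a boolean flag as an output claim, the directory write is moved out of the sign-up page's validation profiles into its own orchestration step, and that step carries a precondition that skips it when the flag is false. Assumed names are the claim type `emailValid`, the JSON field `isValid` in the API response, and the step orders 2 and 3; the existing profile IDs and service URL come from the question. Note that the precondition type in the B2C policy schema is spelled `ClaimEquals`.

```xml
<!-- Added example of the flag-plus-precondition pattern; not the question's policy.
     Assumed: claim type "emailValid", API response field "isValid", step orders 2 and 3. -->

<!-- 1. Declare the flag claim in BuildingBlocks/ClaimsSchema. -->
<ClaimType Id="emailValid">
  <DisplayName>Email passed custom validation</DisplayName>
  <DataType>boolean</DataType>
</ClaimType>

<!-- 2. The REST technical profile returns the flag instead of signalling an error.
     The API answers HTTP 200 with a JSON body such as {"isValid": false}. -->
<TechnicalProfile Id="APIFunctionsCheckUserEmail">
  <DisplayName>Check user email</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://my.service.net/api/validate</Item>
    <!-- AuthenticationType "None" is taken from the question; an authenticated endpoint
         (Basic or Bearer) is the setting to use outside of a test tenant. -->
    <Item Key="AuthenticationType">None</Item>
    <Item Key="SendClaimsIn">Body</Item>
    <Item Key="AllowInsecureAuthInProduction">true</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="userEmail" Required="true" />
  </InputClaims>
  <OutputClaims>
    <!-- The "isValid" field of the API response is mapped onto the emailValid claim. -->
    <OutputClaim ClaimTypeReferenceId="emailValid" PartnerClaimType="isValid" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

<!-- 3. The sign-up page now runs only the REST check as a validation profile;
     AAD-UserWriteUsingLogonEmail is removed from this list and becomes step 3 below.
     Claims returned by a validation profile end up in the journey's claims bag. -->
<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
  <!-- DisplayName, Metadata, InputClaims and OutputClaims unchanged -->
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="APIFunctionsCheckUserEmail" ContinueOnError="false" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

<!-- 4. User journey: the directory write is its own step, skipped when emailValid is False. -->
<OrchestrationStep Order="2" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="LocalAccountSignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecutionActionsIf="true">
      <Value>emailValid</Value>
      <Value>False</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserWriteWithLogonEmailExchange" TechnicalProfileReferenceId="AAD-UserWriteUsingLogonEmail" />
  </ClaimsExchanges>
</OrchestrationStep>
```

Two points to check when adapting this: the skipped write step leaves the claims bag without an `objectId`, so the journey also needs a step that handles the false case (for example a self-asserted page that shows the "choose a different email" message, guarded by its own `ClaimEquals` precondition on `emailValid`), otherwise the journey proceeds to token issuance with an incomplete user. And because the API's verdict now travels as a plain claim, the REST endpoint should be authenticated rather than reachable with `AuthenticationType` `None`, since anything that can answer that URL can decide whether an account is created.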