0
votes

I have an application where certain pages with extremely sensitive data require the user to re-validate their credentials before use.

The users are already authenticated using Azure AD B2C.

I don't want to log the user out when they reach this page, but I need them to re-enter their credentials to access functionality on the page (e.g. like you might see in online banking apps).

I will know who the user is, so need to ensure the entered credentials match the logged in user.

One approach I can see is to open a new browser window, navigate to the B2C sign-in, and (presumably this is possible) apply a policy that prevents 'remember me' behaviour. I could then extract the signed-in identity from that window and check it against my real logged-in user.

However, that feels overly clunky, and there should be an elegant native way to achieve this. I can't find anything suggesting this is possible in the AD B2C docs. Is there a recommended approach to solving this challenge?

Thanks!


1 Answer

0
votes

You can try to achieve this by creating Custom Policies in AD B2C.

The key to sending data to an Azure AD B2C custom policy is to package the data into a JWT as claims (id_token_hint). In this case, we can send the user's email address to the Azure AD B2C policy. Sending the JWT requires hosting the metadata endpoints needed to use the "id_token_hint" parameter in Azure AD B2C. You can refer to Define an ID token hint technical profile in an Azure Active Directory B2C custom policy.

You can also refer to the Magic Link custom policy sample published by the PG.
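As an added illustration of the id_token_hint approach described in the answer above (this is example code written for this page, not the answer's or the Magic Link sample's own code), the block below does the relying-party side in Go: it mints an RS256-signed JWT carrying the logged-in user's email, produces the two metadata documents B2C needs (the OpenID discovery document and the JWKS that publishes the signing key), and shows the validation the application itself must repeat on whatever B2C returns, namely that the identity matches the session user. The issuer URL, the audience (app/client ID), the key ID, the claim name "email" and the well-known paths are assumptions chosen for the example; the claim name and the metadata URL must match what you configure in the technical profile in your custom policy.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Assumed values: the RP URL that publishes the metadata, and the B2C app (client) ID.
const (
	issuer   = "https://rp.example.com/reauth"
	audience = "00000000-0000-0000-0000-000000000000"
	keyID    = "reauth-key-1"
)

// Signer holds the RSA key whose public half is published at jwks_uri.
type Signer struct{ key *rsa.PrivateKey }

func NewSigner() (*Signer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{key: k}, nil
}

func (s *Signer) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }
func b64(b []byte) string                   { return base64.RawURLEncoding.EncodeToString(b) }

// MintHint builds the RS256-signed id_token_hint carrying the logged-in user's email.
func (s *Signer) MintHint(email string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": keyID})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": issuer, "aud": audience, "iat": now.Unix(),
		"exp": now.Add(5 * time.Minute).Unix(), // short-lived: minted per re-auth attempt
		"email": email,
	})
	input := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// JWKS is the document to serve at jwks_uri; B2C fetches it to check the hint's signature.
func (s *Signer) JWKS() map[string]interface{} {
	pub := s.PublicKey()
	return map[string]interface{}{"keys": []map[string]string{{
		"kty": "RSA", "use": "sig", "alg": "RS256", "kid": keyID,
		"n": b64(pub.N.Bytes()), "e": b64(big.NewInt(int64(pub.E)).Bytes()),
	}}}
}

// Discovery is the document to serve at /.well-known/openid-configuration (assumed path).
func Discovery() map[string]interface{} {
	return map[string]interface{}{
		"issuer":   issuer,
		"jwks_uri": issuer + "/.well-known/keys",
	}
}

// VerifyHint checks signature, audience, expiry and that the email names the session user.
func VerifyHint(pub *rsa.PublicKey, token, sessionEmail string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return err
	}
	var c struct{ Aud, Email string; Exp int64 } // encoding/json matches "aud" etc. case-insensitively
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1])
	if err := json.Unmarshal(payload, &c); err != nil {
		return err
	}
	switch {
	case c.Aud != audience:
		return errors.New("wrong audience")
	case now.Unix() >= c.Exp:
		return errors.New("hint expired")
	case !strings.EqualFold(c.Email, sessionEmail):
		return errors.New("email does not match the logged-in user")
	}
	return nil
}
```

Serve Discovery() at the issuer's /.well-known/openid-configuration and JWKS() at the jwks_uri it advertises (any HTTP handler that writes them as JSON will do), and pass the minted token as the id_token_hint query parameter when redirecting to the policy. The hint only tells the policy which user is expected; the page must still verify, as the question says, that the identity B2C returns (sub/oid or email) equals the session user, which is the check VerifyHint models on the hint itself. To make B2C actually prompt for credentials rather than reuse its own SSO session, send prompt=login on the authorization request; Azure AD B2C documents login as the one supported value for that parameter.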