
We are migrating our user base to authenticating via Azure B2C. I am following the example set out in the starter packs for password changing in Azure B2C (https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/scenarios/password-change).

The process at the moment with our app is like this:

  1. You click "change password" in our app (after you have already logged in via B2C) and you are redirected to our change password policy in B2C
  2. You are presented with a screen to enter your credentials (for us this is username and password)
  3. Upon successfully entering those credentials you are presented with the option to enter your "old password" and the "new password" with an extra text-box to confirm the new password
  4. You are redirected back to the app

My problem is step two: you have to enter your credentials despite a) having already logged in via Azure B2C and b) having to enter your old password anyway in step three.

How can I get the custom policy to "know" which user the password change request is for and simply treat entering the "old password" claim as sufficient verification of their identity? In my app I know the "ObjectId" claim; is there a way I can just "pass that in" to the change password page via a querystring parameter and have it skip step two?

juunas: If you pass in the user data through the query string, I recommend you use a signed JWT to pass claims, like in the invitation sample here: github.com/azure-ad-b2c/samples/blob/master/policies/invite/…

Chris Padgett: Hi @DenverCoder9, how are you testing this? Does the authentication request contain prompt=login? If so, then this invalidates the SSO session, which otherwise suppresses the login prompt at step 2.

DenverCoder9: I certainly was, @ChrisPadgett, and removing this removed the problem.

1 Answer


As a comment on my question led me to find out, it was because I included "prompt=login" in the URL that the user is redirected to.

Without this querystring parameter it works as I expect.
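The check below is an added example (not code from the question, the answer, or the B2C starter pack): it builds the authorize request that sends a signed-in user to a B2C password-change policy and flags the `prompt=login` parameter the answer identified, since that parameter discards the SSO session and brings back the credential screen. The tenant name, policy id, client id and redirect URI are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def build_password_change_url(tenant, policy, client_id, redirect_uri, nonce, prompt=None):
    """Build the OIDC authorize request that redirects the user to a B2C custom policy.

    prompt=login tells B2C to demand fresh credentials and ignore the existing
    SSO session, which is why the username/password screen reappeared in the
    question even though the user was already signed in.
    """
    params = {
        "p": policy,
        "client_id": client_id,
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "nonce": nonce,
    }
    if prompt:
        params["prompt"] = prompt
    base = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize"
    return f"{base}?{urlencode(params)}"


def forces_reauthentication(url):
    """True when the request carries prompt=login, i.e. the SSO session will not be honoured."""
    query = parse_qs(urlsplit(url).query)
    return "login" in query.get("prompt", [])


def strip_login_prompt(url):
    """Return the same request without the prompt parameter so B2C reuses the SSO session."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query.pop("prompt", None)
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own tenant, policy and app registration.
    url = build_password_change_url(
        "contoso", "B2C_1A_PasswordChange",
        "00000000-0000-0000-0000-000000000000",
        "https://app.example/auth/callback", "random-nonce", prompt="login",
    )
    print("re-prompts for credentials:", forces_reauthentication(url))
    print("fixed redirect:", strip_login_prompt(url))
```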