1 vote

I have created a custom policy for sign-up on Azure AD B2C, with the goal of only allowing users whose email is whitelisted to register in the system.

For that, I have configured the custom policy with a REST technical profile.

I followed this guide: https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-exchange?pivots=b2c-custom-policy

The associated web service receives the email of the user who wants to sign up and verifies whether that email address is part of a list of whitelisted emails. If it's not, I return a message of the following format:

{
    "userMessage": "Sorry, this email is not whitelisted",
    "status": 409,
    "version": "1.0.0"
}

If the email is part of the whitelist, I return:

{
    "emailValue": "[email protected]",
    "isWhiteListed": true
}

Here's what my user journey looks like (in the Signup.xml file):

  <UserJourneys>
    <UserJourney Id="SignUp">
      <OrchestrationSteps>

        <OrchestrationStep Order="1" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- This step reads any user attributes that we may not have received when in the token. -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="RESTEmailWhitelist" TechnicalProfileReferenceId="REST-EmailWhitelist" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>
  </UserJourneys>

The problem is that even after returning the 409 error when the email is not whitelisted, the user still gets created successfully in Azure AD B2C.

How do I prevent the user's account from being successfully created?

1
The response format you are returning is perfect, but confirm whether your API is returning 400/409 as the response code. - Saravana Kumar
I am having the same issue. I return 409 with version and userMessage as the documentation suggests but the custom policy doesn't respect it. - Meeting Attender

1 Answer

0
votes

You’re probably running your “AAD-UserwriteUsingEmail” validation technical profile twice, once before the REST call, once after it. Delete the validation tech profile in your base file in the LocalAccountSignUpWithLogonEmail technical profile. Then put the validation tech profiles (AAD-userWriteUsingEmail and REST API) in your extension file, in the LocalAccountSignUpWithLogonEmail technical profile, in the correct order (REST then Write).
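To make the ordering concrete, here is an added example of the extension-file layout the answer describes; it is not code from the question or the answer. It assumes the starter-pack names (`LocalAccountSignUpWithLogonEmail`, `AAD-UserWriteUsingLogonEmail`, `SM-Noop`, the `email` claim), a placeholder service URL, policy keys named `B2C_1A_RestApiUsername` / `B2C_1A_RestApiPassword`, and that `isWhiteListed` is declared as a boolean ClaimType in BuildingBlocks. The point is that both validation technical profiles live in the sign-up profile, with the REST check listed first, so the directory write never runs when the API answers 409.

```xml
<!-- TrustFrameworkExtensions.xml (added example; names below are assumptions, see lead-in) -->
<ClaimsProviders>

  <!-- Override of the starter-pack sign-up profile. Validation technical profiles
       run in document order, and a 409 with a userMessage from any of them stops
       the step and shows the message on the sign-up page. Remove the original
       ValidationTechnicalProfile from the base file so the write is not run twice. -->
  <ClaimsProvider>
    <DisplayName>Local Account</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
        <ValidationTechnicalProfiles>
          <!-- 1. Whitelist check first: a 409 here aborts before anything is written. -->
          <ValidationTechnicalProfile ReferenceId="REST-EmailWhitelist" />
          <!-- 2. Directory write, only reached when the REST call succeeded
               (starter-pack name; the answer refers to it as AAD-UserwriteUsingEmail). -->
          <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
        </ValidationTechnicalProfiles>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

  <ClaimsProvider>
    <DisplayName>REST APIs</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="REST-EmailWhitelist">
        <DisplayName>Email whitelist check</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
          <!-- Placeholder: replace with the whitelist service URL. -->
          <Item Key="ServiceUrl">https://example.invalid/api/whitelist</Item>
          <Item Key="SendClaimsIn">Body</Item>
          <!-- The endpoint decides who may register, so it must be authenticated;
               "None" is only acceptable for local testing. -->
          <Item Key="AuthenticationType">Basic</Item>
          <Item Key="AllowInsecureAuthInProduction">false</Item>
        </Metadata>
        <CryptographicKeys>
          <!-- Assumed policy key names holding the API credentials. -->
          <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_RestApiUsername" />
          <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_RestApiPassword" />
        </CryptographicKeys>
        <InputClaims>
          <!-- Sent to the API as "email" in the JSON body. -->
          <InputClaim ClaimTypeReferenceId="email" />
        </InputClaims>
        <OutputClaims>
          <!-- Read from the 200 response body ("isWhiteListed": true). -->
          <OutputClaim ClaimTypeReferenceId="isWhiteListed" />
        </OutputClaims>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

</ClaimsProviders>
```

With this layout the REST call happens inside orchestration step 1 of the user journey in the question, so the separate step 3 that calls `REST-EmailWhitelist` is no longer needed; a 409 at step 3 comes too late because the account was already written by the validation profile in step 1. Deleting the `ValidationTechnicalProfile` from the base file matters because technical profiles are merged across policy files, and a write left in the base would still run before the whitelist check.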