Azure AD B2C self service password reset link doesn't work [closed]

There are two different mechanisms for Password Reset in Azure AD B2C:

  1. Sign-in Policy: No work required by the application, clicking on "I forgot my password" redirects the user automatically to a generic Microsoft-branded password reset page.

  2. Sign-up/sign-in Policy: This requires the application to do some extra work. Clicking on "I forgot my password" redirects the user back to the application with an error code. The application needs to detect the error code in the request and then redirect the user on to the Azure AD B2C Password Reset Policy. The Password Reset policy can be customized extensively.

Going into more detail on how to implement the second approach, here's the code that hooks into the AuthenticationFailed notification and redirects to your own PasswordReset controller action, from the B2C Sign-up/Sign-in quickstart, Startup.Auth.cs:

private Task AuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    notification.HandleResponse();

    if (notification.ProtocolMessage.ErrorDescription != null && notification.ProtocolMessage.ErrorDescription.Contains("AADB2C90118"))
    {
        // If the user clicked the reset password link, redirect to the reset password route
        notification.Response.Redirect("/Account/ResetPassword");
    }
    else if (notification.Exception.Message == "access_denied")
    {
        // If the user canceled the sign in, redirect back to the home page
        notification.Response.Redirect("/");
    }
    else
    {
        notification.Response.Redirect("/Home/Error?message=" + notification.Exception.Message);
    }

    return Task.FromResult(0);
}

And here's the PasswordReset controller action that redirects the user to the Password Reset B2C policy, from the same B2C Sign-up/Sign-in quickstart, AccountController:

public void ResetPassword()
{
    if (!Request.IsAuthenticated)
    {
        // Challenge with the password reset policy rather than the sign-up/sign-in policy
        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties() { RedirectUri = "/" }, Startup.PasswordResetPolicyId);
    }
}

Just for the sake of completeness, make sure you check out the full guide/overview of setting up an Azure AD B2C Sign-up/Sign-in Policy.


I've been experiencing the same problem, and came up with a JavaScript workaround to point the "Forgot Password" URL directly to the "reset password" policy without changing the code in your connected app (web/mobile/whatever).

1. I assume you have 3 standard policies like in the screenshot below:

[Screenshot: Standard User flows]

2. Go to your "Sign up and sign in policy" and enable JavaScript

a. Click your "Sign up and sign in policy" -> Properties

b. Enable JavaScript as per the screenshot below

[Screenshot: Enable JavaScript]

3. Following that Microsoft article, it will guide you through creating a custom UI for your Sign in/Sign up pages

a. Download the ready-made template (Ocean Blue) for sign in/sign up (by the way, it looks much better than the built-in classic old one, and you can change the background and logo too)

https://github.com/Azure-Samples/Azure-AD-B2C-page-templates/tree/master/ocean_blue

There you will find other templates too.

b. Upload this folder as it is to any hosting or Azure blob storage

c. Just make sure you enable CORS for your hosting or Azure (easy way through Azure Storage Explorer)

4. Write the JavaScript required.

  • Point your Sign-in/Sign-up policy to your template HTML as per the screenshot
  • Go to your policy and Run user flow; if you see it working, go to the next step
  • Add the required JavaScript. On link click, we take the current URL (which is the sign-up/sign-in one) and replace the policy name with the reset policy name. Make sure you put your own policy names here (not mine), or leave it as in the instructions if you are using the same policy names

    <script>
    $(function() {
        console.log("ready!");

        // Change the "Forgot password" link text
        $('#forgotPassword').html('Reset My Password');

        // Handle the "Forgot password" click (working around the AD B2C error)
        $("#forgotPassword").click(function(e) {
            e.preventDefault();

            // Swap the sign-up/sign-in policy name in the current URL for the
            // password reset policy name. Use your own policy names here.
            // Note: replace() with a string pattern is case-sensitive and only
            // replaces the first occurrence.
            var oldUrl = window.location.href;
            var newUrl = oldUrl.replace('B2C_1_signupsignin1', 'B2C_1_passwordreset1');

            window.location.href = newUrl;
        });
    });
    </script>

N.B.: Let me know if I have missed any step; I tried to be as elaborate as possible.
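As an added example (not part of either answer above), here is a version of the URL rewrite from the second answer that parses the B2C authorize URL instead of doing a blind, case-sensitive string replace: it only navigates when the current URL really references the sign-up/sign-in policy, and it handles both the `p=` query-parameter shape and the path-segment shape of B2C policy URLs. The policy names, the `#forgotPassword` element id and the two URL shapes are assumptions for illustration.

```javascript
// Added example, not the original answer's code. Policy names are assumed.
const SIGNUP_SIGNIN_POLICY = "B2C_1_signupsignin1";   // assumed policy name
const PASSWORD_RESET_POLICY = "B2C_1_passwordreset1"; // assumed policy name

// Returns the reset-policy URL, or null when the current URL does not
// reference the sign-up/sign-in policy, so the caller can leave the
// default link alone instead of sending the user somewhere unexpected.
function buildPasswordResetUrl(currentHref) {
  const url = new URL(currentHref);
  const target = SIGNUP_SIGNIN_POLICY.toLowerCase();
  let swapped = false;

  // Shape 1 (assumed): policy passed as the "p" query parameter.
  // searchParams.set keeps the parameter order and other values
  // (client_id, redirect_uri, state, nonce) intact; only encoding is
  // normalised on re-serialisation.
  const p = url.searchParams.get("p");
  if (p !== null && p.toLowerCase() === target) {
    url.searchParams.set("p", PASSWORD_RESET_POLICY);
    swapped = true;
  }

  // Shape 2 (assumed): policy as a path segment
  // (/tenant.onmicrosoft.com/B2C_1_signupsignin1/oauth2/v2.0/authorize).
  const segments = url.pathname.split("/");
  let pathChanged = false;
  for (let i = 0; i < segments.length; i++) {
    if (segments[i].toLowerCase() === target) {
      segments[i] = PASSWORD_RESET_POLICY;
      pathChanged = true;
    }
  }
  if (pathChanged) {
    url.pathname = segments.join("/");
    swapped = true;
  }

  return swapped ? url.toString() : null;
}

// Browser wiring; guarded so the function also loads outside a page.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", function () {
    const link = document.getElementById("forgotPassword");
    if (!link) return;
    link.addEventListener("click", function (e) {
      const resetUrl = buildPasswordResetUrl(window.location.href);
      if (resetUrl) { e.preventDefault(); window.location.href = resetUrl; }
    });
  });
}
```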