B2C Tenant Login issue

DatNC 0 Reputation points
2024-10-21T17:42:09.3766667+00:00

Hi all,

I'm facing an issue with B2C Tenant Login when I access the old B2C Tenant login page directly ( "/my-page/b2c_1a_signup_signin/oath2/v2.0/authorize?client_id=...&scope=..." which has expired values of client-request-id, code_challenge and nonce, I think ) instead of accessing it from my project Home Page. Because the values of client-request-id, code_challenge and nonce were expired, when I enter the verification code, Azure doesn't know where to redirect when the verification is finished. I have found a solution to solve it, which is to clear the cookies whenever the issue occurs. Is there any property to do that inside the B2C custom policy?

Thank you.


1 answer

  1. James Hamil 25,006 Reputation points Microsoft Employee
    2024-10-24T18:10:37.09+00:00

    Hi @DatNC , unfortunately, Azure AD B2C doesn't provide a built-in policy configuration to automatically clear cookies when this happens. But there are several strategies you can try to mitigate this issue.

    • Instead of relying on users to access the old login page directly, you can make sure that they always navigate through your project’s Home Page. You can implement a mechanism that checks if the user is accessing the login page directly and then redirects them to the Home Page to initiate the login process correctly.
    • You can create a custom page to handle errors related to authentication. This custom page can detect specific error codes and then perform actions such as clearing cookies and redirecting users to the Home Page.
    • Consider reducing the lifetime of your tokens so that they expire more quickly. This won't directly solve the problem but may reduce the likelihood of running into expired tokens.
    • You can inject JavaScript to clear specific cookies when certain error conditions are detected.

    Here is a sample JavaScript snippet:

    <script>
      // Expires every cookie that this page can read through document.cookie.
      // Only cookies visible to script are affected: HttpOnly cookies are not
      // exposed to document.cookie and cannot be cleared this way, and cookies
      // scoped to another path or domain are left untouched.
      function clearCookies() {
        document.cookie.split(";").forEach(function(c) {
          // strip the leading space and the value, then overwrite the cookie with a past expiry
          document.cookie = c.replace(/^ +/, "").replace(/=.*/, "=;expires=" + new Date().toUTCString() + ";path=/");
        });
      }

      // Call this function based on your specific error detection logic
      clearCookies();
    </script>
    

    If you decide to implement custom error handling or JavaScript injection, you’ll need to update your B2C custom policies. For example:

    <TrustFrameworkPolicy ...>
      <BuildingBlocks>
        <ContentDefinitions>
          <ContentDefinition Id="api.error">
            <LoadUri>https://your-custom-error-page-url</LoadUri>
            <RecoveryUri>...</RecoveryUri>
            <!-- DataUri selects the page layout contract for the error page; it is required -->
            <DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.0</DataUri>
          </ContentDefinition>
        </ContentDefinitions>
      </BuildingBlocks>
      <!-- JavaScript in a custom page only runs when the relying party policy sets
           <UserJourneyBehaviors><ScriptExecution>Allow</ScriptExecution></UserJourneyBehaviors> -->
    </TrustFrameworkPolicy>
    

    In the LoadUri, you can point to a custom HTML page where you include the JavaScript to clear cookies.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

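The decision logic such a custom error page would run, as an added example that is not part of the answer above and not Microsoft's code. It expires every cookie the page can read and, as a heuristic for the answer's first strategy, treats a missing or foreign-origin referrer as "the login page was opened directly" and sends the user back to the Home Page. `HOME_PAGE`, the referrer heuristic and the sample cookie string are assumptions; the pure functions take their inputs as parameters so they can be exercised outside a browser, and only `applyInBrowser()` touches `document` and `location`.

```javascript
// Added example (not from the original answer, not Microsoft's code).
const HOME_PAGE = "https://app.example.com/"; // assumption: the app's Home Page

// Turns the raw document.cookie string into one "name=;expires=...;path=/"
// assignment per cookie. Only cookies readable from script appear in
// document.cookie: HttpOnly cookies and cookies scoped to another path or
// domain are not visible here and therefore cannot be cleared this way.
function expiredCookieStrings(cookieHeader) {
  const epoch = new Date(0).toUTCString(); // "Thu, 01 Jan 1970 00:00:00 GMT"
  return cookieHeader
    .split(";")
    .map((c) => c.trim())
    .filter((c) => c.length > 0)
    .map((c) => c.replace(/=.*/, "")) // keep the cookie name only
    .map((name) => `${name}=;expires=${epoch};path=/`);
}

// Heuristic (assumption) for "the user opened the login page directly":
// no referrer, an unparsable referrer, or a referrer whose origin is not
// the app's origin. With the default Referrer-Policy a cross-origin
// navigation still carries the origin, so the comparison works.
function reachedDirectly(referrer, appOrigin) {
  if (!referrer) return true;
  try {
    return new URL(referrer).origin !== appOrigin;
  } catch (e) {
    return true; // unparsable referrer: treat as direct access
  }
}

// Builds the recovery plan: which cookie assignments to write and where to
// send the user (null when the navigation can be attributed to the app).
function recoverLoginState({ cookieHeader, referrer, appOrigin, homePage = HOME_PAGE }) {
  const direct = reachedDirectly(referrer, appOrigin);
  return {
    cookiesToExpire: expiredCookieStrings(cookieHeader),
    redirectTo: direct ? homePage : null,
  };
}

// Browser-only wrapper for the custom error page's <script>; returns null
// when no document exists (e.g. under Node) so the logic above stays testable.
function applyInBrowser() {
  if (typeof document === "undefined") return null;
  const plan = recoverLoginState({
    cookieHeader: document.cookie,
    referrer: document.referrer,
    appOrigin: new URL(HOME_PAGE).origin,
  });
  plan.cookiesToExpire.forEach((c) => { document.cookie = c; });
  if (plan.redirectTo) location.replace(plan.redirectTo);
  return plan;
}

// Constructed sample input (not a real capture): two non-HttpOnly cookies.
const SAMPLE_PLAN = recoverLoginState({
  cookieHeader: "session=abc; csrf=def;",
  referrer: "",
  appOrigin: "https://app.example.com",
});

if (typeof module !== "undefined") {
  module.exports = { expiredCookieStrings, reachedDirectly, recoverLoginState, applyInBrowser, SAMPLE_PLAN };
}
```

Because the login state that actually expired (client-request-id, code_challenge, nonce) lives in the authorize request and in B2C's own cookies, the practical value of this page is to get the user back to a place that starts a fresh authorize request; expiring readable cookies is a best-effort cleanup, not a guarantee that server-side state is gone.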
