active-directory-aspnetcore-webapp-openidconnect-v2
Cannot edit Azure AD B2C profile in 1-5-B2C project; reauthenticates and redirects to index
This may be related to issue #530. I can see how it might look like the account controller is missing, because the button that should ordinarily link to /MicrosoftIdentity/Account/EditProfile according to the asp-* helpers is instead (eventually) ending up at /. But my issue is definitely not due to AccountController itself being missing.
When using /1-WebApp-OIDC/1-5-B2C, I'm able to sign in and sign out using my Azure AD B2C. If I sign in, I am presented with my username and the "Edit Profile" button. Clicking the "Edit Profile" button causes the HomeController's Index action to execute.
As far as I can tell, the EditProfile action exists in the AccountController used by Microsoft.Identity.Web.UI's AddMicrosoftIdentityUI() extension method. This extension method is being called in Startup.cs. I think it's something about my particular configuration that's causing an issue, because in network inspector, I can see that when edit profile is clicked, a few things happen - even when I'm already authenticated in my application:
- /MicrosoftIdentity/Account/EditProfile 302 redirects to https://MYDOMAIN.b2clogin.com/MYDOMAIN.onmicrosoft.com/b2c_1_profileedit/oauth2/v2.0/authorize?client_id=[...]. The query string parameters include my /signin-oidc redirect URI.
- This authorize endpoint returns 200 with a JS-powered auto-POSTing form that posts to my https://localhost:44316/signin-oidc endpoint.
- My /signin-oidc endpoint 302 redirects to /
So the login handshake is taking place when I click "edit profile." That seems a little odd, since it shouldn't need to reauthenticate immediately after I run through my sign-in user flow (successfully). I confirmed that my B2C_1_ProfileEdit user flow is of type "profile editing," since it seems to be acting more like a sign up/in flow.
The last - potentially - weird thing I noticed is that when my EditProfile handshake was completed and I landed back on Index, my User.Identity.Name was cleared out. This didn't make much sense initially until I realized that the extra authentication handshake was happening against my B2C_1_ProfileEdit flow, which didn't return a display name. I updated this flow to return the display name, and now the User.Identity.Name field is no longer being cleared out. But this seems strange since I was already authenticated and had a valid name from the SignUpSignIn flow.
Versions: .NET Core 3.1 (though I seem to be able to replicate the issue in both 3.1 and 5.0 outside of these Azure samples). I did a fresh clone from master, so I have the most up-to-date code that exists. For future reference, this is the most recent commit: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/f8a37e010cacbc48b63e7d8b875b18b9a2c17313
appsettings.json:

```json
{
  "AzureAdB2C": {
    "Instance": "https://MYDOMAIN.b2clogin.com",
    "ClientId": "df6[...]c9d22",
    "Domain": "MYDOMIAN.onmicrosoft.com",
    "SignedOutCallbackPath": "/signout/B2C_1_susi",
    "SignUpSignInPolicyId": "B2C_1_LocalEmailAccounts",
    "ResetPasswordPolicyId": "B2C_1_PasswordReset",
    "EditProfilePolicyId": "B2C_1_ProfileEdit" // Optional profile editing policy
    //"CallbackPath": "/signin/B2C_1_sign_up_in" // defaults to /signin-oidc
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*"
}
```
POST HTML from handshake:

```html
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
  <title>Logging in...</title>
  <meta name='CACHE-CONTROL' content='NO-CACHE'/>
  <meta name='PRAGMA' content='NO-CACHE'/>
  <meta name='EXPIRES' content='-1'/>
</head>
<body>
  <form id='auto' method='post' action='https://localhost:44316/signin-oidc'>
    <div>
      <input type='hidden' name='state' id='state' value='CfDJ8[...]24Xefv8IEHXSCvLYp'/>
      <input type='hidden' name='client_info' id='client_info' value='eyJ1[...]Y0In0'/>
      <input type='hidden' name='id_token' id='id_token' value='eyJ0eXAiOiJ[...]jeQg'/>
    </div>
    <div id='noJavascript' style='visibility: visible; font-family: Verdana'>
      <p>Although we have detected that you have Javascript disabled, you will be able to use the site as normal.</p>
      <p>As part of the authentication process this page may be displayed several times. Please use the continue button below.</p>
      <input type='submit' value='Continue' />
    </div>
    <script type='text/javascript'>
    <!--
      document.getElementById('noJavascript').innerHTML = ''; document.getElementById('auto').submit();
    //-->
    </script>
  </form>
</body>
</html>
```
@jennyf19 fyi
Hello,
I am having the same issue, where EditProfile does not work properly on 1-5-B2C project configured against my own ADB2C tenant.
It looks like the initial authorize is being rejected, generating the following error:
Message contains error: 'server_error', error_description: 'AADB2C: An exception has occurred. Correlation ID: 05f99e87-0735-4734-862b-6331519ccc78 Timestamp: 2021-10-03 22:16:05Z ', error_uri: 'error_uri is null'.
Clicking Edit Profile button again will trigger a fresh signin process and then shows the expected profile editing screens.
(clicking Edit Profile a third time will then produce the error again, etc).
To reproduce:

1. Follow the "Configure authentication in a sample web app by using Azure AD B2C" tutorial:
   - Tutorial: https://docs.microsoft.com/en-gb/azure/active-directory-b2c/configure-authentication-sample-web-app?tabs=visual-studio
   - Register web application in Azure B2C: https://docs.microsoft.com/en-gb/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga
   - Set up the sign-up and sign-in user flow: https://docs.microsoft.com/en-gb/azure/active-directory-b2c/add-sign-up-and-sign-in-policy?pivots=b2c-user-flow
2. Then add the profile editing user flow:
   - Steps: https://docs.microsoft.com/en-gb/azure/active-directory-b2c/add-profile-editing-policy?pivots=b2c-user-flow
   - Add EditProfilePolicyId to appsettings.json
3. Run the website. Sign in with a valid login.
4. Click Edit Profile.
   - This will generate the error.
5. Click Edit Profile again.
   - This will trigger a new sign-in process.
   - The edit profile screen will appear, and perform as expected.
We are having this issue in our own product website, but as it's happening with the sample project is it more likely an issue with Azure B2C server than our code or configuration?
Thanks, David.
@deruss thanks for the repro steps, will take a look.
@deruss I tried the sample here and was not able to repro the issue. do you have repro code you can send me or provide a link to?
Hello @jennyf19 , Thank you for looking into this, greatly appreciated.
Here's a folder with some screenshots and a video to help: https://onedrive.live.com/?authkey=%21AH9X3tXqicbdAhM&id=5A8ABF47B6342EE0%21233233&cid=5A8ABF47B6342EE0
I haven't changed any code except appsettings, and I've configured the B2C tenant in Azure portal as per instructions (I hope!).
I'm not sure what else to try. ¯\_(ツ)_/¯
Regards, David.
thanks @deruss will take a look. does the edit profile policy work in the AAD B2C portal? There should be a "try it out now" feature.
Hi @jennyf19 .
Yes, the edit flow works from the portal, but when it redirects to my localhost site I get a generic error "OpenIdConnectAuthenticationHandler: message.State is null or empty."
However, I don't think the portal link reuses a previously issued token - I think it always prompts for credentials. That's what happens if I try with jwt.ms redirect.
David.
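Both reports above come down to what B2C puts in the auto-POST form before the browser submits it to /signin-oidc: the original post's handshake (a form carrying `state`, `client_info` and an `id_token` issued by the profile-edit flow, which initially lacked a display name), David's `server_error` response, and the "message.State is null or empty" failure when the flow is launched from the portal rather than from a challenge the app issued. The script below is an added diagnostic, not code from this sample repo or from Microsoft.Identity.Web: it parses such a form, reports which fields are present, and decodes the `id_token` claims without verifying the signature so you can see which user flow issued the token (`tfp`, or `acr` in older tokens) and whether a `name` claim came back. All form bodies and tokens in it are constructed here; the tokens are unsigned (`alg: none`) placeholders, and the field names mirror the ones visible in the posted HTML.

```python
"""Inspect the B2C auto-POST form that lands on /signin-oidc (added example).

Nothing here verifies a token; it only decodes claims for diagnosis.
"""
import base64
import json
from html.parser import HTMLParser


class HiddenInputParser(HTMLParser):
    """Collect name/value of <input type='hidden'> elements and the form action."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self.action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying it (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def inspect_b2c_post(html: str) -> dict:
    """Summarise what the OIDC handler will see when this form is submitted."""
    p = HiddenInputParser()
    p.feed(html)
    report = {"action": p.action, "fields": sorted(p.fields)}
    # The ASP.NET Core OIDC handler correlates the response to its own challenge
    # via 'state'; a form without it is the "message.State is null or empty" case.
    report["has_state"] = bool(p.fields.get("state"))
    if "error" in p.fields:  # B2C reports failures as error/error_description fields
        report["error"] = p.fields["error"]
        report["error_description"] = p.fields.get("error_description", "")
        return report
    token = p.fields.get("id_token")
    report["has_id_token"] = bool(token)
    if not token:
        return report
    claims = decode_jwt_claims(token)
    # Assumption: B2C stamps the issuing user flow in 'tfp' (older tokens: 'acr').
    report["policy"] = claims.get("tfp") or claims.get("acr")
    # User.Identity.Name is populated from 'name'; a flow that does not return
    # the display name yields a token without it.
    report["has_name"] = "name" in claims
    return report


# ---- constructed samples (not captured from a real tenant) ----------------
def make_unsigned_token(claims: dict) -> str:
    """Build an unsigned (alg 'none') JWT for the constructed samples."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def sample_form(fields: dict) -> str:
    inputs = "".join(
        f"<input type='hidden' name='{k}' id='{k}' value='{v}'/>" for k, v in fields.items()
    )
    return ("<html><body><form id='auto' method='post' "
            "action='https://localhost:44316/signin-oidc'>"
            f"<div>{inputs}</div><input type='submit' value='Continue' /></form></body></html>")


# Profile-edit flow configured without the display name claim (original post).
PROFILE_EDIT_NO_NAME = sample_form({
    "state": "CfDJ8constructedstate",
    "client_info": "eyJ1constructed",
    "id_token": make_unsigned_token({"tfp": "B2C_1_ProfileEdit", "sub": "user-1", "exp": 0}),
})
# Same flow after the display name was added to its application claims.
PROFILE_EDIT_WITH_NAME = sample_form({
    "state": "CfDJ8constructedstate",
    "id_token": make_unsigned_token({"tfp": "B2C_1_ProfileEdit", "sub": "user-1",
                                     "name": "Jane Doe", "exp": 0}),
})
# Launched from the portal's "Run user flow": no state the app can correlate.
PORTAL_RUN_NOW = sample_form({
    "id_token": make_unsigned_token({"tfp": "B2C_1_ProfileEdit", "sub": "user-1", "exp": 0}),
})
# Authorize request rejected by B2C (David's server_error).
SERVER_ERROR = sample_form({
    "state": "CfDJ8constructedstate",
    "error": "server_error",
    "error_description": "AADB2C: An exception has occurred. Correlation ID: constructed",
})

if __name__ == "__main__":
    for label, body in [("no name", PROFILE_EDIT_NO_NAME), ("with name", PROFILE_EDIT_WITH_NAME),
                        ("portal", PORTAL_RUN_NOW), ("error", SERVER_ERROR)]:
        print(label, inspect_b2c_post(body))
```

To use it on a real handshake, save the response body of the authorize request from the browser's network inspector (the HTML shown in the original post) and pass it to `inspect_b2c_post`. A report whose `policy` is the profile-edit flow but whose `has_name` is false matches the cleared `User.Identity.Name`; a report with `has_state` false is exactly what the handler rejects as `message.State is null or empty`, which is expected when the form did not originate from a challenge the application issued.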
@deruss thanks for the files. I do not see the same issue with the sample and the default config. Can you make me a guest user in your B2C tenant and email me ([email protected] - please include the issue # and sample in the subject line) the info (username/password) so I can run it locally? Also, can I get a screenshot of your user flow for edit profile? You said you have this same issue in your product code...if you can include your B2C tenant in the above email, I will have our B2C team check that everything in the tenant is set up correctly there as well. Thanks!
Hi @jennyf19 - email sent and user added.
@jennyf19 or @deruss - What was the resolution here? This issue still exists in current Microsoft.Identity.Web.UI !
Having the same issue here and I'm following official docs step by step. The edit profile user flow in B2C works but from web app using Microsoft.Identity.Web.UI is not working.
@rekosko - In my case, my development could not wait for so long (it has been ~5 months now since my comment and much longer since the OP) for a resolution. So, we built our own flow using raw OpenIdConnect basics. It is best not to depend on the Microsoft.Identity.Web.UI for solutions as it tends to get very heavily rewritten every couple of years.
We're still not able to reproduce this bug on our ends unfortunately.
If anyone's still encountering issues with this, you can file a support ticket here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/support-options
Closing due to inactivity