
ROPC : Does the user-migration with Sign-In & Rest-API to validate user on Legacy IDP work for ROPC ? #14

Closed
sudhakarbetha opened this issue Jun 17, 2020 · 2 comments

@sudhakarbetha

We are using a mobile device and have users to migrate from a database as part of the migration.
I followed:

  1. ROPC Custom Policy https://docs.microsoft.com/en-us/azure/active-directory-b2c/ropc-custom?tabs=app-reg-ga
  2. Defined custom attributes https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes
  3. Setup a Rest-API on Legacy IDP to return migrationStatus https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-intro

However, I think the ROPC with REST-API is not supported? Because the
ROPC has Protocol Name="OpenIdConnect" />
vs
SelfAsserted-LocalAccountSignin-Email has

and ran into problem of
Invalid technical profile with id "ResourceOwnerPasswordCredentials-OAUTH2" only the protocol handler ""Web.TPEngine.Providers.SelfAssertedAttributeProvider"" can have a ValidationTechnicalProfile

I stumbled upon these and noticed that the migration does not apply for ROPC (mobile devices)? Is that true?
https://docs.microsoft.com/en-us/azure/active-directory-b2c/self-asserted-technical-profile
https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect-technical-profile

Can someone tell me how we do migration during SignIn with Rest-API interaction for the ROPC grant_type?

@JasSuri
Contributor

JasSuri commented Sep 21, 2020

This should work now; in the past, what you observed was accurate.
But the flow should be:

  1. Read directory by email, and obtain the attribute that flags the migration status
  2. Call REST API if account needs to be migrated
  3. Write the password to the B2C directory if the REST API was happy, and change the migration flag attribute
  4. Make the ROPC call that B2C normally makes to check the credentials against B2C
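
As an added illustration of step 2 (not code from this issue, from Azure AD B2C, or from the commenter), here is the legacy-IdP validation endpoint that the REST API technical profile would call, written as a plain request handler so it runs offline. It assumes B2C sends the input claims as a JSON object with `email` and `password` keys, and the constructed in-memory user store, the output claim value `"validated"`, and the PBKDF2 parameters are assumptions; the 200/409 response shape follows the REST API contract described on the linked custom-policy-rest-api-intro page.

```python
# Added example: the "validate user on the legacy IdP" REST API that step 2 calls.
# The claim names "email"/"password" and the legacy store below are assumptions.
import hashlib
import hmac
import json
import os

def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Assumed legacy hashing scheme; real stores will differ.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the legacy user database: email -> (salt, hash).
_SALT = os.urandom(16)
LEGACY_USERS = {
    "alice@example.com": (_SALT, _pbkdf2("correct horse battery staple", _SALT)),
}

def legacy_password_valid(email: str, password: str) -> bool:
    """Check the supplied password against the legacy store in constant time."""
    record = LEGACY_USERS.get(email.lower())
    if record is None:
        # Do the same hashing work so an unknown user is not revealed by timing.
        _pbkdf2(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(_pbkdf2(password, salt), stored)

def handle_migration_request(body: str) -> tuple[int, dict]:
    """Return (HTTP status, JSON body) in the shape B2C expects from a REST API
    technical profile: 200 with output claims on success, or 409 with a
    version/status/userMessage object to signal a validation error."""
    try:
        claims = json.loads(body)
        email = claims["email"]
        password = claims["password"]
    except (ValueError, KeyError, TypeError):
        return 409, {"version": "1.0.0", "status": 409,
                     "userMessage": "Missing or malformed credentials."}
    if not legacy_password_valid(email, password):
        # One message for unknown user and wrong password: no account enumeration.
        return 409, {"version": "1.0.0", "status": 409,
                     "userMessage": "Invalid username or password."}
    # Success: B2C writes the password itself in step 3, so never echo it back.
    # "migrationStatus" is the custom attribute from the question; the value is assumed.
    return 200, {"migrationStatus": "validated"}
```

B2C surfaces the 409 `userMessage` as the validation error for that step, which is why the same message is returned for both failure cases.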

@malta895

Hi @JasSuri,
could you provide an XML example of a user journey and technical profiles for the steps you mentioned? In particular, I can't figure out how to implement the first and the second step.

What do you mean by "Read the directory by email"?

How can I insert the password in the REST API body?
