There’s a good article on id_token_hint on docs.microsoft here.
I did a post on this here.
Basically, you pass information, e.g. a username, into B2C inside a signed JWT. The JWT is signed by a certificate.
B2C checks the JWT signature by accessing an Azure app service that contains a…
Exceptions and errors in B2C when using custom policies are logged using Application Insights.
As I have encountered exceptions, I have documented how I have searched for the actual cause.
Note that these are the error messages displayed in the browser.
I will keep adding cases to this post as…
By proofing up, I mean enabling MFA on the user’s login.
I’ve been involved with a number of companies who have gone through this exercise. Every one has had problems. Users don’t read the instructions and get confused. Support has to get involved.
The instructions say:
“Do this on your…
There are a lot of custom policy samples scattered all over the Internet, so I thought I would try and collate them in one place.
Invariably, the links will change and break. Please report these in the comments. Also, please report any others that you think should be added.
PKCE (Proof Key for Code Exchange) is described here.
From the official OAuth 2.0 spec for PKCE:
This is particularly useful for…
There’s a write-up here on using .NET Core to access the B2C Graph API.
It gives you the following commands:
 Get all users (one page)
 Get user by object ID
“SCIM is a standardized definition of two endpoints — a /Users endpoint and a /Groups endpoint. Using common REST verbs to create, update, and delete objects, and a pre-defined schema for common attributes like group name, username…
Note: This is a PoC that you should use as a guide. The code is not Production ready and you use it at your own risk.
A number of people have asked me if B2C can use another repository for authentication e.g. …
There’s a gotcha with this when you use “ClaimEquals” with B2C custom policies.
Assume you have a claim that you read from B2C, e.g. extension_ClaimInB2C, and the user types some text into a TextBox, e.g. ClaimFromTB, and you want to compare the two in a user journey.
Both are defined…
This was a request from a customer and on googling it, I found there was nothing!
This could be because secret Q&A are not very secure and have pretty much been deprecated as a security feature.
But sometimes it’s all you have as an option.
NZ is an agricultural country…