Howto call Azure AD B2C Change Password profile from Blazor WASM

[njannink]

Situation
Blazor WASM website that uses Azure AD B2C as authentication provider (MSAL)

Problem
I setup a custom policy for password change using the following guide:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/add-password-change-policy?pivots=b2c-custom-policy

But I can't seem to figure out how to correctly redirect the user to the change password profile. If I call the suggested url:

https://xxxx.b2clogin.com/xxxx.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_PASSWORDCHANGE&client_id=ABCDE&nonce=defaultNonce&redirect_uri=https%3A%2F%2Flocalhost%3A5000%2Fauthentication%2Flogin-callback&scope=openid&response_type=id_token&prompt=login

Then I can login and change my password.

1. If I remove the prompt=login it's not working at all. I would prefer if the user shouldn't have to login again and effectivly typing his old password twice.
2. If I keep the prompt=login the password is updated, but the Blazor WASM authentication page keeps stuck in logging in. If I close the WASM site and reopen it I need to login another time. So the old used token is invalid.

Anybody has an idea howto correctly use Blazor WASM in combination with the change password custom policy?

[javiercn]

@njannink thanks for contacting us.

This is not something that we currently support. I believe at the time (and I'm not sure if not it is the case too) MSAL.js didn't support this flow.

[javiercn]

Dupe of #27119

[njannink]

@javiercn It's not really a duplicate of #27119, because that one is about catching some error code and initiating password reset / forgot password flow. This one is about starting a custom policy for starting the "Change Password" flow. After looking at #27119 I also found task #38122 and I'm kinda worried that this isn't supported yet. Microsoft promoted the Azure AD B2C framework as the to-go authentication framework together with Blazor WASM and then something simple as change my password which is essensitial for any web application isn't possible. Isn't there not even a workaround to start a custom policy eg from Javascript?

[javiercn]

@njannink thanks for the additional details.

There are two levels here:

• MSAL.JS support for what you are asking for (I'm not aware if it is something supported or not).
• The support we provide out of the box in Blazor Webassembly built on top of the MSAL.JS library.

At the time we created our initial support, I don't believe these things were yet supported by MSAL.js, so we couldn't do anything even if we wanted.

If they are supported right now, we might consider adding them to our Blazor supporting package, however I want to be very clear that our goal with this package is not to provide a full e2e experience for every possible MSAL.js/authentication scenario.

The goal of our integration package is to offer a starting point for a set of common scenarios (login/logout/call APIs), we don't have the bandwidth nor the expertise in the ASP.NET Core team to build every possible authentication scenario related to AAD and AAD B2C.

I would suggest that if you want to see better support for AAD and AAD B2C on Blazor, you post an idea https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789 on the AAD user voice forum as a way to raise visibility to the current support gaps.

In addition to that, it is possible for you to create your own authentication implementation using msal.js to support whatever scenarios you care about. This repo shows how you can replace the built-in AuthenticationService with a custom implementation tailored to your needs.

[njannink]

Thx for your answer.

With a custom AuthenticationService I'm getting the password reset user flow to work. but calling the custom password change profile I'm not getting to work. After the password change the refresh token fails. So you are still connected based on the token from before the password change, but you are no longer authenticated.

Any idea how to get this to work? Also only the version with prompt=login works. How do I correctly send the account info to prevent having to login again on the Azure AD B2C page