The following contains a few pointers specific to interactions with ADB2C that integrations should take into account. For other customization and interaction options, refer to the official ADB2C product documentation.
With the provisioned/managed instance configuration, some care is required when handling a session that starts with the user resetting their password.
The scenario/flow is roughly as follows:
- The user is presented with a login prompt.
- The user clicks "Forgot Password".
- The user goes through email verification and enters a new password (and a confirmation).
- The user is logged in without having to enter his/her credentials after the change.
The issue is that during step 4, the regular server-side login process is NOT executed.
The end result is that the generated id_token includes neither extension_SubscriberId nor extension_Products.
The recommended workaround for this scenario is for the integration application to handle the password-reset journey by forcing a new login:
- Detect that token contains the property isForgotPassword with a value true.
- Clear local session cookies.
- Re-run login flow.
The result will be that the user needs to enter his/her credentials again, and the resulting token will be populated with the correct information.
The above approach is implemented in the self-service application. The id_token issued after a password reset looks like the following; note the isForgotPassword claim and the absent extension_ claims:
```json
{
  "ver": "1.0",
  "iss": "https://experimentations4prod.b2clogin.com/b2f8feca-1a5c-4090-ab41-9013d3420118/v2.0/",
  "sub": "62a786d2-5cd2-4a26-9cb0-18b056b9562f",
  "aud": "1b162230-180c-4648-9d0f-a313bb86510c",
  "exp": 1707321390,
  "nonce": "defaultNonce",
  "iat": 1707317790,
  "auth_time": 1707317790,
  "isForgotPassword": true,
  "name": "esbbach+testuser1@infosoft.no",
  "emails": [
    "esbbach+testuser1@infosoft.no"
  ],
  "oid": "62a786d2-5cd2-4a26-9cb0-18b056b9562f",
  "tfp": "B2C_1_Signin",
  "nbf": 1707317790
}
```
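The three workaround steps above (detect isForgotPassword, clear the local session, re-run login), as an added example that is not code from the page or from the self-service application. The function and claim names other than isForgotPassword, extension_SubscriberId and extension_Products are assumptions; the token helper builds a constructed, unsigned token for local testing only.

```python
import base64
import json

# Claims a regular login populates but the password-reset journey leaves out
# (names taken from the text above).
REQUIRED_EXTENSION_CLAIMS = ("extension_SubscriberId", "extension_Products")


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload as a dict. This does NOT verify the signature;
    an integration validates the id_token with its OIDC library first and
    passes the resulting claims to needs_forced_login()."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_forced_login(claims: dict) -> bool:
    """True when the session came from the password-reset journey
    (isForgotPassword claim) or the subscriber claims are missing."""
    if claims.get("isForgotPassword") is True:
        return True
    return any(name not in claims for name in REQUIRED_EXTENSION_CLAIMS)


def handle_login_callback(id_token: str, session: dict) -> str:
    """Decide what the integration does after the B2C redirect (assumed API):
    'relogin' = local session cleared, caller restarts the login flow
    (without prompt=login so tenant-wide SSO survives); 'ok' otherwise."""
    claims = decode_jwt_payload(id_token)
    if needs_forced_login(claims):
        session.clear()      # step 2: drop local session cookies
        return "relogin"     # step 3: caller re-runs the authorization request
    session["sub"] = claims["sub"]
    return "ok"


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline testing; never accept such a
    token in a real integration."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-sig"
```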
By default, all provisioned tenants are configured with SSO enabled across the tenant.
In essence, that means that if a user is signed in to one application, for instance self-service, and has "Keep Me Signed In" toggled on, there should be no login prompt; instead he/she should be signed in automatically.
There is one requirement: the login request must NOT include the query parameter prompt=login. As soon as that is included, the SSO session is terminated.