I'm trying to set up a very basic custom policy for sign-up/sign-in for Azure B2C in the China region, and my question is about how to debug the sign-in process.
After carefully following the directions at [1] (and adjusting the URLs/tenant IDs for China, more details below), I am unable to successfully log in using the custom policy signup_signin flow. Each attempt results in "Invalid username or password" despite the same credentials working for the out-of-the-box user flows. User sign-up via this custom policy does work correctly, however.
Things I changed specifically for China:
- tenant IDs (in all files):
<yourtenant>.onmicrosoft.com-><yourtenant>.partner.onmschina.cn - technical profile "login-NonInteractive" metadata attributes (TrustFrameworkBase.xml):
- ProviderName:
https://sts.chinacloudapi.cn/ - METADATA:
https://login.chinacloudapi.cn/<numeric tenant id>/.well-known/openid-configuration - authorization_endpoint:
https://login.chinacloudapi.cn/<numeric tenant id>/oauth2/token
- ProviderName:
- b2clogin values (where appropriate in application properties, etc):
tried both
<yourtenant>.b2clogin.cn/<numeric tenant id>and<yourtenant>.b2clogin.cn/<yourtenant>.partner.onmschina.cnforms
Things I've tried / double-checked:
- following all directions separately in a non-China Azure account -- this is working as expected
- cycling through many, many combinations of login.partner.microsoftonline.cn / login.chinacloudapi.cn / .b2clogin.cn / etc for the various auth endpoints
- re-creating the IdentityExperienceFramework and ProxyIdentityExperienceFramework apps
- the apps are of the web app / native types, respectively, as required
- the apps are created in the legacy app registrations section of the AAD (not B2C) blade, but within the B2C tenant (next to the b2c-extensions-don't-modify-this-app app)
- all portal operations undertaken as global administrator
- the proxy app has the permissions to access the other app
- the permissions have been "granted" via the separate button click after being selected
- the app IDs are in the correct client / resource positions in the TrustFrameworkExtensions file
- the app IDs are in fact the app IDs and not object IDs
- the custom policy files are uploaded in the correct base/extensions/relyingParty order
- App Insights debug logging turned on - as far as I can tell the Event:SELFASSERTED step Web.TPEngine.StateMachineHandlers.SelfAssertedMessageValidationHandler is returning false, though the statebag property of the handler result contains a validation response that appears to contain an ID token
I observe this behavior with the LocalAccounts files directly from [2] with only the template values filled in (i.e. no changes to the structure of the user flows or anything, just plugging in the app ids, tenant IDs, and China URL substitutions). This question [3] describes the same problem I have, though the solutions outlined there have not solved my issue.
The learning curve to get this far has been painfully steep, and I'm not really sure what the next steps should be to debug this further.
Does anyone have any experience with AADB2C in China or debugging this sort of issue generally?
[1] https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
[2] https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
[3] Invalid usename or password when sigining local account with Azure AD B2C Custom Policy
