Tags: azure-active-directory, azure-ad-msal, azure-ad-b2c-custom-policy, msal.js, msal-react

How to set prompt dynamic in input claim custom policy when login as google in azure ad b2c


I have implemented authentication using Azure AD B2C and use a custom policy to manage the user journey. I have a Google login IdP and some input claims (login hint and prompt) to manage the auth session. I have 2 different applications running in different React application roots. I am facing an issue with cross-application access while having 2 or more Google accounts active in the browser. The first application is already logged in and tries to access the second app, which should re-authenticate. I tried silent auth using the MSAL implementation, but unluckily it throws an error, so I handled the auth using MSAL Login Redirect. The issue is, I need to re-select the account even though I already set prompt to "none" instead of "select_account" or "consent" and pass this prompt value to the custom policy as an input claim, but no luck: this claim is ignored and not updated in the custom policy.

This is a sample custom policy when self-asserted as Google.

....
<ClaimType Id="custom_prompt">
  <DisplayName>custom_prompt</DisplayName>
  <DataType>string</DataType>
  <UserInputType>TextBox</UserInputType>
</ClaimType>
<ClaimType Id="prompt">
  <DisplayName>prompt</DisplayName>
  <DataType>string</DataType>
  <UserInputType>TextBox</UserInputType>
</ClaimType>
......
<ClaimsProvider>
  <Domain>google-oauth.com</Domain>
  <DisplayName>Google</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Google-Oauth">
....
      <InputClaim ClaimTypeReferenceId="loginHint" PartnerClaimType="login_hint" DefaultValue="{OIDC:LoginHint}" />
      <InputClaim ClaimTypeReferenceId="access_type" PartnerClaimType="access_type" DefaultValue="offline" AlwaysUseDefaultValue="true" />
      <InputClaim ClaimTypeReferenceId="custom_prompt" PartnerClaimType="prompt" DefaultValue="consent" />
....

And my MSAL sample request:

const azureAdLoginRequest = {
  scopes: ['offline_access', 'some_scopes'],
  domainHint: 'google-oauth.com',
  loginHint: 'sample@email',
  prompt: 'none',
  // sent to B2C as extra query parameters on the authorize request
  extraQueryParameters: {
    custom_prompt: 'none',
  },
};
...
MsalInstance
  .ssoSilent({ ...azureAdLoginRequest })
  .then((response) => {
    // handle callback silently login
  })
  .catch((error) => {
    // silent auth failed: fall back to an interactive redirect
    MsalInstance.loginRedirect({ ...azureAdLoginRequest }).then(function (value) {
      // handle callback redirect
    });
  });

I tried to copy the URL on the landing page where you select the Google account, and it always shows "prompt=consent". What I want is to pass the prompt value as "none" when doing silent login in app-2, so we don't need to reselect the account to re-authenticate. I still need the "consent" prompt for the initial login in app-1, so I can't set this value as the default in the custom policy. Any idea how to update it to a dynamic value? Or is my approach wrong?


Solution

  • After several experiments and referring to this: How to direct B2C Federated user to Microsoft common login endpoint

    I can resolve it by updating the prompt input claim like this.

    <InputClaim ClaimTypeReferenceId="custom_prompt" PartnerClaimType="prompt" DefaultValue="{OIDC:Prompt}" />

    The request from MSAL stays the same.
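The following is an added example, not code from the question or the answer: a simplified model of how an `InputClaim` `DefaultValue` that uses a claim resolver such as `{OIDC:Prompt}` or `{OIDC:LoginHint}` is filled from the authorization request MSAL sent to B2C. It shows why the question's configuration (a literal `DefaultValue="consent"`, with `custom_prompt` only arriving as an extra query parameter that nothing in the policy binds) always sends `prompt=consent` to Google, and why the answer's `DefaultValue="{OIDC:Prompt}"` lets the silent request's `prompt=none` pass through while the initial login keeps `consent`. The resolver table, the `AlwaysUseDefaultValue` handling and the claim-bag lookup are assumptions of this model, not B2C's actual engine.

```javascript
// Added example: simplified model of B2C InputClaim resolution. Not B2C's real
// implementation; the resolver semantics below are assumptions for illustration.

// Claim resolvers modelled here: {OIDC:<name>} reads the named OpenID Connect
// parameter from the authorization request that B2C itself received.
const OIDC_RESOLVERS = {
  'OIDC:Prompt': 'prompt',
  'OIDC:LoginHint': 'login_hint',
  'OIDC:DomainHint': 'domain_hint',
};

// Resolve one DefaultValue. A literal ("consent") is returned unchanged; a
// "{OIDC:...}" placeholder is looked up in the incoming query and yields null
// when that parameter is absent, so the claim is simply not sent onward.
function resolveDefaultValue(defaultValue, incomingQuery) {
  const m = /^\{([^}]+)\}$/.exec(defaultValue);
  if (!m) return defaultValue;
  const param = OIDC_RESOLVERS[m[1]];
  if (!param) throw new Error(`unsupported claim resolver: ${m[1]}`);
  return incomingQuery[param] ?? null;
}

// Build the query parameters the Google technical profile would send.
// claimBag holds claims already collected in the journey: a claim-bag value
// is used unless AlwaysUseDefaultValue="true" forces the default, and the
// default is used whenever the claim is not in the bag at all.
function buildOutgoingQuery(inputClaims, incomingQuery, claimBag = {}) {
  const outgoing = {};
  for (const claim of inputClaims) {
    let value = claimBag[claim.claimTypeReferenceId];
    if (claim.alwaysUseDefaultValue || value === undefined) {
      value = resolveDefaultValue(claim.defaultValue, incomingQuery);
    }
    if (value !== null && value !== undefined) {
      outgoing[claim.partnerClaimType] = value;
    }
  }
  return outgoing;
}

// The InputClaims from the question: the prompt default is the literal "consent".
const originalInputClaims = [
  { claimTypeReferenceId: 'loginHint', partnerClaimType: 'login_hint', defaultValue: '{OIDC:LoginHint}' },
  { claimTypeReferenceId: 'access_type', partnerClaimType: 'access_type', defaultValue: 'offline', alwaysUseDefaultValue: true },
  { claimTypeReferenceId: 'custom_prompt', partnerClaimType: 'prompt', defaultValue: 'consent' },
];

// The InputClaims after the answer's fix: prompt follows the incoming request.
const fixedInputClaims = originalInputClaims.map((claim) =>
  claim.partnerClaimType === 'prompt' ? { ...claim, defaultValue: '{OIDC:Prompt}' } : claim
);

// Constructed incoming requests (values taken from the question's MSAL request).
const silentRequest = {
  prompt: 'none',
  login_hint: 'sample@email',
  domain_hint: 'google-oauth.com',
  custom_prompt: 'none', // extraQueryParameters: nothing in the policy binds it
};
const initialRequest = { prompt: 'consent', domain_hint: 'google-oauth.com' };

// Run the scenarios discussed in the thread and return what each would send
// to Google. Expected: originalSilent.prompt === 'consent',
// fixedSilent.prompt === 'none', fixedInitial.prompt === 'consent'.
function compareScenarios() {
  return {
    originalSilent: buildOutgoingQuery(originalInputClaims, silentRequest),
    fixedSilent: buildOutgoingQuery(fixedInputClaims, silentRequest),
    fixedInitial: buildOutgoingQuery(fixedInputClaims, initialRequest),
  };
}

console.log(compareScenarios());
```

Running it shows the silent path only reaching Google with `prompt=none` (and the `login_hint` that selects the right one of several signed-in accounts) once the default is the `{OIDC:Prompt}` resolver; with the literal default, the value MSAL sends is never consulted.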