Azure-Samples / active-directory-b2c-xamarin-native

This is a simple Xamarin Forms app showcasing how to use MSAL to authenticate users via Azure Active Directory B2C, and access a Web API with the resulting tokens.
http://aka.ms/aadb2c
MIT License

Sign in with an account and reset the password of another account #89

Open Dali2579 opened 5 years ago

Dali2579 commented 5 years ago

I don't know if this is a valid scenario. I used this sample, active-directory-b2c-xamarin-native. I created my tenant in Azure B2C. I already have two user accounts on it, account1 and account2. I signed in to the application with account1. The application displayed account1's name correctly. I clicked on reset password. I entered account2's email. I got the verification code and I updated account2's password. When I came back to the home screen, I got account2's name. What happened to account1's session? Is it logged out? I'm not sure if this is the correct behavior.

jennyf19 commented 5 years ago

@Dali2579 What idp are you using? B2C local accounts, FB, Twitter, etc..? are the users connected at all? Example, is it the same user w/two accounts?

Are you using the sample as-is? If so, I will try out what you explained above. Thanks.

Dali2579 commented 5 years ago

I'm using IDP local and using the example as it is.

jennyf19 commented 5 years ago

@Dali2579 thanks...i'll take a look

jennyf19 commented 5 years ago

@Dali2579 Which IdP are you using?

Dali2579 commented 5 years ago

@jennyf19 I'm only using B2C local account.

TiagoBrenck commented 5 years ago

@Dali2579 @jennyf19 I believe this is not an issue. The reset password flow is: type an email, then access that email (it proves that you have control of that email), then we will reset the PW for you. If you type my email, you won't be able to reset my PW, because you don't have control over my email. This reset password flow is actually found in many places and apps out there, and if you type someone else's email, they will indeed get an email with a link or code, but since they didn't ask for a PW reset, they would probably ignore it.

IMHO, I don't think this is an issue. For reference: https://auth0.com/learn/password-reset/

Dali2579 commented 5 years ago

@TiagoBrenck Yes, I agree with your analysis. My question was not about the reset password workflow. My question was about the case of connecting as account1 and, from this session, resetting the password of account2: after the end of the password reset we need to stay connected as account1. Below are the steps, with screenshots:

1. I signed in to the application with account1. (screenshot)
2. The application displayed account1's name correctly. (screenshot)
3. I clicked on reset password. I entered account2's email. (screenshot)
4. I got the verification code and I updated account2's password. (screenshot)
5. Update account2's password. (screenshot)
6. When I came back to the home screen, I got account2's name. (screenshot)

As you can see, account2's name is displayed. What happened to account1's session? Is it logged out?

Thanks, Dali
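The behavior reported above is consistent with how a B2C password-reset user flow ends: it issues tokens for whichever account completed the reset, and an app that simply adopts the latest AuthenticationResult as "the signed-in user" will switch sessions. The following C# is an added example, not code from this sample or from the thread participants, showing a guard an app can apply after running the reset policy: record the object id (oid claim) of the account that signed in, run the reset policy, and refuse to adopt the result if it belongs to a different user. It uses only public MSAL.NET APIs (PublicClientApplicationBuilder, AcquireTokenInteractive, WithB2CAuthority, RemoveAsync, AuthenticationResult.ClaimsPrincipal); the tenant, client id, redirect URI, policy names and scopes are placeholder assumptions. It compares the oid claim rather than IAccount.HomeAccountId because MSAL's B2C home account identifier can embed the policy name, which makes identifiers from two different policies differ even for the same user.

```csharp
// Added example (not part of the active-directory-b2c-xamarin-native sample).
// Guards against a password reset of a *different* account replacing the
// currently signed-in session. All tenant/client/policy values are assumptions.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class B2CSessionGuard
{
    // Assumed configuration values; replace with your tenant's real ones.
    const string Tenant        = "contoso.onmicrosoft.com";
    const string ClientId      = "00000000-0000-0000-0000-000000000000";
    const string AuthorityBase = "https://contoso.b2clogin.com/tfp/" + Tenant + "/";
    const string PolicySignIn  = "B2C_1_susi";   // assumed sign-up/sign-in policy name
    const string PolicyReset   = "B2C_1_reset";  // assumed password-reset policy name
    static readonly string[] Scopes = { "openid", "offline_access" };

    public static IPublicClientApplication BuildClient() =>
        PublicClientApplicationBuilder.Create(ClientId)
            .WithB2CAuthority(AuthorityBase + PolicySignIn)
            .WithRedirectUri($"msal{ClientId}://auth")
            .Build();

    // The user's directory object id from the ID token claims. Falls back to
    // "sub" for flows where "oid" is not emitted. Null if no claims are present.
    public static string ObjectIdOf(AuthenticationResult result)
    {
        ClaimsPrincipal p = result?.ClaimsPrincipal;
        return p?.FindFirst("oid")?.Value ?? p?.FindFirst("sub")?.Value;
    }

    // True only when the reset result was issued to the same user that
    // originally signed in. Display names are user-editable, so they are
    // deliberately not used for this comparison.
    public static bool IsSameUser(string signedInObjectId, AuthenticationResult resetResult)
    {
        string resetObjectId = ObjectIdOf(resetResult);
        return !string.IsNullOrEmpty(signedInObjectId)
            && !string.IsNullOrEmpty(resetObjectId)
            && string.Equals(signedInObjectId, resetObjectId, StringComparison.Ordinal);
    }

    // Runs the password-reset policy and returns its result only if it belongs
    // to the already signed-in user. Otherwise the tokens MSAL cached for the
    // other account are removed and null is returned, so the caller keeps the
    // original session (or explicitly forces a fresh sign-in) instead of
    // silently switching to the account whose password was just reset.
    public static async Task<AuthenticationResult> ResetPasswordAsync(
        IPublicClientApplication pca, string signedInObjectId)
    {
        AuthenticationResult result = await pca
            .AcquireTokenInteractive(Scopes)
            .WithB2CAuthority(AuthorityBase + PolicyReset)
            .ExecuteAsync();

        if (!IsSameUser(signedInObjectId, result))
        {
            if (result?.Account != null)
                await pca.RemoveAsync(result.Account);
            return null;
        }
        return result;
    }

    // Typical call sequence from a sign-in page, sketched for reference.
    public static async Task ExampleFlowAsync()
    {
        IPublicClientApplication pca = BuildClient();
        AuthenticationResult signIn = await pca.AcquireTokenInteractive(Scopes).ExecuteAsync();
        string signedInOid = ObjectIdOf(signIn);

        AuthenticationResult afterReset = await ResetPasswordAsync(pca, signedInOid);
        if (afterReset == null)
        {
            // Reset completed for someone else; keep showing the account1 session
            // (signIn) rather than the account returned by the reset policy.
        }
    }
}
```

Whether the app should keep the original session or sign the user out after a cross-account reset is a product decision; what it should not do is display claims from a token it did not verify belongs to the signed-in user.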

TiagoBrenck commented 5 years ago

Oh, now I see what you mean, and that is indeed odd behavior that needs to be investigated. Sorry about the misunderstanding.

jennyf19 commented 4 years ago

@TiagoBrenck did you investigate this?