azure-ad-b2c / samples

Azure AD B2C custom policy solutions and samples.

Auto-account-linking sample doesn't gracefully handle social sign up when email address isn't supplied by IDP #529

Open ajbeaven opened 1 year ago

ajbeaven commented 1 year ago

When registering via Facebook (and probably other social IDPs), the user must approve access for the developer's app to have permissions to read the user's email address. That access can be withheld here:

[screenshot: RequestedAccess]

The auto-account-linking sample fails with the following error if a user attempts to sign up using a social IDP without giving access to their email address:

Message contains error: 'server_error', error_description: 'AADB2C90037: An error occurred while processing the request. Please contact administrator of the site you are trying to access. Correlation ID: d72956b5-f969-4168-8e62-e1c9939ffbc5 Timestamp: 2023-04-03 16:48:06Z ', error_uri: 'error_uri is null'.

This isn't particularly useful, but there are some logs that the Azure support team can pull out that are more descriptive:

Microsoft.Cpim.Common.PolicyException: An error occurred while processing the request. Please contact administrator of the site you are trying to access. ---> Microsoft.Cpim.Data.InvalidReferenceException: A claim could not be found for lookup claim with id "socialEmail" defined in technical profile with id "AAD-FindLocalAccountWithSocialEmail" policy "B2C_1A_SIGNUP_SIGNIN" of tenant "myapp.onmicrosoft.com". ---> System.Collections.Generic.KeyNotFoundException: Claim with id 'socialEmail' was not found in the collection. ---> System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.

I don't think the same error occurs in the base social starter packs as they appear to happily create an AAD user with no email address identity. It's only in this sample, where the email address is used to search for a matching local account, that it will fail.
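One way to make the journey tolerate a missing email claim, as an added example that is not code from the samples repository or from the issue author: guard the orchestration step that runs AAD-FindLocalAccountWithSocialEmail with a ClaimsExist precondition so the lookup is skipped when the social IdP did not return an email. The technical profile and claim names come from the error messages above; the user journey Id, the step Order and the ClaimsExchange Id are placeholders and must be matched to the actual sample policy.

```xml
<!-- Added example, not from the samples repo. Only the guarded step is shown;
     the surrounding steps (sign-in page, social IdP exchange, linking, token
     issuance) are elided and the Order value is a placeholder. -->
<UserJourney Id="SignUpOrSignInWithAutoLinking">
  <OrchestrationSteps>
    <!-- ... earlier steps: combined sign-in page, social IdP claims exchange ... -->

    <!-- Guarded lookup. ClaimsExist tests whether socialEmail is in the claims
         bag; with ExecuteActionsIf="false" the Action runs when the test is
         false, i.e. when the IdP withheld the email. Without this guard the
         lookup profile fails with InvalidReferenceException / AADB2C90037. -->
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
          <Value>socialEmail</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <!-- ClaimsExchange Id is a placeholder; the TechnicalProfileReferenceId
             is the profile named in the logged exception. -->
        <ClaimsExchange Id="FindLocalAccountWithSocialEmailExchange"
                        TechnicalProfileReferenceId="AAD-FindLocalAccountWithSocialEmail" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!-- ... later steps: link to the found local account or create a new
         social user, then SendClaims ... -->
  </OrchestrationSteps>
</UserJourney>
```

When the step is skipped no local account is found, so the journey falls through to whichever branch handles "no matching account", which for a journey built on the social starter pack is the path that creates a new user without an email identity. Any later step whose precondition keys on the lookup's output claims (for example the objectId of the matched local account) will then behave as it does for a genuinely unmatched user, so review those preconditions as well. An alternative that keeps auto-linking working is to collect the email with a self-asserted step before the lookup when socialEmail is absent.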

Eagle3386 commented 4 months ago

@JasSuri Any news on this? Because I'm also trying to integrate the mentioned policy (auto-account-linking), yet it fails, too:

Application Insights log excerpt:

"Exception": {
  "Kind": "Handled",
  "HResult": "80131500",
  "Message": "A claim could not be found for lookup claim with id \"socialEmail\" defined in technical profile with id \"AAD-FindLocalAccountWithSocialEmail\" policy \"B2C_1A_signup_signin\" of tenant \"myTenant.onmicrosoft.com\".",
  "Data": {
    "IsPolicySpecificError": true,
    "TenantId": "hmdportal.onmicrosoft.com",
    "PolicyId": "B2C_1A_signup_signin",
    "technicalProfile.Id": "AAD-FindLocalAccountWithSocialEmail",
    "identifierClaimMapping.PolicyClaimType.Id": "socialEmail"
  },
  "Exception": {
    "Kind": "Handled",
    "HResult": "80131577",
    "Message": "Claim with id 'socialEmail' was not found in the collection. ",
    "Data": {
      "claimTypeId": "socialEmail",
      "description": null,
      "action": null
    },
    "Exception": {
      "Kind": "Handled",
      "HResult": "80131577",
      "Message": "The given key was not present in the dictionary.",
      "Data": {}
    }
  }
}