azure-ad-b2c / samples

Azure AD B2C custom policy solutions and samples.
802 stars 593 forks

Conditional Access Policies allow SignUp #604

Open claasd opened 4 months ago

claasd commented 4 months ago

The conditional access flow with blocking allows signing up and even generates a valid token during signUp instead of blocking the user or blocking the whole signUp process.

I ran the sample using the Tor browser, and I was able to sign up; the sign-up process even gave me a valid token after signing up.

When I sign in using the credentials provided during signUp, the sign-in is blocked as expected.

We have the same behavior using our own B2C, but we want to block risky logins already during signUp, not when they sign in a second time, as most fraudulent activity is done directly after sign-up.

claasd commented 4 months ago

More info: the WhatIf policy does not even log the expected fields:

```
{
  "alg": "RS256",
  "kid": "KW8bBJOmaNXvJh2YZGNtFu9QOa5UMeWLgjByHawo4XY",
  "typ": "JWT"
}.{
  "ver": "1.0",
  "iss": "https://b2clivedemo.b2clogin.com/3a29c594-12be-476f-bb6f-0a787b348639/v2.0/",
  "sub": "2534ef73-7e7b-401a-9d1d-787661462d14",
  "aud": "cfaf887b-a9db-4b44-ac47-5efff4e2902c",
  "exp": 1708616547,
  "acr": "b2c_1a_demo_signup_signin_conditionalaccess_whatif",
  "nonce": "defaultNonce",
  "iat": 1708612947,
  "auth_time": 1708612947,
  "email": "<REDACTED>",
  "IP-Address": "<REDACTED>",
  "trustFrameworkPolicy": "B2C_1A_Demo_SignUp_SignIn_ConditionalAccess_WhatIf",
  "tid": "3a29c594-12be-476f-bb6f-0a787b348639",
  "nbf": 1708612947
}
```

JasSuri commented 2 months ago

Conditional access is applied post credential validation; it doesn't get invoked at sign up.

For prevention of sign-up abuse, you'd be looking at fraud detection capabilities, e.g. Dynamics Fraud Protection integration with AAD B2C custom policies.