This policy demonstrates how to prevent the user from issuing an access token after resetting the password.
To test the policy, follow these steps:
- If you don't have an account, create a local account with your email address.
- Run the B2C_1A_Demo_PasswordReset_Only policy to reset the password.
- Complete the password reset process.
- After you reset the password Azure AD B2C shows you a message that your password successfully saved and will not allow you to continue to issue an access token.
The policy contains additional orchestration step SelfAssertedPasswordResetUserMessage that calls the SelfAsserted-PasswordResetUserMessage self-asserted technical profile. The self-asserted technical profile uses the metadata to hide the continue and cancel buttons. Also the technical profile renders the userMessage paragraph claim type.
Note: You should add an HTML link to the self-asserted technical profile's content definition. This link redirect the user back to your application. The application should initiate new authorization request, asking the user to sign-in with the new password.
The SelfAsserted-PasswordResetUserMessage must contain at least one output claim. If you remove the output claim, Azure AD B2C will not show the self asserted page.
To merge the policy into your policy, you need:
- Add the userMessage claim type and set the display name.
- Add the SelfAsserted-PasswordResetUserMessage technical profile.
- Add the extra orchestration step SelfAssertedPasswordResetUserMessage before the last orchestration step.
Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [azure-ad-b2c]. If you find a bug in the sample, please raise the issue on GitHub Issues. To provide product feedback, visit the Azure Active Directory B2C Feedback page.