Azure-docs: Is there a way to protect registration flow, so it only open if the request has bearer token

Created on 1 Oct 2019 · 5 Comments · Source: MicrosoftDocs/azure-docs

The document describes how to call flow as follows:

https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/oauth2/v2.0/authorize?
client_id=2d4d11a2-f814-46a7-890a-274a72a7309e // Your registered Application ID
&redirect_uri=https%3A%2F%2Flocalhost%3A44321%2F // Your registered Reply URL, url encoded
&response_mode=form_post // 'query', 'form_post' or 'fragment'
&response_type=id_token
&scope=openid
&nonce=dummy
&state=12345 // Any value provided by your application
&p=b2c_1_siup // Your sign-up user flow

What if i want to open this page for system admins only, or users with invitations?
Is there a way to protect user sign up flow for such cases?



B2subsvc Pri2 active-directorsvc cxp product-question triaged

All 5 comments

@mustafamg Thanks for your feedback! We will investigate and update as appropriate.

hey @mustafamg this is not currently a fully supported flow. Why do you want only certain users to be able to see the login page? Shouldn't it be fine to only allow users who have the correct login to obtain an access token?

It shouldn't be necessary to block users from accessing a login page correct?

Thanks,

  • Frank Hu

Thanks for the reply @FrankHu-MSFT . I am talking about sign up flow, not sign in. The application should allow certain types of users to register through an invitation. So only the company's employees can register. Same for the company customers.
Any other user should not be able to register.

Hey @mustafamg, there is no b2c setting in the portal that allows for this to happen, however you could utilize JavaScript to check the user's cache.

If they have \

Please see these docs on adding JavaScript to your b2c application : https://docs.microsoft.com/en-us/azure/active-directory-b2c/javascript-samples

Or you could add an azure function in your orchestration step and the azure function could return whether or not the user is sign-upable per some logic you'd create to determine if the user is from your company.

For more information please see :
https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-step-custom
https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-validation-custom

Unfortunately to implement what you're requesting, you'll have to utilize some sort of solution of the above types.

There is definitely room for improvement for AAD B2C
My suggestion would be to file your feedback here : https://feedback.azure.com/forums/169401-azure-active-directory?category_id=160596

And if there's enough community support the product team will look into adding this to the roadmap in the future.

Please let us know if there are any more questions within the scope of this git issue. If not, I will be closing out this git issue by end of day tomorrow. Please file a new git issue with a reference to this one if you have any more concerns. Thanks
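The REST API validation approach suggested above can be shown concretely. The following is an added example written for this page; it is not code from the thread, from the Azure docs, or from Microsoft. It implements the decision logic an Azure Function would run when a B2C custom policy calls it as a validation technical profile during sign-up: B2C posts the configured input claims as JSON, a 200 response lets the orchestration continue, and a 409 Conflict response with a `version`/`status`/`userMessage` body stops the user flow and shows the message to the user. The claim name `email`, the allowed employee domain, the invitee list, and the Node.js Azure Functions entry-point shape are assumptions for the example.

```javascript
// Added example: decision logic for a B2C REST API validation step that
// restricts sign-up to company employees and explicitly invited customers.
// Not from the thread or the Azure docs; claim and list names are assumptions.

// Constructed sample data. In a real deployment these would come from a
// directory lookup or an invitation store, not from constants.
const ALLOWED_EMPLOYEE_DOMAINS = new Set(["contoso.com"]);
const INVITED_CUSTOMERS = new Set(["alice@example.org"]);

// Returns a lower-cased "local@domain" string, or null if the value is not a
// single well-formed address. Normalizing before the lookup prevents case or
// whitespace variants from bypassing the allow list.
function normalizeEmail(value) {
  if (typeof value !== "string") return null;
  const trimmed = value.trim().toLowerCase();
  const parts = trimmed.split("@");
  if (parts.length !== 2 || parts[0].length === 0 || parts[1].length === 0) return null;
  return trimmed;
}

// Employees are admitted by domain; customers only if individually invited.
function isAllowedToSignUp(email) {
  const domain = email.slice(email.lastIndexOf("@") + 1);
  return ALLOWED_EMPLOYEE_DOMAINS.has(domain) || INVITED_CUSTOMERS.has(email);
}

// B2C validation error contract: HTTP 409 with this JSON body aborts the
// user flow and displays userMessage on the sign-up page.
function conflict(userMessage) {
  return { status: 409, body: { version: "1.0.0", status: 409, userMessage } };
}

// Core handler: takes the JSON body B2C posts (its input claims) and returns
// the HTTP status plus body to send back. Kept free of Azure Functions types
// so it can be unit-tested directly.
function evaluateSignUpRequest(body) {
  const email = normalizeEmail(body && body.email);
  if (email === null) return conflict("A valid email address is required.");
  if (!isAllowedToSignUp(email)) return conflict("Sign-up is by invitation only.");
  // On success, any returned properties become output claims for the policy;
  // here the normalized address is handed back.
  return { status: 200, body: { email } };
}

// Azure Functions (Node.js) HTTP trigger entry point, assumed shape. Export this
// as the function's handler; B2C calls it with the claims as the POST body.
async function azureFunctionHandler(context, req) {
  const result = evaluateSignUpRequest(req.body);
  context.res = {
    status: result.status,
    headers: { "Content-Type": "application/json" },
    body: result.body,
  };
}
```

The check only has value if B2C is the sole caller: the policy's technical profile should authenticate to the function (client certificate or basic authentication, both supported by the RestfulProvider) so that the endpoint cannot be probed anonymously, and the same normalization must be applied when the invitation is issued so that the stored and presented addresses compare equal.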

Thanks, @FrankHu-MSFT , I am with custom policies now and it seems to work.
