ROPC with User Migration API issue #21
Comments
Additional info... Here is the Orchestration Step:
And here is the Technical Profile:
As an additional update, I've tried making the first step a non-Azure AD lookup. I've tried one with Protocol="None" that just sets a claim value, and I get an error: An attempt was made to resolve a protocol handler for unsupported protocol "None" in technical profile with id "GenerateUserMigratedClaim" in policy with id "B2C_1A_SignIn_ROPC" for tenant with id "mytenant.onmicrosoft.com".
This has to be a bug with the ROPC flow, but there does appear to be a workaround. Make sure the first orchestration step contains the technical profile for ROPC OAUTH2, then add a pre-condition to ensure the step is always skipped. I checked for an objectId which would never exist when starting the flow. Here is my first step:
Then after that, you can add your other migration steps as documented in #14 as necessary. Hope it helps!
That's odd. We will review. This was a limitation that step 1 had to be the ROPC step. But we did make a change to allow REST API call prior to it. I am not sure if AAD Protocol for R/W was an option to have prior to the ROPC step, something we need to confirm.
Actually, my solution of putting the OAUTH step as #1 and then skipping it with a Pre-Condition doesn't appear to work either. It does the OAUTH in step 1 regardless of the pre-condition. Mine was only succeeding because I accidentally had the password the same in both B2C and the legacy platform.
I created a dummy API and called that with Step 1, then moved into my other steps. This appears to be working now. So it does appear you can lead with a REST API call, but in my case I need to query B2C first, then call the real migration REST API. |
Yes, makes sense to me as per my flow chart; it's preferable to read the directory first, assuming a pre-migration flags the migrated users in the directory using an extension attribute.
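As an added example (not code from this issue or from the sample repository), here is a user journey skeleton in the ordering the comments above discuss: a throwaway REST call first, then the directory read that checks a migration flag, the migration REST call only when the flag is absent, and the ROPC credential check afterwards. The technical profile ids `REST-Dummy`, `AAD-UserReadUsingSignInName`, `REST-MigrateUser` and the extension claim `extension_migrated` are assumed names; `ResourceOwnerPasswordCredentials-OAUTH2` and `JwtIssuer` follow Microsoft's ROPC sample policy.

```xml
<UserJourney Id="ResourceOwnerPasswordCredentials">
  <OrchestrationSteps>
    <!-- Step 1: throwaway REST call (assumed profile REST-Dummy). The thread
         reports the journey fails when a directory read is the first step
         but works when a REST call leads. -->
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="DummyRest" TechnicalProfileReferenceId="REST-Dummy" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!-- Step 2: read the B2C directory by sign-in name (assumed profile).
         Assumed to output objectId and the extension claim extension_migrated
         when the account has already been migrated. -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="DirectoryRead" TechnicalProfileReferenceId="AAD-UserReadUsingSignInName" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!-- Step 3: call the migration REST API (assumed profile) only for users
         not yet flagged; it is the API's job to verify the legacy password
         before the B2C account is created or updated. -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>extension_migrated</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="MigrateUser" TechnicalProfileReferenceId="REST-MigrateUser" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!-- Step 4: the ROPC credential check against the B2C account. -->
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="ResourceOwnerFlow" TechnicalProfileReferenceId="ResourceOwnerPasswordCredentials-OAUTH2" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>
```

Whether a directory read may precede the ROPC step is exactly what the maintainers say they still need to confirm above, so treat the step order as the thing to test first if the journey fails before step 1 executes.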
Related to #14; hoping @JasSuri can help out here...
Are there policy samples available for the ROPC flow with user migration included?
I'm working on one, but when I start my steps with the directory read for the migration status I get a "Method or operation not implemented" exception through App Insights before the first step even executes. When I change the order and do OAUTH first, my lookup succeeds as the second step, but obviously that doesn't work for actually migrating the user.
Here is the exception I get when leading with the directory read:
```json
{
  "Kind": "FatalException",
  "Content": {
    "Time": "3:18 PM",
    "Exception": {
      "Kind": "Handled",
      "HResult": "80004001",
      "Message": "The method or operation is not implemented.",
      "Data": {}
    }
  }
}
```