Hi everyone,
I’m working on an authentication flow using Azure AD B2C and could use some help with the implementation details. The scenario is as follows:
Scenario:
User clicks login in my mobile app (built with React Native).
The user is redirected to a third-party identity provider (e.g., Norwegian Bank ID) for authentication.
After successful authentication with the third-party provider, Azure AD B2C should check if the user already exists in the B2C directory:
- If the user exists: B2C should simply return a token with the necessary claims.
- If the user does not exist: I want the policy to initiate an OTP verification process where:
  - The user is prompted to enter their email address.
  - An OTP is sent to the email address provided.
  - The user enters the OTP to verify their email.
  - After successful OTP verification, a new user is created in the B2C directory, and the email address is included in the token.
What I’ve Done So Far:
- I’ve configured the third-party identity provider in Azure AD B2C.
- I’ve experimented with custom policies in Azure AD B2C, but I’m struggling with orchestrating the flow correctly.
Challenges:
Custom Policy Configuration: I’m finding it challenging to define a user journey that seamlessly integrates the third-party identity provider, checks for user existence, and then either logs in the user or triggers the OTP flow.
OTP Verification Integration: How do I properly integrate the OTP verification into the B2C user journey without exposing sensitive logic or making the flow too complex?
What I Need Help With:
Sample Custom Policy XML: If anyone has implemented a similar flow, I would greatly appreciate a sample or a breakdown of the custom policy XML that handles these steps.
Best Practices: Recommendations on best practices for securely integrating OTP verification and handling user creation after third-party authentication.
General Advice: Any tips or advice on potential pitfalls when implementing such a flow would be very helpful.
Thanks in advance for your help!
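One way to orchestrate the journey described in the post, written here as an added example (it is not code from the post, nor from any answer to it). It assumes the Microsoft SocialAndLocalAccounts custom-policy starter pack is in place, so that `AAD-UserReadUsingAlternativeSecurityId-NoError`, `AAD-UserWriteUsingAlternativeSecurityId`, `AadSspr-SendCode`, `AadSspr-VerifyCode`, `SM-AAD`, `JwtIssuer`, `DefaultWeb` and the `api.selfasserted` content definition exist in TrustFrameworkBase.xml. The IdP technical profile `BankID-OpenIdConnect` and the exchange id `BankIDExchange` are hypothetical names for the already-configured provider; the example assumes that profile follows the starter pack's social-provider pattern and emits `alternativeSecurityId` (via `CreateAlternativeSecurityId`) and `userPrincipalName`, because the read and write profiles key on those claims, not on the email. `emailOtpControl` and `SelfAsserted-EmailVerification` are names chosen for this example. The three fragments go into TrustFrameworkExtensions.xml under `BuildingBlocks/DisplayControls`, a `ClaimsProvider/TechnicalProfiles` element, and `UserJourneys` respectively.

```xml
<!-- Added example, not from the post. Names marked "starter pack" are assumed to exist in
     TrustFrameworkBase.xml (SocialAndLocalAccounts); BankID-* names are hypothetical. -->

<!-- 1. Email OTP UI. The email claim leaves this control only after VerifyCode succeeds,
        so whatever is written to the directory and issued in the token is a verified address. -->
<DisplayControl Id="emailOtpControl" UserInterfaceControlType="VerificationControl">
  <DisplayClaims>
    <DisplayClaim ClaimTypeReferenceId="email" Required="true" />
    <DisplayClaim ClaimTypeReferenceId="verificationCode" ControlClaimType="VerificationCode" Required="true" />
  </DisplayClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" />
  </OutputClaims>
  <Actions>
    <Action Id="SendCode">
      <ValidationClaimsExchange>
        <!-- starter pack: B2C's built-in email OTP sender -->
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AadSspr-SendCode" />
      </ValidationClaimsExchange>
    </Action>
    <Action Id="VerifyCode">
      <ValidationClaimsExchange>
        <!-- starter pack: checks the code against the one sent for this email -->
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AadSspr-VerifyCode" />
      </ValidationClaimsExchange>
    </Action>
  </Actions>
</DisplayControl>

<!-- 2. Self-asserted page hosting the control. Only new users ever reach it (see step 4). -->
<TechnicalProfile Id="SelfAsserted-EmailVerification">
  <DisplayName>Verify your email</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
  </Metadata>
  <DisplayClaims>
    <DisplayClaim DisplayControlReferenceId="emailOtpControl" />
  </DisplayClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

<!-- 3. The journey: IdP -> directory lookup -> (new users only) OTP + create -> token. -->
<UserJourney Id="SignUpOrSignInBankID">
  <OrchestrationSteps>
    <!-- A single selection entry: no picker is shown, the user goes straight to the IdP. -->
    <OrchestrationStep Order="1" Type="ClaimsProviderSelection">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="BankIDExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <!-- hypothetical: the configured BankID profile; must output alternativeSecurityId -->
        <ClaimsExchange Id="BankIDExchange" TechnicalProfileReferenceId="BankID-OpenIdConnect" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Lookup by the IdP subject (alternativeSecurityId). Sets objectId only if the user exists;
         the -NoError variant does not fail the journey when nothing is found. -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserRead" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Steps 4 and 5 are skipped when objectId exists, i.e. for returning users. -->
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="EmailOtp" TechnicalProfileReferenceId="SelfAsserted-EmailVerification" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="5" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <!-- starter pack: creates the account keyed on alternativeSecurityId, persists otherMails from email -->
        <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
```

Two checks worth making before relying on this. First, the existence test keys on `objectId` produced by the read profile, which in turn keys on the IdP's stable subject; it never keys on an email the user typed, so a second account cannot be attached to someone else's BankID by entering their address. Second, for returning users the OTP step is skipped, so the `email` claim in the token has to come from the directory: confirm that the read profile's `OutputClaims` actually map the stored address (the starter pack persists it as `otherMails`) back into `email` before adding `email` to the relying-party output claims, otherwise the token will carry it for new users only.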