Azure B2C Group-based access control does not show userMessage


I've been working on implementing group-based access control for a B2C tenant. I've set up an API hook (POST) which accepts the user's ObjectId, validates if the user is in the permitted groups through Graph API and returns:

  • 200 OK when successful
  • 409 Conflict when not successful

Below is the object returned with a 409:

{
    "version": "1.0.0",
    "status": 409,
    "userMessage": "User is not authorized for this application"
}

For some reason, this message is not shown to the user, but rather a redirect occurs to {{B2cUrl}}/#error=server_error&error_description=AADB2C%3a+User+is+not+authorized+for+this+application%0d%0aCorrelation+ID%3a+...8%0d%0aTimestamp%3a+...%3a03%3a39Z%0d%0a&state=...

In my user journey, I have included the following orchestration step:

<OrchestrationStep Order="3" Type="ClaimsExchange">
   <ClaimsExchanges>
      <ClaimsExchange Id="RESTValidateProfile" TechnicalProfileReferenceId="REST-ValidateProfile" />
   </ClaimsExchanges>
</OrchestrationStep>

How can I get the user error message shown in the login page for the user?

Best answer

You need to call your REST API technical profile from a validation technical profile. The validation technical profile should be configured against the self-asserted technical profile (login page) such that it can then return an error to it.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-validation#validate-the-user-input

In its current form, the REST API is called after the page is submitted and a redirect starts. Therefore any error is just sent back to the app, as there is no page rendered at that time.
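As an added example (not from the question, the answer or Microsoft's starter pack verbatim), the two policy fragments that implement this: the sign-in self-asserted technical profile gains REST-ValidateProfile as a validation technical profile, and the REST technical profile itself is shown with the metadata a 409/userMessage response needs. The self-asserted profile Id (SelfAsserted-LocalAccountSignin-Email), the ServiceUrl and the Basic-auth key names are assumptions; adjust them to your policy.

```xml
<!-- 1. Login page technical profile (Id assumed from the local-accounts starter pack).
     Validation technical profiles run when the page is submitted, before any
     redirect, so a 409 from the REST call is rendered on the page itself. -->
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <!-- existing DisplayName, Protocol, Metadata, InputClaims, OutputClaims stay unchanged -->
  <ValidationTechnicalProfiles>
    <!-- Order matters: login-NonInteractive authenticates the user and emits objectId,
         which the group check below consumes. -->
    <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
    <ValidationTechnicalProfile ReferenceId="REST-ValidateProfile" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

<!-- 2. REST technical profile. Once it runs as a validation profile, the separate
     ClaimsExchange orchestration step that called it is no longer needed. -->
<ClaimsProvider>
  <DisplayName>REST APIs</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-ValidateProfile">
      <DisplayName>Group membership check</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- Placeholder endpoint: replace with the HTTPS URL of the hook -->
        <Item Key="ServiceUrl">https://api.example.com/validate-groups</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <!-- Authenticate the hook so only B2C can trigger the Graph lookup;
             the key names below are assumed policy-key names. -->
        <Item Key="AuthenticationType">Basic</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_RestApiUsername" />
        <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_RestApiPassword" />
      </CryptographicKeys>
      <InputClaims>
        <!-- Sent as {"objectId": "..."} in the POST body -->
        <InputClaim ClaimTypeReferenceId="objectId" />
      </InputClaims>
      <!-- The hook's 409 body {"version":"1.0.0","status":409,"userMessage":"..."}
           is surfaced as the page error; 200 lets the journey continue. -->
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

Upload the two policy keys (B2C_1A_RestApiUsername, B2C_1A_RestApiPassword) in the tenant's Identity Experience Framework before uploading the policy, or the RestfulProvider will fail to start.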