Entra External ID custom extension not working as expected

Question

I am evaluating Entra External ID. I am at a point where I hook into the auth-flow with custom extensions. For now, I am looking at the AttributeCollectionSubmit event. I want to do this, because attribute collection happens once in the account lifecycle, so for me this is the new user event.

As a starter, I have deployed an Azure Function with the sample code. It always returns the continuation response (i.e. continueWithDefaultBehavior). So I expect that the flow is the same as without the extension. I have set up the auth as per the docs, however, to keep things simple, for now, I have disabled EasyAuth, so anonymous access is possible. When hitting next in the UI of the attribute collection page, I am getting an error:

Something went wrong. Contact your IT department if the problem persists.

In the Edge network tools, there the POST call to https://MYTENANT.ciamlogin.com/common/validateuserattributes returns 200, with the response payload of

{
    "error": {
        "code": 6000,
        "correlationId": "6afc125b-9fb4-46b4-99f4-92c34aaa0a3c",
        "timestamp": "2024-02-18 17:49:51Z",
        "isFatal": true,
        "message": "AADSTS1100001"
    }
}

Googling for that error code AADSTS1100001 does not return any results, some questions, but no official doc.

Here's the function code in NET:

[Function(nameof(HttpFunc))]
public async Task<IActionResult> Run([HttpTrigger(AuthorizationLevel.Anonymous, "post")] HttpRequest req)
{
    string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
    log.LogInformation("C# HTTP trigger function processed a request. Body= {b}", requestBody);
    dynamic request = JsonConvert.DeserializeObject(requestBody);

    var actions = new List<ContinueWithDefaultBehavior>{
        new ContinueWithDefaultBehavior { type = "microsoft.graph.attributeCollectionSubmit.continueWithDefaultBehavior"}
    };

    var dataObject = new ContinueData
    {
        type = "microsoft.graph.onAttributeCollectionSubmitResponseData",
        actions = actions
    };

    dynamic response = new ContinueResponseObject
    {
        data = dataObject
    };
    return response;
}

I can try this out in the portal if the response is static

What am I missing here? I thought I had problems with auth, but it does not work even without it?! Any thoughts or input is appreciated!

Answer 1

Ok, working now. Apparently, the type key had to be @odata.type instead of just type. Granted this is also visible in the sample response payload in the docs. However, since I also copied the the code snippets from there, I didn't put too much thought into it, assuming it would just work.

Here's the code for the response classes before and after. I needed to swap out Newtonsoft.Json for System.Text.Json.

Before, from docs, not working

public class ContinueResponseObject
{
    public ContinueData data { get; set; }
}

[JsonObject] // <--- Newtonsoft
public class ContinueData {
    [JsonProperty("@odata.type")] // <--- Newtonsoft
    public string type { get; set; }
    
    public List<ContinueWithDefaultBehavior> actions { get; set; }
}

[JsonObject] // <--- Newtonsoft
public class ContinueWithDefaultBehavior {
    [JsonProperty("@odata.type")]
    public string type { get; set; }
}

Now working

public class ContinueResponseObject
{
    public ContinueData data { get; set; }
}

// [JsonObject] <-- removed
public class ContinueData {
    [JsonPropertyName("@odata.type")] // <-- !!
    public string type { get; set; }
    
    public List<ContinueWithDefaultBehavior> actions { get; set; }
}

// [JsonObject] <-- removed
public class ContinueWithDefaultBehavior {
    [JsonPropertyName("@odata.type")] // <-- !!
    public string type { get; set; }
}