Azure B2C Rest API Error Still Creating Account

Question

I have created a REST API for Azure B2C to return a claim or an error during the account creation flow.

In my Custom Policy I have hooked up the API and it gets called.

However if the API returns either a 400 or 409, the account is still created but the user is presented with the error message on the create page. The user's account is still created despite the error.

The user then fixes the error and clicks create again but can't create the account because it was already created.

I have followed the instructions here:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-validation

My Claims Provider looks like this and claim from the REST API is called VerifiedDateOfBirth :

<ClaimsProvider>
            <DisplayName>REST API</DisplayName>
            <TechnicalProfiles>
                <TechnicalProfile Id="REST-Validation">
                    <DisplayName>Check date of birth</DisplayName>
                    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
                    <Metadata>
                        <!-- Set the ServiceUrl with your own REST API endpoint -->
                        <Item Key="ServiceUrl">{REST URL}}</Item>
                        <Item Key="SendClaimsIn">Body</Item>
                        <!-- Set AuthenticationType to Basic or ClientCertificate in production environments -->
                        <Item Key="AuthenticationType">None</Item>
                        <!-- REMOVE the following line in production environments -->
                        <Item Key="AllowInsecureAuthInProduction">true</Item>
                    </Metadata>
                    <InputClaims>
                        <!-- Claims sent to your REST API -->
                        <InputClaim ClaimTypeReferenceId="dateOfBirth" />
                    </InputClaims>
                    <OutputClaims>
                        <!-- Claims parsed from your REST API -->
                        <OutputClaim ClaimTypeReferenceId="VerifiedDateOfBirth" />                       
                    </OutputClaims>
                    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
                </TechnicalProfile>
            </TechnicalProfiles>
        </ClaimsProvider>

And the technical profile:

    <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
                    <DisplayName>Email signup</DisplayName>
                    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
                    <Metadata>
                        <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
                        <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
                        <Item Key="language.button_continue">Create</Item>
                    </Metadata>
                    <CryptographicKeys>
                        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
                    </CryptographicKeys>
                    <InputClaims>
                        <InputClaim ClaimTypeReferenceId="email" />
                    </InputClaims>
                    <OutputClaims>
                        <OutputClaim ClaimTypeReferenceId="objectId" />
                        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
                        <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
                        <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
                        <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
                        <OutputClaim ClaimTypeReferenceId="authenticationSource" />
                        <OutputClaim ClaimTypeReferenceId="newUser" />
                        <!-- Optional claims, to be collected from the user -->
                        <OutputClaim ClaimTypeReferenceId="displayName" />
                        <OutputClaim ClaimTypeReferenceId="givenName" />
                        <OutputClaim ClaimTypeReferenceId="surName" />
                        <OutputClaim ClaimTypeReferenceId="dateOfBirth" Required="true" />
                        <OutputClaim ClaimTypeReferenceId="VerifiedDateOfBirth" Required="true" />
                    </OutputClaims>
                    <ValidationTechnicalProfiles>
                        <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
                        <ValidationTechnicalProfile ReferenceId="REST-Validation" />
                    </ValidationTechnicalProfiles>
                    <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
                </TechnicalProfile>

When the error occurs I see the following error on the create page:

Do I need to add some additional configuration?

Answer 1

The order of your validation profiles matter in your LocalAccountSignUpWithLogonEmail technical profile. It looks like the first validation that was taking place was the writing of the user account.

Try this instead:

<ValidationTechnicalProfiles>
  <ValidationTechnicalProfile ReferenceId="REST-Validation" />
  <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
</ValidationTechnicalProfiles>