From 62e3fd6e924387c0017dd3d735111d81a7193212 Mon Sep 17 00:00:00 2001
From: Ray Luo
Date: Tue, 8 Oct 2019 13:18:09 -0700
Subject: [PATCH 1/9] Existing features just work in B2C. We added profile page only.
---
 app.py | 12 ++++++++++--
 templates/index.html | 4 ++++
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/app.py b/app.py
index 8bd44e8..c4f2299 100644
--- a/app.py
+++ b/app.py
@@ -49,6 +49,14 @@ def logout():
 app_config.AUTHORITY + "/oauth2/v2.0/logout" +
 "?post_logout_redirect_uri=" + url_for("index", _external=True))
+# This page is only used in B2C scenario
+@app.route("/profile")
+def profile():
+ app = _build_msal_app(authority=app_config.B2C_PROFILE_AUTHORITY)
+ return redirect(app.get_authorization_request_url([],
+ state=str(uuid.uuid4()),
+ redirect_uri=url_for("authorized", _external=True)))
+
 @app.route("/graphcall")
 def graphcall():
 token = _get_token_from_cache(app_config.SCOPE)
@@ -71,9 +79,9 @@ def _save_cache(cache):
 if cache.has_state_changed:
 session["token_cache"] = cache.serialize()
-def _build_msal_app(cache=None):
+def _build_msal_app(cache=None, authority=None):
 return msal.ConfidentialClientApplication(
- app_config.CLIENT_ID, authority=app_config.AUTHORITY,
+ app_config.CLIENT_ID, authority=authority or app_config.AUTHORITY,
 client_credential=app_config.CLIENT_SECRET, token_cache=cache)
 def _get_token_from_cache(scope=None):
diff --git a/templates/index.html b/templates/index.html
index 287b93b..2cc7754 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -11,6 +11,10 @@
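Review bot: The new `profile()` route sends a freshly generated `state` to the authorization endpoint but never stores it in the session, so the value cannot be checked when B2C redirects back to `authorized`. If `authorized()` compares the returned state against `session["state"]` (as the sign-in route presumably does), the edit-profile callback will be rejected; if it does not, the parameter provides no CSRF protection for this flow. Mirror the sign-in route: `session["state"] = str(uuid.uuid4())` before building the URL and `state=session["state"]` in the call. Also, the local `app = _build_msal_app(...)` shadows the module-level Flask `app` that the decorator on the line above uses; a name such as `msal_app` would read better. The same code is renamed in PATCH 5/9 and removed again in PATCH 9/9 of this series, so the fix may only matter for the intermediate commits.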

Welcome {{ user.get("name") }}!

  • Call Microsoft Graph API
  • {% endif %} + {% if config.get("B2C_PROFILE_AUTHORITY") %} +
  • Edit Profile
  • + {% endif %} +
  • Logout

  • From 3c8b15e5a06ae24a762611fd22c0cd4669f76c3d Mon Sep 17 00:00:00 2001 From: Ray Luo Date: Thu, 31 Oct 2019 14:09:02 -0700 Subject: [PATCH 2/9] Adding a new README_B2C.md for B2C scenario --- README_B2C.md | 167 ++++++++++++++++++++++++++++++++++++++++++++++ app_config_b2c.py | 33 +++++++++ 2 files changed, 200 insertions(+) create mode 100644 README_B2C.md create mode 100644 app_config_b2c.py diff --git a/README_B2C.md b/README_B2C.md new file mode 100644 index 0000000..3fc61ce --- /dev/null +++ b/README_B2C.md 
@@ -0,0 +1,167 @@ +--- +page_type: sample +languages: +- python +- html +products: +- azure-active-directory +description: "This sample demonstrates a Python web application calling a Microsoft Graph that is secured using Azure Active Directory." +urlFragment: ms-identity-python-webapp +--- +# Integrating B2C feature of Microsoft Identity Platform with a Python web application + +## About this sample + +> This sample was initially developed as a web app to demonstrate how to +> [Integrate Microsoft Identity Platform with a Python web application](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/master/README.md). +> The same code base can also be used to demonstrate how to +> Integrate B2C feature of Microsoft Identity Platform with a Python web application. +> All you need is some different steps to register your app in your own B2C tenant, +> and then feed those different settings into the configuration file of this sample. + +This sample covers the following: + +* Update the application in Azure AD B2C +* Configure the sample to use the application +* Enable authentication in a web application using Azure Active Directory B2C +* Access a web API using Azure Active Directory B2C + + +### Overview + +This sample demonstrates a Python web application that signs-in users with the Microsoft identity platform and calls the Microsoft Graph. + +1. The python web application uses the Microsoft Authentication Library (MSAL) to obtain an access token from the Microsoft identity platform (formerly Azure AD v2.0): +2. The access token is used as a bearer token to authenticate the user when calling the Microsoft Graph. + +![Overview](./ReadmeFiles/topology.png) + + +## Prerequisite + +1. [Create an Azure Active Directory B2C tenant](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant) +1. 
[Register an application in Azure Active Directory B2C](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications). +1. [Create user flows in Azure Active Directory B2C](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows) +1. Have [Python 2.7+ or Python 3+](https://www.python.org/downloads/) installed + + +## Update the application + +In the tutorial that you completed as part of the prerequisites, you added a web application in Azure AD B2C. +To enable communication with the sample in this tutorial, you need to add a redirect URI to the application in Azure AD B2C. + +1. Sign in to the [Azure portal](https://portal.azure.com/). +1. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the **Directory + subscription** filter in the top menu and choosing the directory that contains your tenant. +1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**. +1. Select **Applications**, and then select the *webapp1* application. +1. Under **Reply URL**, add something like `http://localhost:5000/getAToken`. + + > Just remember, when setting up **Reply URL**, also give it a path, + > so that it would look something like `https//your_domain.com:5000/getAToken`. + > You could use any port or any path. + > Later we will set this sample to match what you register here. + +1. Select **Save**. +1. On the properties page, record the application ID that you'll use when you configure the web application. +1. Select **Keys**, select **Generate key**, and select **Save**. Record the key that you'll use when you configure the web application. + + +## Configure the sample + +### Step 1: Clone or download this repository + +From your shell or command line: + +```Shell +git clone https://github.com/Azure-Samples/ms-identity-python-webapp.git +``` + +or download and extract the repository .zip file. 
+ +> Given that the name of the sample is quite long, you might want to clone it in a folder close to the root of your hard drive, to avoid file name length limitations when running on Windows. + + +### Step 2: Install sample dependency + +You will need to install dependencies using pip as follows: + +```Shell +$ pip install -r requirements.txt +``` + +### Step 3: Configure the sample to use your Azure AD tenant + +In the steps below, "ClientID" is the same as "Application ID" or "AppId". + +#### Configure the pythonwebapp project + +> Note: if you used the setup scripts, the changes below may have been applied for you + +1. Use the `app_config_b2c.py` template to replace `app_config.py`. +1. Open the (now replaced) `app_config.py` file + + * Update the value of `b2c_tenant` with the name of the Azure AD B2C tenant that you created. + For example, replace `fabrikamb2c` with `contoso`. + * Replace the value of `CLIENT_ID` with the application ID that you recorded. + * Replace the value of `CLIENT_SECRET` with the key that you recorded. + * Replace the value of `signupsignin_user_flow` with `b2c_1_signupsignin1`. + * Replace the value of `editprofile_user_flow` with `b2c_1_profileediting1`. + * Replace the value of `REDIRECT_PATH` with the path part you set up in **Reply URL**. + For example, `/getAToken`. It will be used by this sample app to form + an absolute URL which matches your full **Reply URL**. + * You do not have to configure the `ENDPOINT` and `SCOPE` right now + + +## Enable authentication + +Run app.py from shell or command line. Note that the port needs to match what you've set up in your redirect_uri: +```Shell +$ flask run --port 5000 +``` + +Now you would be able to visit `http://localhost:5000` and use the sign-in feature. +This is how you enable authentication in a web application using Azure Active Directory B2C. + + +## Access a web API + +This sample itself does not act as a web API. 
+Here we assume you already have your web API up and running elsewhere in your B2C tenant, +with a specific endpoint, protected by a specific scope, +and your sample app is already granted permission to access that web API. + +Now you can configure this sample to access that web API. + +1. Open the (now replaced) `app_config.py` file + * Replace the value of `ENDPOINT` with the actual endpoint of your web API. + * Replace the value of `SCOPE` with a list of the actual scopes of your web API. + For example, write them as `["demo.read", "demo.write"]`. + +Now, re-run your web app sample, and you will find a new link showed up, +and you can access the web API using Azure Active Directory B2C. + + +## Community Help and Support + +Use [Stack Overflow](http://stackoverflow.com/questions/tagged/msal) to get support from the community. +Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. +Make sure that your questions or comments are tagged with [`azure-active-directory` `adal` `msal` `python`]. + +If you find a bug in the sample, please raise the issue on [GitHub Issues](../../issues). + +To provide a recommendation, visit the following [User Voice page](https://feedback.azure.com/forums/169401-azure-active-directory). + +## Contributing + +If you'd like to contribute to this sample, see [CONTRIBUTING.MD](/CONTRIBUTING.md). + +This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. 
+ +## More information + +For more information, see MSAL.Python's [conceptual documentation]("https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki"): + + +For more information about web apps scenarios on the Microsoft identity platform see [Scenario: Web app that calls web APIs](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-overview) + +For more information about how OAuth 2.0 protocols work in this scenario and other scenarios, see [Authentication Scenarios for Azure AD](http://go.microsoft.com/fwlink/?LinkId=394414). diff --git a/app_config_b2c.py b/app_config_b2c.py new file mode 100644 index 0000000..f9438bc --- /dev/null +++ b/app_config_b2c.py 
@@ -0,0 +1,33 @@
+import os
+
+b2c_tenant = "fabrikamb2c"
+signupsignin_user_flow = "b2c_1_signupsignin1"
+editprofile_user_flow = "b2c_1_profileediting1"
+authority_template = "https://{tenant}.b2clogin.com/{tenant}.onmicrosoftonline.com/{user_flow}"
+
+CLIENT_SECRET = "Enter_the_Client_Secret_Here" # Our Quickstart uses this placeholder
+# In your production app, we recommend you to use other ways to store your secret,
+# such as KeyVault, or environment variable as described in Flask's documentation here
+# https://flask.palletsprojects.com/en/1.1.x/config/#configuring-from-environment-variables
+# CLIENT_SECRET = os.getenv("CLIENT_SECRET")
+# if not CLIENT_SECRET:
+# raise ValueError("Need to define CLIENT_SECRET environment variable")
+
+AUTHORITY = authority_template.format(
+ tenant=b2c_tenant, user_flow=signupsignin_user_flow)
+PROFILE_AUTHORITY = authority_template.format(
+ tenant=b2c_tenant, user_flow=editprofile_user_flow)
+
+CLIENT_ID = "Enter_the_Application_Id_here"
+
+REDIRECT_PATH = "/getAToken" # It will be used to form an absolute URL
+ # And that absolute URL must match your app's redirect_uri set in AAD
+
+# This is the resource that you are going to access in your B2C tenant
+ENDPOINT = ''
+
+# These are the scopes that you defined for the web API
+SCOPE = ["demo.read", "demo.write"]
+
+SESSION_TYPE = "filesystem" # So token cache will be stored in server-side session
+
From baf2655e6d354381ab5b412f18c66fb8f03d57b9 Mon Sep 17 00:00:00 2001
From: Ray Luo
Date: Fri, 1 Nov 2019 11:19:54 -0700
Subject: [PATCH 3/9] Fix wrong setting in configuration template
---
 app_config_b2c.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app_config_b2c.py b/app_config_b2c.py
index f9438bc..1b99fda 100644
--- a/app_config_b2c.py
+++ b/app_config_b2c.py 
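Review bot: `CLIENT_SECRET` is a hard-coded literal in the new template while the environment-variable alternative exists only as commented-out code, which also leaves `import os` unused. Reading the variable with the placeholder as fallback keeps the quickstart behaviour and lets a deployment keep the secret out of the checked-in file: `CLIENT_SECRET = os.getenv("CLIENT_SECRET", "Enter_the_Client_Secret_Here")`. The comment on `REDIRECT_PATH` still says the absolute URL must match the redirect_uri "set in AAD"; in this B2C template it should refer to the B2C application's registration, e.g. `# And that absolute URL must match the Reply URL registered on your B2C application`.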
@@ -3,7 +3,7 @@ b2c_tenant = "fabrikamb2c"
 signupsignin_user_flow = "b2c_1_signupsignin1"
 editprofile_user_flow = "b2c_1_profileediting1"
-authority_template = "https://{tenant}.b2clogin.com/{tenant}.onmicrosoftonline.com/{user_flow}"
+authority_template = "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}"
 CLIENT_SECRET = "Enter_the_Client_Secret_Here" # Our Quickstart uses this placeholder
 # In your production app, we recommend you to use other ways to store your secret,
From 85016826605b92e39b94dfe95b915b5d22a52ff5 Mon Sep 17 00:00:00 2001
From: Ray Luo
Date: Fri, 1 Nov 2019 11:20:55 -0700
Subject: [PATCH 4/9] Change "Microsoft Graph" to "web api"
---
 README_B2C.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README_B2C.md b/README_B2C.md
index 3fc61ce..5837c48 100644
--- a/README_B2C.md
+++ b/README_B2C.md 
@@ -5,17 +5,17 @@ languages: - html products: - azure-active-directory -description: "This sample demonstrates a Python web application calling a Microsoft Graph that is secured using Azure Active Directory." +description: "This sample demonstrates a Python web application calling a web api that is secured using Azure Active Directory." urlFragment: ms-identity-python-webapp --- -# Integrating B2C feature of Microsoft Identity Platform with a Python web application +# Integrating B2C feature of Microsoft identity platform with a Python web application ## About this sample > This sample was initially developed as a web app to demonstrate how to > [Integrate Microsoft Identity Platform with a Python web application](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/master/README.md). > The same code base can also be used to demonstrate how to -> Integrate B2C feature of Microsoft Identity Platform with a Python web application. +> Integrate B2C of Microsoft identity platform with a Python web application. > All you need is some different steps to register your app in your own B2C tenant, > and then feed those different settings into the configuration file of this sample. @@ -29,10 +29,10 @@ This sample covers the following: ### Overview -This sample demonstrates a Python web application that signs-in users with the Microsoft identity platform and calls the Microsoft Graph. +This sample demonstrates a Python web application that signs-in users with the Microsoft identity platform and calls another web api. 1. The python web application uses the Microsoft Authentication Library (MSAL) to obtain an access token from the Microsoft identity platform (formerly Azure AD v2.0): -2. The access token is used as a bearer token to authenticate the user when calling the Microsoft Graph. +2. The access token is used as a bearer token to authenticate the user when calling the web api. ![Overview](./ReadmeFiles/topology.png) 
From e662db4ec691d71e957c43ac5c5c4324d40ccf16 Mon Sep 17 00:00:00 2001
From: Ray Luo
Date: Fri, 1 Nov 2019 11:25:05 -0700
Subject: [PATCH 5/9] fixup! Existing features just work in B2C. We added profile page only.
---
 app.py | 4 ++--
 templates/index.html | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/app.py b/app.py
index c4f2299..d33f022 100644
--- a/app.py
+++ b/app.py
@@ -50,8 +50,8 @@ def logout():
 "?post_logout_redirect_uri=" + url_for("index", _external=True))
 # This page is only used in B2C scenario
-@app.route("/profile")
-def profile():
+@app.route("/edit_profile")
+def edit_profile():
 app = _build_msal_app(authority=app_config.B2C_PROFILE_AUTHORITY)
 return redirect(app.get_authorization_request_url([],
 state=str(uuid.uuid4()),
diff --git a/templates/index.html b/templates/index.html
index 2cc7754..ff28ad5 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -12,7 +12,7 @@

    Welcome {{ user.get("name") }}!

    {% endif %} {% if config.get("B2C_PROFILE_AUTHORITY") %} -
  • Edit Profile
  • +
  • Edit Profile
  • {% endif %}
  • Logout
  • From 16d1a2f22a8fb238a36bfe13c25609c9a02e8957 Mon Sep 17 00:00:00 2001
From: Ray Luo
Date: Fri, 1 Nov 2019 12:54:05 -0700
Subject: [PATCH 6/9] fixup! Existing features just work in B2C. We added profile page only.
---
 app_config_b2c.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app_config_b2c.py b/app_config_b2c.py
index 1b99fda..386cd1f 100644
--- a/app_config_b2c.py
+++ b/app_config_b2c.py
@@ -15,7 +15,7 @@ AUTHORITY = authority_template.format(
 tenant=b2c_tenant, user_flow=signupsignin_user_flow)
-PROFILE_AUTHORITY = authority_template.format(
+B2C_PROFILE_AUTHORITY = authority_template.format(
 tenant=b2c_tenant, user_flow=editprofile_user_flow)
 CLIENT_ID = "Enter_the_Application_Id_here"
From fd208774c4b4d84133f89d6c661e549325e7d584 Mon Sep 17 00:00:00 2001
From: Ray Luo
Date: Fri, 1 Nov 2019 13:56:11 -0700
Subject: [PATCH 7/9] Address PR comment https://github.com/Azure-Samples/ms-identity-python-webapp/pull/4/files#r341675904
---
 README_B2C.md | 24 +++++++-----------------
 1 file changed, 7 insertions(+), 17 deletions(-)
diff --git a/README_B2C.md b/README_B2C.md
index 5837c48..574122d 100644
--- a/README_B2C.md
+++ b/README_B2C.md 
@@ -47,23 +47,13 @@ This sample demonstrates a Python web application that signs-in users with the M ## Update the application -In the tutorial that you completed as part of the prerequisites, you added a web application in Azure AD B2C. -To enable communication with the sample in this tutorial, you need to add a redirect URI to the application in Azure AD B2C. +In the tutorial that you completed as part of [the prerequisites, you added a web application in Azure AD B2C](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications). +To enable communication with the sample in this tutorial, you need to add a redirect URI to that application in Azure AD B2C. -1. Sign in to the [Azure portal](https://portal.azure.com/). -1. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the **Directory + subscription** filter in the top menu and choosing the directory that contains your tenant. -1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**. -1. Select **Applications**, and then select the *webapp1* application. -1. Under **Reply URL**, add something like `http://localhost:5000/getAToken`. - - > Just remember, when setting up **Reply URL**, also give it a path, - > so that it would look something like `https//your_domain.com:5000/getAToken`. - > You could use any port or any path. - > Later we will set this sample to match what you register here. - -1. Select **Save**. -1. On the properties page, record the application ID that you'll use when you configure the web application. -1. Select **Keys**, select **Generate key**, and select **Save**. Record the key that you'll use when you configure the web application. +* Modify the **Reply URL**, add something like `http://localhost:5000/getAToken` or `https//your_domain.com:5000/getAToken`. + You could use any port or any path. Later we will set this sample to match what you register here. 
+* On the properties page, record the application ID that you'll use when you configure the web application. +* Also generate a key for your web application. Record the key that you'll use when you configure this sample. ## Configure the sample @@ -114,7 +104,7 @@ In the steps below, "ClientID" is the same as "Application ID" or "AppId". ## Enable authentication -Run app.py from shell or command line. Note that the port needs to match what you've set up in your redirect_uri: +Run app.py from shell or command line. Note that the port needs to match what you've set up in your **Reply URL**: ```Shell $ flask run --port 5000 ``` From 3315a62600644b74af5175d94ccd29b1740d14bf Mon Sep 17 00:00:00 2001 From: Ray Luo Date: Fri, 1 Nov 2019 15:17:15 -0700 Subject: [PATCH 8/9] Apply suggestions from Marsh's code review Co-Authored-By: Marsh Macy --- README_B2C.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README_B2C.md b/README_B2C.md index 574122d..ee386e1 100644 --- a/README_B2C.md +++ b/README_B2C.md @@ -37,7 +37,7 @@ This sample demonstrates a Python web application that signs-in users with the M ![Overview](./ReadmeFiles/topology.png) -## Prerequisite +## Prerequisites 1. [Create an Azure Active Directory B2C tenant](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant) 1. [Register an application in Azure Active Directory B2C](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications). 
@@ -47,13 +47,13 @@ This sample demonstrates a Python web application that signs-in users with the M ## Update the application -In the tutorial that you completed as part of [the prerequisites, you added a web application in Azure AD B2C](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications). +In the tutorial that you completed as part of the prerequisites, you [added a web application in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-register-applications). To enable communication with the sample in this tutorial, you need to add a redirect URI to that application in Azure AD B2C. -* Modify the **Reply URL**, add something like `http://localhost:5000/getAToken` or `https//your_domain.com:5000/getAToken`. +* Modify an existing or add a new **Reply URL**, for example `http://localhost:5000/getAToken` or `https://your_domain.com:5000/getAToken`. You could use any port or any path. Later we will set this sample to match what you register here. * On the properties page, record the application ID that you'll use when you configure the web application. -* Also generate a key for your web application. Record the key that you'll use when you configure this sample. +* Also generate a key (client secret) for your web application. Record the key that you'll use when you configure this sample. ## Configure the sample @@ -73,7 +73,7 @@ or download and extract the repository .zip file. ### Step 2: Install sample dependency -You will need to install dependencies using pip as follows: +Install the dependencies using pip: ```Shell $ pip install -r requirements.txt 
@@ -109,7 +109,7 @@ Run app.py from shell or command line. Note that the port needs to match what yo $ flask run --port 5000 ``` -Now you would be able to visit `http://localhost:5000` and use the sign-in feature. +You should now be able to visit `http://localhost:5000` and use the sign-in feature. This is how you enable authentication in a web application using Azure Active Directory B2C. From 1ef77e284f65e8ba8476156f530d1784d2851b3b Mon Sep 17 00:00:00 2001 From: Ray Luo Date: Wed, 6 Nov 2019 11:26:50 -0800 Subject: [PATCH 9/9] Add ResetPassword behavior, and refactor based on latest master --- README_B2C.md | 1 + app.py | 8 -------- app_config_b2c.py | 3 +++ templates/auth_error.html | 5 +++++ templates/index.html | 2 +- templates/login.html | 4 ++++ 6 files changed, 14 insertions(+), 9 deletions(-) diff --git a/README_B2C.md b/README_B2C.md index ee386e1..8a18121 100644 --- a/README_B2C.md +++ b/README_B2C.md @@ -96,6 +96,7 @@ In the steps below, "ClientID" is the same as "Application ID" or "AppId". * Replace the value of `CLIENT_SECRET` with the key that you recorded. * Replace the value of `signupsignin_user_flow` with `b2c_1_signupsignin1`. * Replace the value of `editprofile_user_flow` with `b2c_1_profileediting1`. + * Replace the value of `resetpassword_user_flow` with `b2c_1_passwordreset1`. * Replace the value of `REDIRECT_PATH` with the path part you set up in **Reply URL**. For example, `/getAToken`. It will be used by this sample app to form an absolute URL which matches your full **Reply URL**. diff --git a/app.py b/app.py index 62feab3..06ee84d 100644 --- a/app.py +++ b/app.py 
@@ -50,14 +50,6 @@ def logout():
 app_config.AUTHORITY + "/oauth2/v2.0/logout" +
 "?post_logout_redirect_uri=" + url_for("index", _external=True))
-# This page is only used in B2C scenario
-@app.route("/edit_profile")
-def edit_profile():
- app = _build_msal_app(authority=app_config.B2C_PROFILE_AUTHORITY)
- return redirect(app.get_authorization_request_url([],
- state=str(uuid.uuid4()),
- redirect_uri=url_for("authorized", _external=True)))
-
 @app.route("/graphcall")
 def graphcall():
 token = _get_token_from_cache(app_config.SCOPE)
diff --git a/app_config_b2c.py b/app_config_b2c.py
index 386cd1f..01e1dbc 100644
--- a/app_config_b2c.py
+++ b/app_config_b2c.py
@@ -3,6 +3,7 @@ b2c_tenant = "fabrikamb2c"
 signupsignin_user_flow = "b2c_1_signupsignin1"
 editprofile_user_flow = "b2c_1_profileediting1"
+resetpassword_user_flow = "b2c_1_passwordreset1"
 authority_template = "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}"
 CLIENT_SECRET = "Enter_the_Client_Secret_Here" # Our Quickstart uses this placeholder
@@ -17,6 +18,8 @@ tenant=b2c_tenant, user_flow=signupsignin_user_flow)
 B2C_PROFILE_AUTHORITY = authority_template.format(
 tenant=b2c_tenant, user_flow=editprofile_user_flow)
+B2C_RESET_PASSWORD_AUTHORITY = authority_template.format(
+ tenant=b2c_tenant, user_flow=resetpassword_user_flow)
 CLIENT_ID = "Enter_the_Application_Id_here"
diff --git a/templates/auth_error.html b/templates/auth_error.html
index aab8ec7..2207965 100644
--- a/templates/auth_error.html
+++ b/templates/auth_error.html
@@ -2,6 +2,11 @@ + + {% if config.get("B2C_RESET_PASSWORD_AUTHORITY") and "AADB2C90118" in result.get("error_description") %} + + + {% endif %}

    Login Failure

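Review bot: `"AADB2C90118" in result.get("error_description")` raises a `TypeError` when the error response carries no `error_description`, because `result.get(...)` then yields `None`, so the error page itself fails to render in exactly the situation it is meant to explain. Give the lookup a string default, `{% if config.get("B2C_RESET_PASSWORD_AUTHORITY") and "AADB2C90118" in result.get("error_description", "") %}`, so the password-reset link is simply omitted in that case. The markup around the condition is not legible in this rendering of the hunk, so the rest of the template change was not reviewed.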
    diff --git a/templates/index.html b/templates/index.html index ff28ad5..1211594 100644 --- a/templates/index.html +++ b/templates/index.html @@ -12,7 +12,7 @@

    Welcome {{ user.get("name") }}!

    {% endif %} {% if config.get("B2C_PROFILE_AUTHORITY") %} -
  • Edit Profile
  • +
  • Edit Profile
  • {% endif %}
  • Logout
  • diff --git a/templates/login.html b/templates/login.html index 135d1b9..b3647a7 100644 --- a/templates/login.html +++ b/templates/login.html @@ -8,6 +8,10 @@

    Microsoft Identity Python Web App

  • Sign In
  • + {% if config.get("B2C_RESET_PASSWORD_AUTHORITY") %} +
  • Reset Password
  • + {% endif %} +