How to return from B2C custom policy to SPA application with custom error?

I have a custom user attribute that defines if a user is fully registered. Based on this I would like to continue workflow in the policy so a user may be fully registered (obvious path) or redirect user to sign-in journey (problematic path - how to achieve it in my case?).

I have the following workflow:

1. Our service creates a B2C user by Graph API and sends an invitation email to the user. An email has the invitation link to our SPA application with the token in query param (based on this sample). The token contains specific user data like email address and objectId.

2. A user opens the link, the application starts sign-up flow (I have separate sign-in and sign-up).

3. The sign-up flow does steps:

   • Gets user data from the token

     <OrchestrationStep Order="1" Type="GetClaims" CpimIssuerTechnicalProfileReferenceId="IdTokenHint_ExtractClaims" />
     

   • Reads user data from directory

     <OrchestrationStep Order="2" Type="ClaimsExchange">
         <ClaimsExchanges>
             <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
         </ClaimsExchanges>
     </OrchestrationStep>
     

   • Now, I have a claim which says that a user is fully registered or not.

Goal:

If a user is fully registered (clicked the invitation link a second time) I would like to return to the application with information that a sign-in flow should be started. Then, a user would have all options of sign-in (as local user, as AD user, may use forgot password).

What I tried and it doesn't work for me:

I don't want to use SendClaims step, as I don't want to return ID token of that user.

I know that when custom policy fails unexpectedly, it returns one of error codes in location header of authorize response. Then, the application may read this error code and react appropriately. However, I think I cannot use this on my purpose.

Another option which I cannot use is to start sign-in sub yourney directly from sign-up journey. This is because after initial steps of sign-up I got the objectId claim in a bag which I cannot remove. Such objectId causes that even when another user writes his credentials, the inital objectId is taken.

As a workaround, I tried to start dedicated sign-in journey directly from sign-up which would display just the password field (with optional readonly email field). In such way, only a user with known objectId would be authenticated. But I see that the SelfAsserted-LocalAccountSignin-Email which might handle this requires input claim <InputClaim ClaimTypeReferenceId="signInName" DefaultValue="{OIDC:LoginHint}" AlwaysUseDefaultValue="true" />. Going this way I would maybe inject email which would be readonly (I'm not sure about this readonly), but I don't have login_hint parameter set (based on docs) which would fill {OIDC:LoginHint}.

Is there any other option of how to achieve my goal?

If you want to return an OAuth2 error back to the client then you can use the OAuth2 custom error technical profile.

Alternatively, you can stop the user in B2C by displaying a Self Asserted page with no "Continue" or "Cancel" button. To do this set the metadata items setting.showCancelButton and setting.showContinueButton to false.