B2C: Securing internal step of a custom policy

asked 2020-09-23T10:43:52.287+00:00
ZS 21 Reputation points

I'm new to B2C so excuse me if my question is about something obvious. There is a custom policy that is used for set password after registration. The policy is working fine and updates the password. If the same link is used again in the browser the policy correctly shows an error that the activation link has expired. The problem is that if someone captures the HTTP requests and particularly the POST request that changes the password and sends it again in a tool with a new value for the password field it actually updates the password in B2C. Could you please recommend how to secure this POST step?

Azure Active Directory External Identities
No comments
{count} votes

Accepted answer
  1. answered 2020-09-23T13:03:34.837+00:00
    AmanpreetSingh-MSFT 55,161 Reputation points

    Hello @ZS

    All B2C calls are by default over HTTPS, which includes the POST call to set or change the password in the B2C directory as well. To modify the body of the POST call, the call needs to be decrypted first.

    If you are storing the password in an external database or external system via REST API Technical Profile, you need to make sure that the service URL in that Technical Profile is also configured to use HTTPS and not HTTP.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    No comments

0 additional answers

Sort by: Most helpful