User enumeration on Client Credentials authentication flow?

ncav 21 Reputation points
2020-03-04T15:24:19.127+00:00

Hi,
I'm currently testing a client application where I receive the following error messages from the OAuth endpoint "login.microsoftonline.com" that allow for user enumeration:

For an incorrect client_id:
"AADSTS700016: Application with identifier 'wrong_client_id' was not found in the directory"

For a valid client_id but incorrect client_secret:
"AADSTS7000215: Invalid client secret is provided"

I realize it's still very difficult to do since the client ids are GUIDs and the secrets long random strings (although that depends on implementation I guess). So my question is, can these error messages be customized to prevent user enumeration? Are the devs in control of this?

Thanks in advance!


Accepted answer
Joonas Westlin 181 Reputation points MVP
2020-03-04T15:34:22.58+00:00

As far as I know, there is no way to customize these messages.

This also does not allow user enumeration, as client ids are for applications.
Guessing a client id and secret correctly would be the same as guessing a user's username and password correctly. More than likely the user's password is weaker than the application client secret.
Azure AD will also most likely block requests from sources with many wrong attempts, such that it becomes effectively impossible.

You can make these risks even smaller by manually specifying longer client secrets or by using client certificates with long keys.
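The answer's reasoning rests on the token endpoint throttling sources that produce many wrong attempts; a defender can also watch for the same pattern in their own token-request logs. The following is an added example, not code from this thread or from Microsoft: it assumes a constructed, simplified log line format with placeholder client IDs (not a real Entra ID sign-in export) and flags sources that repeatedly trigger the two error codes quoted in the question, AADSTS700016 (unknown client_id) and AADSTS7000215 (valid client_id, wrong secret).

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed, simplified format (not a real
# Entra ID sign-in log export): timestamp, source IP, client_id, outcome.
# The client_id values are placeholders, not real application IDs.
SAMPLE_LOG = """\
2020-03-04T15:20:01Z 203.0.113.7 client_id=00000000-0000-0000-0000-000000000001 error=AADSTS7000215
2020-03-04T15:20:02Z 203.0.113.7 client_id=00000000-0000-0000-0000-000000000001 error=AADSTS7000215
2020-03-04T15:20:03Z 203.0.113.7 client_id=00000000-0000-0000-0000-000000000001 error=AADSTS7000215
2020-03-04T15:20:04Z 203.0.113.7 client_id=00000000-0000-0000-0000-000000000001 error=AADSTS7000215
2020-03-04T15:20:05Z 203.0.113.7 client_id=00000000-0000-0000-0000-000000000001 error=AADSTS7000215
2020-03-04T15:20:06Z 203.0.113.7 client_id=00000000-0000-0000-0000-000000000001 error=AADSTS7000215
2020-03-04T15:21:00Z 198.51.100.9 client_id=11111111-1111-1111-1111-111111111111 error=AADSTS700016
2020-03-04T15:21:30Z 198.51.100.9 client_id=22222222-2222-2222-2222-222222222222 error=AADSTS700016
2020-03-04T15:22:00Z 192.0.2.44 client_id=00000000-0000-0000-0000-000000000001 result=success
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<ip>\S+) client_id=(?P<client>\S+) "
    r"(?:error=(?P<code>AADSTS\d+)|result=\S+)"
)

# The two error codes quoted in the question: a client_id that does not
# exist in the directory, and a valid client_id with a wrong client_secret.
UNKNOWN_CLIENT = "AADSTS700016"
BAD_SECRET = "AADSTS7000215"


def parse_events(log_text):
    """Yield (ip, client_id, error_code) per line; error_code is None on success."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("client"), m.group("code")


def failures_by_source(log_text):
    """Count token-endpoint failures per source IP, keyed by AADSTS code."""
    counts = defaultdict(Counter)
    for ip, _client, code in parse_events(log_text):
        if code in (UNKNOWN_CLIENT, BAD_SECRET):
            counts[ip][code] += 1
    return counts


def flag_sources(log_text, threshold=5):
    """Return sorted (ip, code, count) for sources at or above the threshold."""
    flagged = []
    for ip, codes in failures_by_source(log_text).items():
        for code, n in codes.items():
            if n >= threshold:
                flagged.append((ip, code, n))
    return sorted(flagged)
```

Repeated AADSTS7000215 from one source against a single client_id points at secret guessing on a known app, while repeated AADSTS700016 across different client_id values points at client_id guessing; both are worth alerting on and rate-limiting upstream.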

