Secure REST request on AD B2C Custom policy

Bruno Caruso 41 Reputation points

Hi there,

I have a Custom Policy to handle authentication on my SPA, and in this Custom Policy flow I have an email verification step that calls my REST API to check if the email domain is already registered in my database.

I'm handling authentication with App Service + Allow unauthenticated requests (passing a code to my Azure Function from the Custom Policy), but I think it's a better approach (and more secure) to add an extra authentication to this Azure Function. The problem is that at that moment the user is not authenticated yet because they are trying to register, so how can I handle the authentication in this step? Maybe client certificate auth? Or is it okay with only the code? The code is only in the Custom Policy, so it is handled on Azure AD B2C and I think the end user cannot view the REST request.

Thanks! :)


2 answers

  1. Alfredo Revilla (MSFT) 26,756 Reputation points

    Hello, storing (hard-coding) codes or secrets in your Azure AD B2C custom policies or application source code is not a recommended practice.

    You can secure the communication between your custom policy and API using a client certificate or an OAuth2 bearer token. Secrets involved in any of the aforementioned approaches will be stored as policy keys; access tokens can be retrieved on the fly or stored as a policy key too.

    Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.


  2. Alfredo Revilla (MSFT) 26,756 Reputation points

    Always store secrets such as a code in policy keys. That being said, client credentials will always beat secrets since the former are asymmetric and the latter symmetric. That is, the former does not share its private key/secret while the latter does.

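As an added example (not code from the thread or from the asker's policy), this is what the RESTful technical profile for the email-domain check looks like when secured with a client certificate stored as a policy key, as both answers recommend; the profile Id, ServiceUrl, claim names and the policy-key names (B2C_1A_RestApiClientCertificate, B2C_1A_RestApiBearerToken) are assumed placeholders, and the Bearer variant is shown in a comment as the alternative the first answer mentions.

```xml
<!-- Added example: RESTful technical profile that calls the domain-check function
     with mutual TLS. The private key never leaves the B2C tenant; the function
     only sees the presented certificate (App Service forwards it in X-ARR-ClientCert). -->
<TechnicalProfile Id="REST-CheckEmailDomain">
  <DisplayName>Check whether the email domain is already registered</DisplayName>
  <Protocol Name="Proprietary"
            Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <!-- Assumed endpoint; no function code in the URL or query string. -->
    <Item Key="ServiceUrl">https://contoso-func.azurewebsites.net/api/checkdomain</Item>
    <Item Key="SendClaimsIn">Body</Item>
    <!-- Client certificate auth instead of a shared code. -->
    <Item Key="AuthenticationType">ClientCertificate</Item>
    <!-- Keep this false so a misconfigured profile cannot fall back to an unauthenticated call. -->
    <Item Key="AllowInsecureAuthInProduction">false</Item>
  </Metadata>
  <CryptographicKeys>
    <!-- Policy key holding the PFX; uploaded via Identity Experience Framework > Policy keys. -->
    <Key Id="ClientCertificate" StorageReferenceId="B2C_1A_RestApiClientCertificate" />
    <!-- Bearer-token alternative: set AuthenticationType to Bearer and use this key instead.
    <Key Id="BearerAuthenticationToken" StorageReferenceId="B2C_1A_RestApiBearerToken" /> -->
  </CryptographicKeys>
  <InputClaims>
    <!-- Only the claim the API needs is sent; nothing else from the journey leaks to it. -->
    <InputClaim ClaimTypeReferenceId="email" />
  </InputClaims>
  <OutputClaims>
    <!-- Assumed boolean claim returned by the function body as "domainRegistered". -->
    <OutputClaim ClaimTypeReferenceId="domainRegistered" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
```

On the function side the check should reject any request whose forwarded certificate thumbprint is not the one uploaded as the policy key, so the endpoint stays safe even though App Service allows unauthenticated requests.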