This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 44%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVR%3C/text%3E%3C/svg%3E)
Hi, For Azure AD B2C connecting to an external identity provider using OpenIDConnect, is any special configuration required to enable CSRF protection?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
I have reached out to the product team to get more information for you about CSRF attack protection in this scenario. Based on my understanding from the documentation, however, when requesting authentication from the OpenID Connect provider, you should include the otherwise optional state parameter. In OpenID/OAuth2, the state parameter is a validation against CSRF attacks and is generated (and saved in local storage) on the Client. If it is included in the request, it needs to be returned in the response and from the Authorization application in the callback after successful login and compared with the state value saved previously on local storage. So your application should verify that the state values in the request and response are identical to protect against CSRF during the authentication / authorization step. https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
That said, you do not need to include anything new to get the protection that is added from by the synchronizer token in B2C. The synchronizer token is generated by Azure AD B2C itself, and it is added in two places: in a cookie labeled x-ms-cpim-csrf, and a query string parameter named csrf_token in the URL of the page sent to the Azure AD B2C. The guide says:
As Azure AD B2C service processes the incoming requests from the browser, it confirms that both the query string and cookie versions of the token exist, and that they exactly match. Also it verifies the elements of the contents of the token to confirm against expected values for the in-progress authentication.
Using the synchronizer token, in order to do anything malicious, users would need the information which only the B2C server knows to map to a valid session, and the browser session cookie which is restricted to our domain.
I've also reached out to the product team though to get more clarity about your exact scenario, and will let you know what they say.
For more information, see:
Cross-Site Request Forgery Prevention
Does OpenID Connect provide CSRF and XSS protection?
-
If the information helped you, please Accept the answer. This will help us as well as others in the community who might be researching similar information.
Thanks so much, that explains why the state is already included in the request. During the OpenIDConnect flow, there is no method to manually insert a header so I was confused. Thanks for digging this up.
Thanks for following up!
I reached out to a colleague about this too and based on his lab, by default Azure AD B2C includes the state parameter when federating with external providers using OIDC even if it's not specified in the Technical Profile Metadata. The state parameter also encodes information about the user's state in the app before the authentication request occurred. For example, the page the user was on, or the user flow that was being executed. CSRF cookie and header is enabled by default and added to the Azure AD B2C request as an extra layer of protection.
Additional comments from the developer:
The dev said that we include the state parameter in requests sent to the IDP which will have info about our userjourney state. There should be no special state parameter needed from customers for talking to external IDPs.
If you send the state parameter in an authorize request to B2C's OAuth endpoint then that is not sent to the IDP. We echo it back when we reply back with the token.
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more