Azure AD B2C external identites - how to implement CSRF?

Venkita Ramanan, Ramu 56 Reputation points

Hi, For Azure AD B2C connecting to an external identity provider using OpenIDConnect, is any special configuration required to enable CSRF protection?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,628 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 33,621 Reputation points Microsoft Employee

    Hi @Venkita Ramanan, Ramu,

    I have reached out to the product team to get more information for you about CSRF attack protection in this scenario. Based on my understanding from the documentation, however, when requesting authentication from the OpenID Connect provider, you should include the otherwise optional state parameter. In OpenID/OAuth2, the state parameter is a validation against CSRF attacks and is generated (and saved in local storage) on the Client. If it is included in the request, it needs to be returned in the response and from the Authorization application in the callback after successful login and compared with the state value saved previously on local storage. So your application should verify that the state values in the request and response are identical to protect against CSRF during the authentication / authorization step.

    User's image

    That said, you do not need to include anything new to get the protection that is added from by the synchronizer token in B2C. The synchronizer token is generated by Azure AD B2C itself, and it is added in two places: in a cookie labeled x-ms-cpim-csrf, and a query string parameter named csrf_token in the URL of the page sent to the Azure AD B2C. The guide says:

    As Azure AD B2C service processes the incoming requests from the browser, it confirms that both the query string and cookie versions of the token exist, and that they exactly match. Also it verifies the elements of the contents of the token to confirm against expected values for the in-progress authentication.

    Using the synchronizer token, in order to do anything malicious, users would need the information which only the B2C server knows to map to a valid session, and the browser session cookie which is restricted to our domain.

    I've also reached out to the product team though to get more clarity about your exact scenario, and will let you know what they say.

    For more information, see:

    Cross-Site Request Forgery Prevention

    Does OpenID Connect provide CSRF and XSS protection?


    If the information helped you, please Accept the answer. This will help us as well as others in the community who might be researching similar information.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more