I have reached out to the product team to get more information for you about CSRF attack protection in this scenario. Based on my understanding from the documentation, however, when requesting authentication from the OpenID Connect provider, you should include the otherwise optional state parameter. In OpenID/OAuth2, the state parameter is a validation against CSRF attacks and is generated (and saved in local storage) on the Client. If it is included in the request, it needs to be returned in the response from the Authorization application in the callback after successful login and compared with the state value saved previously in local storage. So your application should verify that the state values in the request and response are identical to protect against CSRF during the authentication / authorization step. https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
That said, you do not need to include anything new to get the protection that is added by the synchronizer token in B2C. The synchronizer token is generated by Azure AD B2C itself, and it is added in two places: in a cookie labeled x-ms-cpim-csrf, and a query string parameter named csrf_token in the URL of the page sent to the Azure AD B2C. The guide says:
As Azure AD B2C service processes the incoming requests from the browser, it confirms that both the query string and cookie versions of the token exist, and that they exactly match. Also it verifies the elements of the contents of the token to confirm against expected values for the in-progress authentication.
Using the synchronizer token, in order to do anything malicious, users would need the information which only the B2C server knows to map to a valid session, and the browser session cookie which is restricted to our domain.
I've also reached out to the product team though to get more clarity about your exact scenario, and will let you know what they say.
For more information, see:
Cross-Site Request Forgery Prevention
Does OpenID Connect provide CSRF and XSS protection?
If the information helped you, please Accept the answer. This will help us as well as others in the community who might be researching similar information.
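The state check described in the answer, as an added example that is not part of the original post or of Azure AD B2C: a minimal relying-party flow that generates an unguessable state, stores it server-side, and validates the value echoed back on the callback (missing, unknown, or mismatched state is rejected, and each state is single-use). The endpoint, client ID and redirect URI are constructed placeholders.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values for this example, not a real tenant.
AUTHORIZE_ENDPOINT = (
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/"
    "B2C_1_signin/oauth2/v2.0/authorize"
)
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example/auth/callback"


def begin_login(session: dict) -> str:
    """Generate a fresh random state, remember it in the user's
    server-side session, and build the authorization request URL."""
    state = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> Optional[str]:
    """Compare the state returned by the provider with the saved one.
    Returns the authorization code on success, or None when the state
    is absent from the session or the callback, or does not match."""
    # Consume the saved state even on failure so it cannot be replayed.
    expected = session.pop("oidc_state", None)
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if expected is None or returned is None or code is None:
        return None
    # Constant-time comparison of the two state values.
    if not hmac.compare_digest(expected, returned):
        return None
    return code
```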