Azure B2C should not leak account existence on signin

Frederic 35 Reputation points
2023-09-18T09:28:53.7733333+00:00

I have a custom sign-in policy for Azure B2C and localized the error message to always show a generic error like "user name or password wrong", but when I call the endpoint with Postman I get the detailed error codes AADB2C90053 (user not found) and AADB2C90054 (invalid password), which would allow a malicious actor to harvest a list of existing user accounts. How can I prevent it? I always want to return the same error code and message in either case.

Microsoft Entra ID

1 answer

  1. James Hamil 26,981 Reputation points Microsoft Employee
    2023-09-18T18:47:00.4133333+00:00

    Hi @Frederic, to prevent detailed error codes from being returned and always show a generic error message, you can create an OAuth2 custom error technical profile in your custom policy. This technical profile allows you to define custom error codes and messages that will be returned to your application.

    Here's a high-level overview of the steps you need to follow:

    1. Define an OAuth2 error technical profile.
    2. Set the error code and error message claims.
    3. Call the OAuth2 error technical profile from your user journey.

    Hopefully this helps! Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
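The three steps in the answer above, written out as an added example; this is not code from the answer or from Microsoft's starter-pack policies. It is a fragment for a B2C custom policy (the element names follow the Identity Experience Framework schema: `Protocol Name="OAuth2"`, `OutputTokenFormat`, the `issuer_secret` key, `ValidationTechnicalProfile ContinueOnError`, and the starter-pack `login-NonInteractive` profile and `B2C_1A_TokenSigningKeyContainer` key container). The Ids `ReturnGenericSignInError`, `CheckCredentials`, `SignInGenericError`, the two claim names, the step numbers, the `DefaultValue` strings and the use of `ContinueOnError` to let the journey reach the error step after a failed credential check are assumptions to be checked against your own policy.

```xml
<!-- Added example, not from the answer above. Ids, claim names, step numbers and
     default values are assumptions; adjust them to your own policy. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- Claims that carry the single, generic error back to the application -->
    <ClaimType Id="errorCode">
      <DisplayName>Error code</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
    <ClaimType Id="errorMessage">
      <DisplayName>Error message</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Generic sign-in error</DisplayName>
    <TechnicalProfiles>
      <!-- Step 1: OAuth2 error technical profile. Whichever check failed upstream
           (unknown user or wrong password), the client gets the same code and
           message, so the response no longer distinguishes the two cases. -->
      <TechnicalProfile Id="ReturnGenericSignInError">
        <DisplayName>Return generic sign-in error</DisplayName>
        <Protocol Name="OAuth2" />
        <OutputTokenFormat>JWT</OutputTokenFormat>
        <CryptographicKeys>
          <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        </CryptographicKeys>
        <!-- Step 2: fixed claim values, identical for every failure -->
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="errorCode"
                      DefaultValue="invalid_grant" AlwaysUseDefaultValue="true" />
          <InputClaim ClaimTypeReferenceId="errorMessage"
                      DefaultValue="The user name or password is incorrect." AlwaysUseDefaultValue="true" />
        </InputClaims>
      </TechnicalProfile>

      <!-- Assumed wrapper around the starter-pack credential check. ContinueOnError
           keeps the journey running after a failed check instead of surfacing the
           AADB2C9005x code, so the next step can decide what the caller sees. -->
      <TechnicalProfile Id="CheckCredentials">
        <DisplayName>Check local account credentials</DisplayName>
        <Protocol Name="Proprietary"
                  Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="signInName" />
          <InputClaim ClaimTypeReferenceId="password" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" />
        </OutputClaims>
        <ValidationTechnicalProfiles>
          <ValidationTechnicalProfile ReferenceId="login-NonInteractive" ContinueOnError="true" />
        </ValidationTechnicalProfiles>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

<UserJourneys>
  <UserJourney Id="SignInGenericError">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchange Id="CheckCredentialsExchange" TechnicalProfileReferenceId="CheckCredentials" />
      </OrchestrationStep>

      <!-- Step 3: call the error profile only when no account was resolved.
           objectId is set solely on a successful credential check, so a missing
           user and a wrong password take exactly the same path from here. -->
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecutionType="SkipThisOrchestrationStep">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchange Id="ReturnGenericSignInErrorExchange"
                        TechnicalProfileReferenceId="ReturnGenericSignInError" />
      </OrchestrationStep>

      <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
```

After uploading the policy, exercise both cases with Postman (a user name that does not exist, then a real user name with a wrong password) and confirm the two responses are byte-for-byte identical apart from timestamps and correlation ids; if one of them still returns AADB2C90053 or AADB2C90054, the failing check is raising the error before the journey reaches the error step.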

