Azure B2C should not leak account existence on signin

Question

Azure B2C should not leak account existence on signin

Frederic 35

I have a custom sign-in policy for Azure B2C and localized the error message to always show a generic error like "user name or password wrong" but when I call the endpoint with Postman I get detailed error codes AADB2C90053 (user not found) AADB2C90054 (invalid password) that would allow a malicious actor to harvest a list of existing user accounts. How can I prevent it? I always want to return the same error code and message in either case.

1 answer

Your answer

Answer 1

James Hamil 27,221 Microsoft Employee Moderator

Hi @Frederic , to prevent detailed error codes from being returned and always show a generic error message, you can create an OAuth2 custom error technical profile in your custom policy. This technical profile allows you to define custom error codes and messages that will be returned to your application.

Here's a high-level overview of the steps you need to follow:

Define an OAuth2 error technical profile.
Set the error code and error message claims.
Call the OAuth2 error technical profile from your user journey.

Hopefully this helps! Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James

Frederic 35

Thanks for the idea but I tried to call a OAuth2 technical profile from my UserJourney and it seems that my first step always returns before I could even call it. I have those first steps:

<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.custom-signin">
  <ClaimsProviderSelections>
    <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
    <ClaimsProviderSelection TargetClaimsExchangeId="ForgotPasswordExchange" />
  </ClaimsProviderSelections>
  <ClaimsExchanges>
    <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-AccountSignin-Email" />
  </ClaimsExchanges>
</OrchestrationStep>

<OrchestrationStep Order="2" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="ForgotPasswordExchange" TechnicalProfileReferenceId="ForgotPassword" />
  </ClaimsExchanges>
</OrchestrationStep>

<OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="ReturnOAuth2Error"> 
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
</OrchestrationStep>

There is a similar post (https://learn.microsoft.com/en-us/answers/questions/1146877/how-to-hide-errorcode-in-b2c-selfasserted-response) and the answer is that the code can't be changed

Mate, Zoltan 5 Reputation points

2024-01-22T15:58:10.8+00:00

Hi Frederic, Did you find a solution for the problem? Regards, Zoltan

Share via

Azure B2C should not leak account existence on signin

1 answer

Your answer