Client Secret Key Generation Can Generate Invalid Keys

Question

Client Secret Key Generation Can Generate Invalid Keys

Zach Gummow 20

I wasn't sure exactly where to bring up this issue since this is more of a bug report and MS wanted our company to pay for technical support to send this report through the Azure portal. I posted some feedback here: https://feedback.azure.com/d365community/idea/0ba2ec94-7498-ee11-a81c-6045bd7fe045

Contents of that post:

When working with Azure AD B2C, my company has discovered a bug with client secret key generation. Reproduction steps:

Navigate to Certificates and Secrets
Add a new client secret
1. Generate keys until a period is present in the key
Copy the key value
Navigate to Policy Keys
Use the generated client secret key that contains a period for a policy
Wait several minutes for the key change to take effect
Attempt to utilize the relevant B2C key
An error occurs

There seems to be some issue with periods, and perhaps other special characters that are present in generated keys. I don't have a full listing of those problem characters, but a period broke it for me when I was attempting to reproduce the error. Perhaps this is a encoding/decoding issue or other related problem.

We can work around this issue as we can just generate keys until we get one that works, but this key bug should be addressed at some point.

Is there anything else I can do to report this issue?

Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-12-12T11:34:34.24+00:00

@Zach Gummow

Thank you for posting your query on Microsoft Q&A. I am reviewing this and will get back to you with further inputs.

Thanks,

Akshay Kaushik
Zach Gummow 20 Reputation points

2023-12-20T20:14:38.91+00:00

Thanks for the reply. Have you had a chance to try reproducing the bug?
Zach Gummow 20 Reputation points

2024-01-03T17:22:49.09+00:00

We do not use the expiry field in Azure AD B2C. We are editing an existing policy key. The error is apparent shortly after an "invalid" client secret is generated and used in our policies. The generated key itself is not treated as valid. We have determined that at least a period is an invalid character when used as a client secret, though there may be more invalid characters.

Accepted answer

0 additional answers

Your answer

Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-12-12T11:34:34.24+00:00

@Zach Gummow

Thank you for posting your query on Microsoft Q&A. I am reviewing this and will get back to you with further inputs.

Thanks,

Akshay Kaushik
Zach Gummow 20 Reputation points

2023-12-20T20:14:38.91+00:00

Thanks for the reply. Have you had a chance to try reproducing the bug?
Zach Gummow 20 Reputation points

2024-01-03T17:22:49.09+00:00

We do not use the expiry field in Azure AD B2C. We are editing an existing policy key. The error is apparent shortly after an "invalid" client secret is generated and used in our policies. The generated key itself is not treated as valid. We have determined that at least a period is an invalid character when used as a client secret, though there may be more invalid characters.

Answer 1

Akshay-MSFT 17,956 Microsoft Employee Moderator

@Zach Gummow

Could you please confirm if :

You are using the secret to create a new policy key with expiry time same, as defined while generating the secret?
You are using the secret to edit an existing policy key with expiry time same, as defined while generating the secret?
You are using the secret to create a new policy key with expiry time different from what was defined while generating the secret?

Update #1

@Zach Gummow

I would recommend to create a new policy and use your newly generated secret.

As per, B2C policy key documentation:

The keys in a keyset are not replaceable or removable. If you need to change an existing key:We recommend adding a new key with the activation date set to the current date and time. Azure AD B2C will activate the new key and stop using the prior active key.

Alternatively, you can create a new keyset with the correct keys. Update your policy to use the new keyset, and then remove the old keyset.

Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.

Thanks, Akshay Kaushik

Zach Gummow 20 Reputation points

2024-01-31T15:16:31.2833333+00:00

Hello, sorry for the slow reply. Answers being below the comment line made me think this was not responded to. Have you had a chance to try reproducing the issue? What you are describing is what I am doing. I am not attempting to replace a keyset, I am creating new keys. The problem is in the generated keys themselves.
Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2024-02-05T11:18:37.99+00:00

@Zach Gummow

Kindly share the screenshot with steps you are following to reproduce the issue. Thanks, Akshay Kaushik
Zach Gummow 20 Reputation points

2024-02-21T19:26:37.04+00:00

Apologies for the delay. I will prepare these screenshots this week. Thank you for your replies.
Zach Gummow 20 Reputation points

2024-02-23T21:41:03.67+00:00

We had trouble reproducing today in a reasonable amount of time, but due to opaque AAD caching behavior it's never been easy to have reliable repros in a reasonable amount of time. That said, our setup is following the documentation here, and our issue is that when AAD / Microsoft Entra generates a secret with certain special characters following the documentation fails. In my previous reproduction, it was a period in the key. It's as if the secret is improperly encoded / decoded.

It is possible this has been fixed since my previous reproduction of the bug. I will make another attempt to reproduce the issue next week in the event that this was an instance of delayed propagation. If I cannot reproduce the issue in my next attempt I think it's safe to say it's been fixed.
Zach Gummow 20 Reputation points

2024-02-23T21:47:12.3766667+00:00

-This was a duplicate message after I failed to see the previous one appear. I removed this duplicate message after I submitted and saw two.
Zach Gummow 20 Reputation points

2024-03-01T19:48:06.8433333+00:00

I was not able to address this issue this week. I will make an attempt to try to reproduce again next week.
Zach Gummow 20 Reputation points

2024-03-07T19:35:33.25+00:00

Hello again. I was unable to reproduce this error with my second attempt. We have previously had successful reproductions of this issue so I'm thinking that this has been fixed by Microsoft. Thank you for your responses, we can close this thread now.

Share via

Client Secret Key Generation Can Generate Invalid Keys

0 additional answers

Your answer