This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 51%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOO%3C/text%3E%3C/svg%3E)
Does Azure B2C support custom policy metadata endpoint security using either basic authorization or certificate? The below does not appear to work as no certificate was sent to the API. I could not locate any documentation indicating that securing for metadata is supported however, I was able to locate documentation indication that RESTAPI security is supported.
@Osibote, Olamipo Why do you want to secure Metadata endpoint in first place? I have never seen any metadata endpoints being secured by basic authentication or certificates regardless of whether it is Azure AD, Azure AD B2C or ADFS.
The endpoint is part of a larger REST API. We have a requirement to secure all endpoints on the API and I do not want this single metatdata endpoint to be an exception. Are you of the opinion that there is little risk in keeping this API open? If so, how about a DOS attack.
Thank you.
@Osibote, Olamipo I checked on this but there is no way to secure metadata endpoints by using basic or certificate based authentication. You may consider storing the metadata to a different location like Azure Storage blob and provide private access for example.
-----------------------------------------------------------------------------------------------------------
Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.
Thanks for the response. I decided not to secure the metadata endpoint after speaking with you and a few others. Thanks for the input.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 36%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAH%3C/text%3E%3C/svg%3E)
Depending on your scenario you can skip exposing metadata endpoints if it is to be consumed by B2C. For instance Apple doesn't provide an openid-configuration endpoint so one can hardcode it instead in the custom policy:
https://appleid.apple.com/auth/authorize
https://appleid.apple.com/auth/token
https://appleid.apple.com/auth/keys
https://appleid.apple.com
For the metadata endpoints exposed by B2C it's different - those you cannot lock down. It is however not considered a threat to have it exposed. (If so MSFT wouldn't expose the AAD Common metadata endpoint.) One would also assume MSFT has anti-DDOS mechanisms in place for core Azure services.
Thanks for the response. I decided not to secure the metadata endpoint after speaking with you and a few others. Thanks for the input.