RonnieKapoor-4055 asked · vipulsparsh-MSFT commented

How to make password encrypted in AD B2C Custom Policy ?

Hi Team,

We are using custom policies for the sign-in and sign-up user flows of Azure AD B2C. The password is shown as plain text in the form data when a user signs in or signs up, which seems to be a security flaw and makes the system vulnerable to attack. How can I encrypt the password being sent?

azure-ad-b2c

@RonnieKapoor-4055 I just wanted to check in and see if you had any other questions or if you were able to resolve this issue? If you have any other questions, please let us know.
Thank you for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


1 Answer

amanpreetsingh-msft answered

Hi @RonnieKapoor-4055, thank you for reaching out.

You may consider using Hash claims transformation for this purpose, as mentioned below:

 <ClaimsTransformation Id="HashPasswordWithEmail" TransformationMethod="Hash">
   <InputClaims>
     <InputClaim ClaimTypeReferenceId="password" TransformationClaimType="plaintext" />
     <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="salt" />
   </InputClaims>
   <InputParameters>
     <InputParameter Id="randomizerSecret" DataType="string" Value="B2C_1A_AccountTransformSecret" />
   </InputParameters>
   <OutputClaims>
     <OutputClaim ClaimTypeReferenceId="hashedPassword" TransformationClaimType="hash" />
   </OutputClaims>
 </ClaimsTransformation>

Read more: https://docs.microsoft.com/en-us/azure/active-directory-b2c/general-transformations#hash

Having said that, the traffic to Azure AD B2C is sent over HTTPS and form data is visible when you have access to the private key to decrypt the SSL traffic. If you are checking it using Fiddler or Browser Tools (F12), you must be seeing the decrypted traffic but if some malicious user captures the traffic over the network, he/she won't be able to inspect the SSL traffic.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
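As an added example (not part of the answer above, and not Microsoft's own sample), this is one way to wire the HashPasswordWithEmail transformation from the answer into a custom policy: declare the output claim, run the transformation from a claims-transformation technical profile, and call that profile from the user journey. The claim type, technical profile id, claims exchange id and step order are assumed for illustration; the element and handler names follow the TrustFrameworkPolicy schema.

```xml
<!-- Added example, not taken from the answer or from Microsoft's docs. Claim type, technical
     profile id, claims exchange id and step order are assumed for illustration. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="hashedPassword">
      <DisplayName>Hashed password</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- B2C_1A_AccountTransformSecret must exist as a policy key before the policy is uploaded -->
    <ClaimsTransformation Id="HashPasswordWithEmail" TransformationMethod="Hash">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="password" TransformationClaimType="plaintext" />
        <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="salt" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="randomizerSecret" DataType="string" Value="B2C_1A_AccountTransformSecret" />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="hashedPassword" TransformationClaimType="hash" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Claims transformation profiles</DisplayName>
    <TechnicalProfiles>
      <!-- Runs inside the policy engine after the form has been posted over HTTPS; it changes nothing about what the browser sends, and hashedPassword exists only server side -->
      <TechnicalProfile Id="CT-HashPassword">
        <DisplayName>Hash the collected password</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="hashedPassword" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="HashPasswordWithEmail" />
        </OutputClaimsTransformations>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
<!-- In the user journey, invoke the profile after the step that collects email and password; keep hashedPassword out of the relying party's OutputClaims so it never reaches the issued token -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="HashPasswordExchange" TechnicalProfileReferenceId="CT-HashPassword" />
  </ClaimsExchanges>
</OrchestrationStep>
```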
