Azure AD B2C vulnerable to Open Redirect?

I am using OWIN & OpenId to authenticate users for my web application using Azure AD B2C; the Startup.Auth.cs has code like so:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        MetadataAddress = string.Format(AadInstance, Tenant, policy),
        AuthenticationType = policy,
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        RedirectUri = postLogoutRedirectUri,
        Notifications = new OpenIdConnectAuthenticationNotifica....

On signout, it causes a redirect to the postLogoutRedirectUrl like so:

https://login.microsoftonline.com/MY_TENANT/oauth2/logout?p=my_policy&post_logout_redirect_uri=https%3A%2F%2Fgoogle.com%2F

The post logout redirect URI is present in the redirect URIs in the portal.

If I stop the browser and change the post logout URI in the address bar to https%3A%2F%2Fevil.com%2F, the redirect happens properly even though this URL https://evil.com/ is not in the allowed redirect URIs.

Why is AD B2C not stopping the redirect? Is this not open to vulnerability?

Vicky asked Jan 19 '18 12:01



1 Answer

When you sign in using Azure AD B2C, the B2C service sends a token to the "redirect_uri" (the app). Since a token needs to remain secure, the B2C service asks you to whitelist the URLs where it should send the token to.

When you are signing out, nothing secure is being transmitted from the B2C service back to the app. Therefore, even if a user is redirected to a malicious site, nothing secure is lost.

Parakh answered Sep 20 '22 11:09
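The answer explains why the B2C logout endpoint does not enforce the allowlist for post_logout_redirect_uri. The practical consequence for the application is that if it ever lets a caller influence where the user lands after sign-out (for example via a returnUrl parameter), the app itself has to validate that value before handing it to the logout endpoint. The following is an added example, not code from the question or the answer, showing a strict exact-match validator and how it differs from a naive prefix check. The allowlist entries, the `app.example.com` host and the `evil.example` / `attacker.example` hosts are constructed placeholders; the logout endpoint and policy name are the ones from the question's URL.

```python
from urllib.parse import urlsplit, urlencode

# Constructed allowlist standing in for the reply URLs registered on the
# B2C app registration (placeholder values, not from the question).
ALLOWED_POST_LOGOUT_URIS = {
    "https://app.example.com/signout-complete",
    "https://app.example.com/",
}

# Endpoint and policy name as they appear in the question's logout URL.
LOGOUT_ENDPOINT = "https://login.microsoftonline.com/MY_TENANT/oauth2/logout"
POLICY = "my_policy"
DEFAULT_POST_LOGOUT = "https://app.example.com/"  # constructed fallback


def _normalize(uri):
    """Reduce an absolute https URL to (scheme, host, port, path).

    Scheme and host are lower-cased, the default port is made explicit and an
    empty path becomes "/", so that equivalent spellings compare equal.
    Raises ValueError for anything that is not a plain absolute https URL
    (relative URLs, other schemes, userinfo, missing host, bad port).
    """
    parts = urlsplit(uri)
    if parts.scheme != "https":          # urlsplit already lower-cases scheme
        raise ValueError("only https is accepted")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed")
    host = parts.hostname                # lower-cased by urlsplit
    if not host:
        raise ValueError("missing host")
    port = parts.port or 443             # .port raises ValueError if malformed
    path = parts.path or "/"
    return ("https", host, port, path)


def is_allowed_post_logout_uri(candidate, allowlist=ALLOWED_POST_LOGOUT_URIS):
    """Exact-match check against the registered URIs.

    The candidate must normalise to the same scheme/host/port/path as one
    allowlisted entry. Query strings and fragments are rejected outright so
    that an attacker-controlled suffix cannot ride along.
    """
    parts = urlsplit(candidate)
    if parts.query or parts.fragment:
        return False
    try:
        cand = _normalize(candidate)
    except ValueError:
        return False
    return any(cand == _normalize(allowed) for allowed in allowlist)


def naive_prefix_check(candidate, prefix="https://app.example.com"):
    """The check many apps actually ship: a string prefix comparison.

    Shown only for contrast; it treats any host that merely *starts with*
    the allowed origin as trusted.
    """
    return candidate.startswith(prefix)


def build_logout_url(requested_return_url):
    """Build the B2C logout URL, substituting the default landing page when
    the requested return URL is not on the allowlist."""
    target = (requested_return_url
              if is_allowed_post_logout_uri(requested_return_url)
              else DEFAULT_POST_LOGOUT)
    query = urlencode({"p": POLICY, "post_logout_redirect_uri": target})
    return f"{LOGOUT_ENDPOINT}?{query}"


if __name__ == "__main__":
    for url in ("https://app.example.com/signout-complete",
                "https://evil.example/",
                "https://app.example.com.attacker.example/"):
        print(url, "strict:", is_allowed_post_logout_uri(url),
              "prefix:", naive_prefix_check(url))
    print(build_logout_url("https://evil.example/"))
```

The design choice worth noting is that the validator compares parsed components rather than strings: case, an explicit `:443`, and a missing trailing slash all normalise to the same entry, while a different host, scheme, port, path, userinfo, or any query or fragment fails closed to the app's own default page.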