Is it possible to restrict Http Method on B2C login endpoints?
A client I've been working for recently conducted a pentest and the testers flagged up that their Azure B2C custom policy endpoints are vulnerable due to the fact they allow GET as well as POST. Therefore users' email and passwords can be passed as query parameters.
My guess is this isn't possible to change because its Microsoft's underlying technology that specifies what Http protocols are allowed. Just wondering if anyone else has experience of this as the documentation and XML configuration files are a bit of a nightmare.
I've tried applying the metadata property:
<Item Key="HttpBinding">POST</Item>
But it seems this does nothing to restrict the protocols allowed by the endpoints.
This is a false positive "vulnerability" from your pentesting company.
The Authorize endpoint used to initialize the user's journey does not accept a username/password (that'd be the token endpoint - that does only accept a POST but out of the scope of this question).
Let's break down what Azure AD B2C is actually doing.
When you call the authorize endpoint, you are asking to establish an interactive authentication flow. When you enter any data in the forms shown on the screen the data is sent only via HTTP POST to a self-asserted endpoint where it is processed server side (see image below).
If the journey has multiple steps, it then progresses to the next screen using a GET request with a state query parameter (meaning if a user refreshes the page, they can continue the journey without issues), but the data here is not sensitive and definitely does not include passwords.
To answer your question, can you restrict it. No, not without supporting infrastructure. It would be technically possible to add Azure Front Door with a custom domain and block GET requests with some Azure Front Door rules, then block any requests coming direct to b2clogin.com in your custom policy.
Is it worth it... No. Why? Because the OAuth2.0 RFC states GET must be supported and you'd be in violation of the spec:
The authorization server MUST support the use of the HTTP "GET" method [RFC2616] for the authorization endpoint and MAY support the use of the "POST" method as well.
- Re-send dead letter message in Azure Bus
- How to do random sampling of rows in Synapse Analytics serverless SQL pool?
- How to skip admin approval for external users in an Entra ID multi-tenant application
- Bicep How to use external file to be used in Deployment Script?
- Insufficient Privileges error when retrieving AD User's Entra ID from Microsoft Graph API using email address
- What is the correct way to set a cookie expiration when using Azure AD to login users to an ASP.NET Core 5 Web Application?
- How can I Parse Json in a Azure Function
- Alchemy Websockets: Can't host server on Azure
- How to connect secrets value stored in Azure key vault to Azure app service env variables directly
- I need to use some query results in an alert email notification in Azure ApplicationInsights
- Azure DevOps Pull work items in tree level in Excel
- Azure Event Hubs to share specific partitions with specific consumer groups
- Azure AD B2C vs Microsoft Entra External ID
- How to query OAuth2 permission grants for service principals in Entra ID using Microsoft Graph PowerShell
- How to get the app role's value given an app role ID in Entra ID using Microsoft Graph Powershell?
- How to list all directory extension definitions within an Entra ID tenant?
- How to get error message from action in Logic App
- How do I enable my Azure pipeline to checkout a submodule using Git?
- Azure Mobile App using existing database that has identity column not called id
- Devops self hosted agent - submodule checkout SSH host key verification failed
- How can I read a XML file Azure Databricks Spark
- Azure Command-Line Interface (CLI) error running .NET 8 console app
- Azure windows VM extensions are provisioning failed state VM agent is "Ready" but Backup failed at VM running State GuestAgentSnapshotTaskStatusError
- Android scheme not accepted by IOS when submitting react-native app through Expo EAS
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Access Azure DevOps Artifact Feed from different organization
- Duplicate record handling with Azure Data Explorer
- File upload fails with 413 Request Entity Too Large in Azure app service but not while running locally
- Azure Tables: best practices for choosing partition/row keys
- Access Denied when accessing Azure Key vault from Azure Functions