Hi,
I'm currently testing a client application where I receive the following error messages from the OAuth endpoint "login.microsoftonline.com" that allow for user enumeration:
For an incorrect client_id:
"AADSTS700016: Application with identifier 'wrong_client_id' was not found in the directory"
For a valid client_id but incorrect client_secret:
"AADSTS7000215: Invalid client secret is provided"
I realize it's still very difficult to do since the client IDs are GUIDs and the secrets long random strings (although that depends on implementation, I guess). So my question is: can these error messages be customized to prevent user enumeration? Are the devs in control of this?
Thanks in advance!
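An added example, not code from the original post or from Microsoft, of the part that is under the application's own control: whatever the token endpoint returns, the app can collapse every failure into one uniform response for the browser and keep the AADSTS detail in its server-side log under a correlation id. The two sample bodies are constructed to mirror the shape of the messages quoted above; the field names (`error`, `error_description`, `error_codes`) follow the token endpoint's JSON error format, while the HTTP status values and the `unauthorized_client` string are assumptions.

```python
"""Sanitise Azure AD token-endpoint errors before they reach the end user.

Added example for this thread, not code from the original post or from
Microsoft. It assumes a web app that exchanges credentials at
login.microsoftonline.com and relays the outcome to a browser. The sample
bodies below are constructed to mirror the shape of AADSTS error JSON
(error, error_description, error_codes); they are not captured responses.
"""
import json
import logging
import re
from typing import Optional, Tuple

log = logging.getLogger("token-relay")

# Constructed sample responses, shaped like the two messages quoted in the post.
# Status codes and the 'error' strings are assumptions, not captured values.
SAMPLE_WRONG_CLIENT_ID = (400, json.dumps({
    "error": "unauthorized_client",
    "error_description": "AADSTS700016: Application with identifier "
                         "'wrong_client_id' was not found in the directory.",
    "error_codes": [700016],
}))
SAMPLE_BAD_SECRET = (401, json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS7000215: Invalid client secret is provided.",
    "error_codes": [7000215],
}))
SAMPLE_SUCCESS = (200, json.dumps({
    "token_type": "Bearer", "expires_in": 3599,
    "access_token": "constructed.placeholder.token",
}))

AADSTS_RE = re.compile(r"AADSTS(\d+)")
GENERIC_STATUS = 401
GENERIC_BODY = {"error": "authentication_failed",
                "message": "Authentication failed. Please try again or contact support."}


def parse_aadsts_code(body: str) -> Optional[int]:
    """Extract the numeric AADSTS code from an error body, or None if absent.

    Prefers the structured error_codes list and falls back to the
    'AADSTSnnnnnn:' prefix of error_description.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    codes = doc.get("error_codes")
    if isinstance(codes, list) and codes and isinstance(codes[0], int):
        return codes[0]
    m = AADSTS_RE.search(doc.get("error_description", ""))
    return int(m.group(1)) if m else None


def relay_token_response(status: int, body: str, correlation_id: str) -> Tuple[int, dict]:
    """Return (status, json_body) to send to the browser.

    Success passes through unchanged. Every failure collapses to one status
    and one message, so 'unknown client' and 'bad secret' are indistinguishable
    to the caller; the real AADSTS code is written to the server log with the
    correlation id so operators can still investigate.
    """
    if status == 200:
        return status, json.loads(body)
    code = parse_aadsts_code(body)
    log.warning("token request failed correlation=%s aadsts=%s", correlation_id, code)
    return GENERIC_STATUS, {**GENERIC_BODY, "correlation_id": correlation_id}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    samples = {"wrong client id": SAMPLE_WRONG_CLIENT_ID,
               "bad secret": SAMPLE_BAD_SECRET,
               "success": SAMPLE_SUCCESS}
    for name, (status, body) in samples.items():
        print(name, "->", relay_token_response(status, body, "c0ffee-1"))
```

The same idea applies to response timing and headers: if the relay answers both failure cases with the same status, body and roughly the same latency, the upstream wording stops mattering to whoever is talking to the app, and the correlation id in the log is what support uses to find the real cause.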