question

ncav avatar image
0 Votes"
ncav asked ncav commented

User enumeration on Client Credentials authentication flow?

Hi,
I'm currently testing a client application where I receive the following error messages from OAuth endpoint "login.microsoftonline.com" that allow for user enumeration:

For an incorrect client_id:
"AADSTS700016: Application with identifier 'wrong_client_id' was not found in the directory

For a valid client_id but incorrect client_secret:
"AADSTS7000215: Invalid client secret is provided

I realize it's still very difficult to do since the client ids are GUIDs and the secrets long random strings (although that depends on implementation I guess). So my question is, can these error messages be customized to prevent user enumeration? Are the devs in control of this?


Thanks in advance!

azure-active-directory
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

joonasw avatar image joonasw ·

What user enumeration? Client ids are for apps and not users.

0 Votes 0 ·

1 Answer

joonasw avatar image
0 Votes"
joonasw answered ncav commented

As far as I know, there is no way to customize these messages.

This also does not allow user enumeration as client ids are for applications.
Guessing a client id and secret correctly would be the same as guessing a user's username and password correctly. More than likely the user's password is weaker than the application client secret.
Azure AD will also most likely block requests from sources with many wrong attempts such that it becomes effectively impossible.

You can make these risks even smaller by manually specifying longer client secrets or by using client certificates with long keys.

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

ncav avatar image ncav ·

Well, then let's call it app id enumeration :)

I'm not particularly concerned about this anyway. Really just want to be sure whether these error messages can be customized or not so I can inform my client.

Thanks for the answer!

0 Votes 0 ·