OsiboteOlamipo-0349 asked ·

Azure B2C securing metadata endpoint.

Does Azure B2C support securing a custom policy metadata endpoint using either basic authorization or a certificate? The setup below does not appear to work, as no certificate was sent to the API. I could not locate any documentation indicating that securing the metadata endpoint is supported; however, I was able to locate documentation indicating that REST API security is supported.

[screenshot: capture.png]

Tags: azure-active-directory, azure-ad-b2c

@OsiboteOlamipo-0349 Why do you want to secure the metadata endpoint in the first place? I have never seen any metadata endpoints being secured by basic authentication or certificates, regardless of whether it is Azure AD, Azure AD B2C or ADFS.


The endpoint is part of a larger REST API. We have a requirement to secure all endpoints on the API, and I do not want this single metadata endpoint to be an exception. Are you of the opinion that there is little risk in keeping this API open? If so, how about a DoS attack?

Thank you.

amanpreetsingh-msft answered ·

@OsiboteOlamipo-0349 I checked on this, but there is no way to secure metadata endpoints by using basic or certificate-based authentication. You may consider storing the metadata in a different location, such as an Azure Storage blob, and providing private access, for example.


Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.


Thanks for the response. I decided not to secure the metadata endpoint after speaking with you and a few others. Thanks for the input.

ahelland answered ·

Depending on your scenario you can skip exposing metadata endpoints if it is to be consumed by B2C. For instance, Apple doesn't provide an openid-configuration endpoint, so one can hardcode the endpoints instead in the custom policy:

- https://appleid.apple.com/auth/authorize
- https://appleid.apple.com/auth/token
- https://appleid.apple.com/auth/keys
- https://appleid.apple.com

For the metadata endpoints exposed by B2C it's different: those you cannot lock down. It is, however, not considered a threat to have them exposed. (If it were, MSFT wouldn't expose the AAD Common metadata endpoint.) One would also assume MSFT has anti-DDoS mechanisms in place for core Azure services.

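To illustrate the approach in the answer above, here is an added example (not from the thread or from Microsoft's starter pack) of an OpenIdConnect technical profile for an Azure AD B2C custom policy with the provider endpoints hard-coded, so B2C never has to fetch an openid-configuration document. The endpoint URLs are the Apple ones quoted in the answer; the technical profile id, client_id and key storage reference id are placeholders.

```xml
<!-- Added example: OIDC technical profile with hard-coded endpoints.
     Because there is no "METADATA" item, B2C does not request any
     openid-configuration document. It still fetches jwks_uri to validate
     token signatures, so that endpoint must stay reachable anonymously. -->
<ClaimsProvider>
  <DisplayName>Apple (hard-coded endpoints)</DisplayName>
  <TechnicalProfiles>
    <!-- Placeholder id; pick your own -->
    <TechnicalProfile Id="Apple-OIDC-HardcodedEndpoints">
      <DisplayName>Sign in with Apple</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <!-- Endpoints quoted in the answer, in place of discovery -->
        <Item Key="authorization_endpoint">https://appleid.apple.com/auth/authorize</Item>
        <Item Key="token_endpoint">https://appleid.apple.com/auth/token</Item>
        <Item Key="jwks_uri">https://appleid.apple.com/auth/keys</Item>
        <Item Key="issuer">https://appleid.apple.com</Item>
        <!-- Placeholder: the Services ID registered with Apple -->
        <Item Key="client_id">PLACEHOLDER_APPLE_SERVICE_ID</Item>
        <Item Key="response_types">code</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="scope">name email</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Placeholder policy key; Apple expects a signed JWT as the
             client secret, and producing that JWT is out of scope here -->
        <Key Id="client_secret" StorageReferenceId="B2C_1A_PLACEHOLDER_AppleSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="apple.com" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

The same pattern applies to any OIDC provider whose discovery document you do not want to expose: with the four endpoints pinned in the policy, only the JWKS URL needs to be publicly readable, and the claim types referenced above must already be declared in your base policy.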
