I am using Microsoft B2C with the default sign in and sign up flow and ran the following scenario:
1. sign up a user with email x@x.com and sign in
2. sign out
3. try to sign up again user x@x.com
Regardless of whether I enter the password created at step 1 or not, I will get the error message "A user with the specified ID already exists. Please choose a different one.".
This means that anyone using a public app which uses B2C for authentication can find out, just by knowing somebody's email, whether that email exists in the B2C tenant or not.
In a similar manner, if I try to sign in with an existing account but the wrong password, I get a different error message ("Your password is incorrect") than if I sign in with an email that does not exist in my B2C user base ("We can't seem to find your account").
I would prefer to be able to have generic messages, such as "Your email address or password is incorrect." in case of the sign in.
Do you have a way to address the above issue? How can I change my sign up and sign in error messages so that I don't expose this information to my end user?
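The overrides below are an added example, not part of the original question or of Microsoft's documentation. They assume the tenant is moved from the built-in user flow to a custom policy based on the Azure AD B2C SocialAndLocalAccounts starter pack, where the sign-in messages live in the `login-NonInteractive` technical profile and the sign-up collision message in `AAD-UserWriteUsingLogonEmail`. The fragment belongs in `TrustFrameworkExtensions.xml`; the message texts themselves are the editor's choice.

```xml
<!-- Added example (not from the original post): TrustFrameworkExtensions.xml overrides that give
     every failure cause the same user-facing text, so the response no longer says which one failed. -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Local Account SignIn</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="login-NonInteractive">
        <Metadata>
          <!-- Starter-pack defaults: "We can't seem to find your account", "Your password is incorrect",
               "Looks like you used an old password". Each distinct text is an oracle for account
               existence, so all three keys get one identical message. -->
          <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">Your email address or password is incorrect.</Item>
          <Item Key="UserMessageIfInvalidPassword">Your email address or password is incorrect.</Item>
          <Item Key="UserMessageIfOldPasswordUsed">Your email address or password is incorrect.</Item>
        </Metadata>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
        <Metadata>
          <!-- Starter-pack default says the user is already registered. A neutral text avoids
               confirming that in so many words; see the note below on what it does not fix. -->
          <Item Key="UserMessageIfClaimsPrincipalAlreadyExists">We couldn't complete your sign-up. If you already have an account, please sign in instead.</Item>
        </Metadata>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Two caveats a tester will raise. First, message text is only one oracle: if the non-existent-account and wrong-password paths still differ in status, redirect or response time, the enumeration survives the reword, so check both paths with a proxy after the change. Second, the sign-up override does not close the sign-up oracle at all, because a sign-up that succeeds and one that fails are still distinguishable outcomes; hiding existence on sign-up needs a flow whose observable result is the same either way (for example, always answering "check your inbox" and only acting on the verified email), which is a design change rather than a string change.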
