Azure AD B2C vulnerable to Open Redirect?

故事扮演 submitted on 2021-02-08 15:00:43

Question


I am using OWIN and OpenID Connect to authenticate users for my web application with Azure AD B2C; Startup.Auth.cs has code like this:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        MetadataAddress = string.Format(AadInstance, Tenant, policy),
        AuthenticationType = policy,
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        RedirectUri = postLogoutRedirectUri,
        Notifications = new OpenIdConnectAuthenticationNotifica....

On sign-out, it causes a redirect to the postLogoutRedirectUri like so:

https://login.microsoftonline.com/MY_TENANT/oauth2/logout?p=my_policy&post_logout_redirect_uri=https%3A%2F%2Fgoogle.com%2F

The post-logout redirect URI is present in the redirect URIs in the portal.

If I stop the browser and change the post-logout URI in the address bar to https%3A%2F%2Fevil.com%2F, the redirect happens anyway, even though the URL https://evil.com/ is not in the allowed redirect URIs.

Why is AD B2C not stopping the redirect? Is this not open to a vulnerability?


Answer 1:


When you sign in using Azure AD B2C, the B2C service sends a token to the "redirect_uri" (the app). Since a token needs to remain secure, the B2C service asks you to whitelist the URLs it should send the token to.

When you are signing out, nothing secure is being transmitted from the B2C service back to the app. Therefore, even if a user is redirected to a malicious site, nothing secure is lost.




Answer 2:


You can change this behavior to force Azure AD B2C to only process the logout redirect if a valid ID token is passed in as a parameter in the sign-out request. To get B2C to automatically include the ID token, and check for its existence, simply edit your sign-in / sign-up policy within the Azure Portal, i.e.:

Alternatively, if you are using custom policies, you can add the SingleSignOn element to the UserJourneyBehaviors section, and set EnforceIdTokenHintOnLogout to true, i.e.:

<UserJourneyBehaviors>
  <SingleSignOn Scope="Tenant" EnforceIdTokenHintOnLogout="true" />
</UserJourneyBehaviors>
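The policy change above only makes B2C demand an id_token_hint; the OWIN app must actually send one, or sign-out starts failing. The following is an added example, not code from the question or either answer, showing the app side of that contract: keep the raw id_token as a claim when the token is validated, then attach it as id_token_hint when the middleware builds the logout request. It assumes Microsoft.Owin.Security.OpenIdConnect 4.x (which uses the enum value OpenIdConnectRequestType.Logout; 3.x named it LogoutRequest), and the names B2CLogoutHardening, ConfigureB2C and IdTokenClaim are this example's own.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Added example (hypothetical class name): the app-side half of
// EnforceIdTokenHintOnLogout for an OWIN + Azure AD B2C web app.
public static class B2CLogoutHardening
{
    // Claim type under which the raw id_token is kept in the session cookie.
    private const string IdTokenClaim = "id_token";

    // Mirrors the asker's Startup.Auth.cs options and wires the two
    // notifications needed once the B2C policy requires an id_token_hint.
    public static void ConfigureB2C(IAppBuilder app, string metadataAddress, string policy,
        string clientId, string authority, string redirectUri, string postLogoutRedirectUri)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            MetadataAddress = metadataAddress,
            AuthenticationType = policy,
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = OnTokenValidated,
                RedirectToIdentityProvider = OnRedirectToIdentityProvider,
            },
        });
    }

    private static Task OnTokenValidated(
        SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
    {
        // Keep the exact token B2C issued: it is what must come back as id_token_hint.
        n.AuthenticationTicket.Identity.AddClaim(new Claim(IdTokenClaim, n.ProtocolMessage.IdToken));
        return Task.FromResult(0);
    }

    private static Task OnRedirectToIdentityProvider(
        RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
    {
        if (n.ProtocolMessage.RequestType != OpenIdConnectRequestType.Logout)
        {
            return Task.FromResult(0); // sign-in requests are left unchanged
        }

        string idToken = n.OwinContext.Authentication.User?.FindFirst(IdTokenClaim)?.Value;
        if (string.IsNullOrEmpty(idToken))
        {
            // No B2C session to end (cookie expired or user never signed in through
            // this policy). B2C would now reject a logout request without a hint,
            // so finish the local sign-out and stay on the app's own page.
            n.HandleResponse();
            n.Response.Redirect(n.Options.PostLogoutRedirectUri);
            return Task.FromResult(0);
        }

        // Lets B2C tie the logout to the app the token was issued for and check
        // post_logout_redirect_uri against that app's registered URIs.
        n.ProtocolMessage.IdTokenHint = idToken;
        return Task.FromResult(0);
    }
}
```

With the hint present, the tampered request from the question (post_logout_redirect_uri rewritten to evil.com) no longer carries a redirect target B2C will honour for that application. The fallback branch is there because enabling EnforceIdTokenHintOnLogout turns a missing hint into a rejected logout rather than a silent redirect, which would otherwise break sign-out for users whose B2C session has already lapsed.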


Source: https://stackoverflow.com/questions/48340714/azure-ad-b2c-vulnerable-to-open-redirect
