
For multiple applications, we are using AAD B2C for our authentication system. We have opted for custom policies. One of the reasons for this is that we want to allow different user groups to access different applications, in the following way:

  • superusers can access all Applications, including our CMS
  • product admins can access the customer facing CMS and the end product
  • product users can access the end product

For this, we have the policies:

  • B2C_1A_xxx_cms
  • B2C_1a_xxx_product
  • B2C_1A_xxx_customercms

In all policies, we do an API call to an internal authentication API, which validates the user's group memberships through MS Graph API. The problem is that these policies seem to be able to be used interchangeably:

https://{tenant}.b2clogin.com/{tenant}/b2c_1a_xxx_cms/oauth2/v2.0/authorize?response_type=id_token&scope={scope}%20openid%20profile&client_id={client_id}&redirect_uri={redirect_uri}&nonce={nonce}&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.4.4&client-request-id={client-request-id}&response_mode=fragment

In the above url, users can access the CMS by replacing b2c_1a_xxx_cms with b2c_1a_xxx_product, thus bypassing the group-based validation in place for the specific application.

The original implementation of our policies is based on this tutorial: https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started

How can we configure these policies in such a way that changing the URL and trying to log in is impossible?

Maarten B
  • I don't understand how your API bypasses the group-based validation. Generally, the API should validate the sign-in user's group memberships no matter which policy and application you are using. Could you explain it in more detail? – Allen Wu Feb 01 '21 at 06:34
  • Sure! The API's validation fires and works perfectly. The problem is that, during login, a user can "select" a different policy by editing the login URL. The difference in policy causes a different API method to be executed, which validates for different groups. – Maarten B Feb 01 '21 at 06:57
  • So for example: User A from Group A can access API A via policy A. User B from Group B can access API B via policy B. Now User B modifies the URL to sign in with policy A and call API A. Is my understanding correct? But in this case I don't think user B can access API A successfully because he can't pass the group membership authentication in policy A. – Allen Wu Feb 01 '21 at 07:06
  • Correct me if there is any misunderstanding. – Allen Wu Feb 01 '21 at 07:07
  • API-side group validation is done independently, and it is indeed impossible to access the API for user B. The problem here lies in the generation of the JWT token which allows access to the front-end. Custom API hooks are used during the login flow. – Maarten B Feb 01 '21 at 08:57
  • Hi did you check my answer? – Allen Wu Feb 04 '21 at 06:22

2 Answers


Based on your requirement, I think you need the application assignment to users feature.

But it is only available in Azure AD rather than Azure B2C.

So I suggest that you use a custom attribute to control the access of the user for different applications.

Allen Wu

“we do an API call to an internal authentication API, which validates the user's group memberships through MS Graph API.”

When User A calls Policy B, this API should return back a claim into the journey that prevents it from issuing a JWT. That can be achieved by creating a “block page” using a self-asserted technical profile. Call this from the orchestration step using this claim from the API to trigger it with a precondition.

Jas Suri - MSFT
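The pattern described in this answer, as an added example that is not code from the question or either answer: the REST technical profile returns an access decision, a self-asserted profile with no Continue button acts as the block page, and a precondition skips it only when access was granted. It goes one step beyond the answer by also sending the requesting application's client_id (the `{OIDC:ClientId}` claims resolver) to the API, so the decision is bound to the application rather than to the policy name in the URL, which the user controls. Claim names (clientId, appAccess and blockedMessage, assumed to be declared in ClaimsSchema as strings, blockedMessage with UserInputType Paragraph), the API URL, step numbers and the content definition are assumptions; the policy and ClaimsProvider wrappers and the earlier sign-in steps are omitted.

```xml
<!-- Added example, not from the question or answers. REST call to the internal authorization API. -->
<TechnicalProfile Id="REST-CheckAppAccess">
  <DisplayName>Check access to the requesting application</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://auth-api.example.internal/api/access</Item> <!-- assumed URL -->
    <Item Key="SendClaimsIn">Body</Item>
    <!-- AuthenticationType and CryptographicKeys: keep the ones your existing REST profile uses -->
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" />
    <!-- client_id of the app that started the request: the API decides per application, not per policy -->
    <InputClaim ClaimTypeReferenceId="clientId" DefaultValue="{OIDC:ClientId}" AlwaysUseDefaultValue="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="appAccess" /> <!-- API returns "granted" or "denied" -->
  </OutputClaims>
</TechnicalProfile>
<!-- Block page: self-asserted profile with no Continue button, so the journey never reaches SendClaims -->
<TechnicalProfile Id="SelfAsserted-AccessDenied">
  <DisplayName>Access denied</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
    <Item Key="setting.showContinueButton">false</Item>
    <Item Key="setting.showCancelButton">false</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="blockedMessage" DefaultValue="Your account is not authorized for this application." AlwaysUseDefaultValue="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="blockedMessage" />
  </OutputClaims>
</TechnicalProfile>
<!-- User journey: after the existing sign-in steps and before SendClaims (step numbers assumed) -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="CheckAppAccessExchange" TechnicalProfileReferenceId="REST-CheckAppAccess" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="6" Type="ClaimsExchange">
  <Preconditions>
    <!-- Only "granted" skips the block page; a missing or "denied" claim falls through to it (fail closed) -->
    <Precondition Type="ClaimEquals" ExecutionActionsIf="true">
      <Value>appAccess</Value>
      <Value>granted</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AccessDeniedExchange" TechnicalProfileReferenceId="SelfAsserted-AccessDenied" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
```

With the decision keyed on client_id, the same three steps can be shared by all three policies, because swapping the policy name in the URL no longer changes which application the API authorizes against.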