
Blocking direct access to Azure B2C tenant isn't working as expected

Open vamsichenna opened this issue 3 years ago • 2 comments

I followed this Github article to block direct access to Azure B2C.

https://github.com/azure-ad-b2c/samples/tree/master/policies/check-host-name

When I replay the selfasserted request (taken from browser developer tools by copying it as curl bash) with credentials, replacing the hostname with the direct B2C hostname, it still allows the request even though the additional checks before login-NonInteractive are in place. Looks like the hostName claim is still using the Front Door hostname. The CheckIfHostNameIsAllowed validation technical profile that was called before login-NonInteractive is not fetching the right hostname.

Could you please look into this and let me know why this is happening?

vamsichenna, Aug 07 '22 15:08

Did you set this to your tenant name?

https://github.com/azure-ad-b2c/samples/blob/master/policies/check-host-name/policy/B2C_1A_TrustFrameworkExtensions_HostName.xml#L79

JasSuri, Aug 08 '22 23:08

I made an update which should resolve this. Please test and close this issue if it works. https://github.com/azure-ad-b2c/samples/commit/539530f866e8fe9e22b0dcedb32457660132e4dd

JasSuri, Aug 12 '22 14:08

Yes, I did set that to my tenant name. The problem is that even though I change the host name in the request (that I make from Postman) to the direct B2C host name, it looks like the custom policy is reading it as the Azure Front Door host name and allowing the request. The hostName claim shows up as the Front Door hostName in Application Insights logs.

vamsichenna, Oct 11 '22 09:10
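As an added illustration, not the sample's policy XML nor code from this thread, here is the allow-list check the check-host-name policy is meant to apply, written in Python, together with a helper that reproduces the failure mode reported above: a hostName claim carrying the Front Door name while the request actually arrived on the direct tenant host. The host names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholders, not real tenants: the Front Door host users are
# expected to arrive through, and the tenant's own *.b2clogin.com host.
ALLOWED_HOSTS = {"login.contoso-example.com"}
DIRECT_TENANT_HOST = "contosoexample.b2clogin.com"


def normalize_host(raw: str) -> str:
    """Lower-case, drop any port and trailing dot, and accept either a bare
    host or a full URL (as pasted from a replayed request), so trivial
    variants of the same name cannot slip past an exact comparison."""
    host = raw.strip().lower()
    if "://" in host:
        host = urlsplit(host).hostname or ""
    host = re.sub(r":\d+$", "", host)  # strip :port (no IPv6 literals expected)
    return host.rstrip(".")


def is_host_allowed(host_claim: str, allowed=ALLOWED_HOSTS) -> bool:
    """Exact match only. Prefix or suffix matching would accept names such as
    'login.contoso-example.com.attacker.test'."""
    return normalize_host(host_claim) in {normalize_host(h) for h in allowed}


def evaluate_request(request_host: str, claim_host: str) -> dict:
    """The decision is only as good as the host the policy actually sees.
    If the claim carries the Front Door name while the request really hit the
    tenant directly, the check passes even though it should have blocked."""
    claim = normalize_host(claim_host)
    actual = normalize_host(request_host)
    return {
        "allowed": is_host_allowed(claim),
        "claim_host": claim,
        "request_host": actual,
        "claim_matches_request": claim == actual,
    }
```

When testing the policy, compare the hostName value logged in Application Insights against the host the request was really sent to; a mismatch in `claim_matches_request` is the symptom described in this issue, not a pass.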