I am using OWIN & OpenID Connect to authenticate users for my web application using Azure AD B2C. The Startup.Auth.cs has code like so:

```csharp
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        MetadataAddress = string.Format(AadInstance, Tenant, policy),
        AuthenticationType = policy,
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        RedirectUri = postLogoutRedirectUri,
        Notifications = new OpenIdConnectAuthenticationNotifica....
```
On sign-out, it causes a redirect to the postLogoutRedirectUrl like so

The post logout redirect URI is present in the redirect URIs in the portal.

If I stop the browser and change the post logout URI in the address bar to https%3A%2F%2Fevil.com%2F, the redirect happens properly even though this URL https://evil.com/ is not in the allowed redirect URIs.

Why is AD B2C not stopping the redirect? Is this not open to a vulnerability?
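The check the question is asking about, as an added illustration that is not the asker's code and not Azure AD B2C's implementation: a logout endpoint that takes `post_logout_redirect_uri` from the browser has to decode the parameter and compare it, as an exact string, against the URIs registered for the application, and refuse the redirect otherwise. The login host, the registered URI and the three sample logout URLs below are constructed for the example; the tampered one carries the same `https%3A%2F%2Fevil.com%2F` value as the question.

```python
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the post-logout redirect URIs registered in the portal.
REGISTERED_POST_LOGOUT_URIS = frozenset({
    "https://app.example.com/signout-callback-oidc",
})

# Constructed sample end_session requests (hypothetical login host and policy name).
_LOGOUT_BASE = "https://login.example.com/oauth2/v2.0/logout?p=B2C_1_signin"
LEGIT_LOGOUT_URL = (
    _LOGOUT_BASE
    + "&post_logout_redirect_uri=https%3A%2F%2Fapp.example.com%2Fsignout-callback-oidc"
)
# The value the question typed into the address bar.
TAMPERED_LOGOUT_URL = _LOGOUT_BASE + "&post_logout_redirect_uri=https%3A%2F%2Fevil.com%2F"
# A look-alike host that a prefix comparison on the host name would let through.
LOOKALIKE_LOGOUT_URL = (
    _LOGOUT_BASE + "&post_logout_redirect_uri=https%3A%2F%2Fapp.example.com.evil.com%2F"
)


def extract_post_logout_redirect_uri(end_session_url: str) -> Optional[str]:
    """Return the decoded post_logout_redirect_uri parameter, or None if absent.

    The browser sends it percent-encoded (https%3A%2F%2F...); parse_qs decodes it,
    so the comparison below runs on the real URI, not on its encoded form.
    """
    values = parse_qs(urlsplit(end_session_url).query).get("post_logout_redirect_uri")
    return values[0] if values else None


def is_allowed_post_logout_uri(
    candidate: str, registered: Iterable[str] = REGISTERED_POST_LOGOUT_URIS
) -> bool:
    """Exact-string match against the registered list: scheme, host, port and path.

    No prefix, substring or host-only matching; those accept attacker-chosen URIs.
    """
    return candidate in set(registered)


def host_prefix_check_is_weak(
    candidate: str, registered: Iterable[str] = REGISTERED_POST_LOGOUT_URIS
) -> bool:
    """The weak variant, kept only to show the failure: compare host names by prefix.

    Returns True when this check would ACCEPT the candidate. A look-alike host such as
    app.example.com.evil.com starts with app.example.com and passes, which is why the
    exact match above is the one to use.
    """
    cand_host = urlsplit(candidate).hostname or ""
    return any(cand_host.startswith(urlsplit(r).hostname or "") for r in registered)


def resolve_logout_redirect(
    end_session_url: str, registered: Iterable[str] = REGISTERED_POST_LOGOUT_URIS
) -> Optional[str]:
    """Decide where the logout endpoint may send the browser after sign-out.

    Returns the validated URI, or None when the request carries no post-logout URI
    or one that is not registered; the caller then falls back to a fixed page or
    shows an error instead of redirecting.
    """
    candidate = extract_post_logout_redirect_uri(end_session_url)
    if candidate is None or not is_allowed_post_logout_uri(candidate, registered):
        return None
    return candidate


if __name__ == "__main__":
    for label, url in (
        ("legit", LEGIT_LOGOUT_URL),
        ("tampered", TAMPERED_LOGOUT_URL),
        ("look-alike", LOOKALIKE_LOGOUT_URL),
    ):
        print(f"{label:10s} -> {resolve_logout_redirect(url)}")
```

Run as a script it prints the registered URI for the legitimate request and `None` for the tampered and look-alike ones. The point of `host_prefix_check_is_weak` is the contrast: the look-alike host is rejected by the exact match but accepted by the prefix comparison, so anything short of a full-string comparison against the registered list leaves the open redirect in place.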