5
votes

I am using OWIN & OpenId to authenticate users for my web application using Azure AD B2C, the Startup.Auth.cs has code like so:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        MetadataAddress = string.Format(AadInstance, Tenant, policy),
        AuthenticationType = policy,
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        RedirectUri = postLogoutRedirectUri,
        Notifications = new OpenIdConnectAuthenticationNotifica....

On signout, it causes a redirect to the postLogoutRedirectUrl like so:

https://login.microsoftonline.com/MY_TENANT/oauth2/logout?p=my_policy&post_logout_redirect_uri=https%3A%2F%2Fgoogle.com%2F

The post logout redirect URI is present in the redirect Uri in the portal.

If I stop the browser and change the post logout URI in the address bar to https%3A%2F%2Fevil.com%2F, the redirect happens properly even though this URL https://evil.com/ is not in the allowed redirect URIs.

Why is AD B2C not stopping the redirect? Is this not open to vulnerability?

2

I fail to see the vulnerability. The whole session is running over HTTPS. If the URL is modified in flight, then either your app is compromised, or the user's client is compromised. In either of these cases redirecting after logout would be the least of my concerns. – Jamie

2 Answers

5
votes

When you sign in using Azure AD B2C, the B2C service sends a token to the "redirect_uri" (the app). Since a token needs to remain secure, the B2C service asks you to whitelist the URLs where it should send the token to.

When you are signing out, nothing secure is being transmitted from the B2C service back to the app. Therefore, even if a user is redirected to a malicious site, nothing secure is lost.

2
votes

You can change this behavior to force Azure AD B2C to only process the logout redirect if a valid ID token is passed in as a parameter in the sign out request. To get B2C to automatically include the ID token, and check for its existence, simply edit your sign-in / sign-up policy within the Azure Portal, i.e.:

[screenshot of the sign-in / sign-up policy settings in the Azure Portal, not included]

Alternatively, if you are using custom policies, you can add the SingleSignOn element to the UserJourneyBehaviors section, and set the EnforceIdTokenHintOnLogout attribute to true, i.e.:

<UserJourneyBehaviors>
    <SingleSignOn Scope="Tenant" EnforceIdTokenHintOnLogout="true" />
</UserJourneyBehaviors>
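Either setting only helps if the application actually sends the ID token as the id_token_hint parameter on the logout request. The following is an added example (not code from either answer or from Microsoft's samples) of the OWIN notifications that do that in the Startup.Auth.cs from the question; it assumes Katana 3.x with Microsoft.IdentityModel.Protocol.Extensions, where the enum is OpenIdConnectRequestType.LogoutRequest (in Katana 4.x the namespace is Microsoft.IdentityModel.Protocols.OpenIdConnect and the value is OpenIdConnectRequestType.Logout), and uses an assumed claim name "id_token" to carry the raw token on the principal.

```csharp
// Added example: keep the id_token after sign-in and attach it as id_token_hint
// on sign-out so that B2C's "require ID token in logout requests" setting has
// something to validate. Assumes Katana 3.x (see lead-in for the 4.x names).
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;          // OpenIdConnectRequestType (Katana 3.x)
using Microsoft.Owin.Security.OpenIdConnect;

public static class B2CLogoutNotifications
{
    // Assumed claim name used to carry the raw ID token on the signed-in principal.
    private const string IdTokenClaim = "id_token";

    public static OpenIdConnectAuthenticationNotifications Create()
    {
        return new OpenIdConnectAuthenticationNotifications
        {
            SecurityTokenValidated = n =>
            {
                // Store the raw ID token so it is still available at sign-out time.
                n.AuthenticationTicket.Identity.AddClaim(
                    new Claim(IdTokenClaim, n.ProtocolMessage.IdToken));
                return Task.FromResult(0);
            },
            RedirectToIdentityProvider = n =>
            {
                if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                {
                    var idToken = n.OwinContext.Authentication.User?
                        .FindFirst(IdTokenClaim)?.Value;
                    if (!string.IsNullOrEmpty(idToken))
                    {
                        // With EnforceIdTokenHintOnLogout enabled, B2C only processes the
                        // logout redirect when this hint is a valid token for the session.
                        n.ProtocolMessage.IdTokenHint = idToken;
                    }
                }
                return Task.FromResult(0);
            }
        };
    }
}
```

Wire it in with `Notifications = B2CLogoutNotifications.Create()` in the OpenIdConnectAuthenticationOptions shown in the question, merging with any other notification handlers already there.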