You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I plan on using Easy Auth with a ASP.NET Core web application hosted on Azure App Service with the Linux flavor.
From my understanding Easy Auth adds a couple of endpoints to the app service:
/.auth/login/<provider>/callback
/.auth/logout
/.auth/me
Usually when I use OpenID Connect and OAuth 2.0 I always opt for the authorization code flow to avoid users having direct access to their tokens (id_token/access_token/refresh_token) as the backend is capable of handling this through cookies in the browser and tokens stored elsewhere away from the user.
I have enabled Easy Auth with the token stored for my application and it works as expected. My question is mainly concerned with the /.auth/me endpoint. This endpoint exposes all the tokens, along with the claims of the user. If I enable scopes for offline_access then refresh_token is also exposed here. From a security perspective this seems horrible as a simple XSS attack could read the tokens and ship them off to an attackers server.
Can I disable this endpoint in Easy Auth to avoid the security issue while still maintaining access to having a token store?
Is MSAL (or rather Microsoft.Identity.Web) dependant on this endpoint to be able to read out the access_token from the token store of Easy Auth before calling downstream services?
The text was updated successfully, but these errors were encountered:
I plan on using Easy Auth with a ASP.NET Core web application hosted on Azure App Service with the Linux flavor.
From my understanding Easy Auth adds a couple of endpoints to the app service:
/.auth/login/<provider>/callback/.auth/logout/.auth/meUsually when I use OpenID Connect and OAuth 2.0 I always opt for the authorization code flow to avoid users having direct access to their tokens (
id_token/access_token/refresh_token) as the backend is capable of handling this through cookies in the browser and tokens stored elsewhere away from the user.I have enabled Easy Auth with the token stored for my application and it works as expected. My question is mainly concerned with the
/.auth/meendpoint. This endpoint exposes all the tokens, along with the claims of the user. If I enable scopes for offline_access then refresh_token is also exposed here. From a security perspective this seems horrible as a simple XSS attack could read the tokens and ship them off to an attackers server.My questions are:
access_tokenfrom the token store of Easy Auth before calling downstream services?The text was updated successfully, but these errors were encountered: