Azure AD B2C logouts and redirection URLs

Background I’ve been helping a client build a customer-facing NodeJS web application which leveraged Azure AD B2C as its identity provider. Things were going well with the development and Azure AD B2C served them really well. It’s cost-effective and gives them all the controls and security features they’ve come to expect with Azure AD (the non-B2C version). As any responsible company, they run penetration tests on the application prior to releasing to production and they identified one item that can pose as a security threat. Continue reading

Validating Azure AD B2C Tokens

I recently ran into an issue where I needed to help a customer validate an Azure AD B2C JWT access token. We tend to take JWT tokens for granted and sometimes forget that they should be validated by the application. I thought this was going to be pretty straight-forward to solve since Azure AD B2C is effectively Azure AD under the hood. I was wrong. I initially thought browsing to the OIDC metadata endpoint would reveal the info I needed to validate the signature of the JWT but finding the endpoint was my first challenge. Continue reading