Background I’ve been helping a client build a customer-facing NodeJS web application which leveraged Azure AD B2C as its identity provider. Things were going well with the development and Azure AD B2C served them really well. It’s cost-effective and gives them all the controls and security features they’ve come to expect with Azure AD (the non-B2C version). As any responsible company, they run penetration tests on the application prior to releasing to production and they identified one item that can pose as a security threat.
Continue reading
