2,446 questions
Other user's data leakages and getting returned in output claims when token is requested from code
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 74%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDN%3C/text%3E%3C/svg%3E)
Daivagna Nanavati
0
Reputation points
Hi Team,
We have an issue which is very intermittent, and we are not able to reproduce but here is what is happening
- Our custom policy had the user session time set to 24 hours initially and there was rolling session
- We wanted to have an infinite session so that user does not need to go through the painful process of entering OTP in custom policy flow and login again
- So, we implemented a code that on every page refresh we are making a call to our custom API to validate token and checking JWT is expired or not, and if it is expired, we are making a call to oauth2/v2.0/authorize end point with all needed param of nonce, scope, response_type=code and other things to get a new token and azure is returning us the token but we have nonce as a static value as "defaultValue" and we think this should be something dynamic, this could also be causing issue
- We also have set ROLLING SESSION in policy now and extended the refresh token to 90 days and id token is 7 days expiry
What issue we are facing is, suddenly and intermittently azure return token of other user and whole user is replaced with other user's claim and data which is a nightmarish situation
We feel may be this is happening when someone's session is expired and if they are refreshing their page and at that time it gives another user's data, but we are unable to reproduce it on our end, it happens with some of the users and
From our research it seems first of all /authorize should not be called multiple time with same nonce else it might give other user's data and other thing is we should pass nonce with some random number
We wanted to know from above context do you feel something is going wrong? and why that is happening
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Raja Pothuraju 10,760 Reputation points Microsoft Vendor2024-12-19T19:49:27.68+00:00 Hello @Daivagna Nanavati,
Thank you for posting your query on Microsoft Q&A.
Based on your description, it appears that your application is using the OAuth 2.0 authorization code flow in Azure Active Directory B2C to generate a token, as indicated by the presence of
response_type=codein your request.The
noncevalue should always be a random value. Instead of using a default value, you can use any random value for thenoncein the request.If Azure returns a token containing another user's claims and those claims replace the intended user's claims, please verify the following in your application request:
- Check for which user the code was generated.
- Check to which user the code was redeemed to obtain a token.
This analysis will provide insights into what might have occurred during the flow and help you understand why another user's claims appeared in the token.
If possible, try using a
noncewith random numbers instead of a default value and observe if the issue persists. Since this issue occurs intermittently, there may be limited opportunities to gather the necessary information. However, implementing these changes and monitoring the behavior could provide further clarity.Thanks,
Raja Pothuraju. -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 65%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Ajay Gour 0 Reputation points2024-12-20T13:08:55.5333333+00:00 Hi Raja Pothuraju,
Can you provide more context on the issue with the nonce? It is working for 99% of users, but for 1% it is failing. How can we verify the following points?
- Check which user the code was generated for.
- Check which user redeemed the code to obtain a token.
Since the URL is the same for all users when a user session expires, the system hits the same URL for everyone.
There have been reported cases where user adds their phone number and OTP but ends up seeing the session details of another user.
Thanks,
Ajay Gour -
Raja Pothuraju 10,760 Reputation points Microsoft Vendor
2024-12-26T02:38:13.8166667+00:00 Hello @Ajay Gour,
Thank you for your response.
To verify the two points, we need to capture network trace logs when the issue occurs on the user's end. These logs will provide details about who the code is being generated for and which user is using the code to redeem and obtain a token. However, as you mentioned, the issue occurs only rarely, making it challenging to gather this information.
Given the complexity, I recommend reaching out to the support team by raising a support ticket for further assistance. If you do not have a support plan, please let me know here.
Thanks,
Raja Pothuraju.
Sign in to comment
Sign in to answer