Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
0 votes
359 views
in Technique [Technology] by (71.8m points)

Azure AD B2C - Multiple Identity Experience Framework custom policies can be used interchangeably

For multiple applications, we are using AAD B2C for our authentication system. We have opted for custom policies. One of the reasons for this is that we want to allow different user groups to access different applications, in the following way:

  • superusers can access all Applications, including our CMS
  • product admins can access the customer facing CMS and the end product
  • product users can access the end product

For this, we have the policies:

  • B2C_1A_xxx_cms
  • B2C_1a_xxx_product
  • B2C_1A_xxx_customercms

In all policies, we do an API call to an internal authentication API, which validates the user's group memberships through the MS Graph API. The problem is that these policies seem to be usable interchangeably:

https://{tenant}.b2clogin.com/{tenant}/b2c_1a_xxx_cms/oauth2/v2.0/authorize?response_type=id_token&scope={scope}%20openid%20profile&client_id={client_id}&redirect_uri={redirect_uri}&nonce={nonce}&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.4.4&client-request-id={client-request-id}&response_mode=fragment

In the above url, users can access the CMS by replacing b2c_1a_xxx_cms with b2c_1a_xxx_product, thus bypassing the group-based validation in place for the specific application.

The original implementation of our policies is based on this tutorial: https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started

How can we configure these policies in such a way that changing the URL and trying to log in is impossible?

question from: https://stackoverflow.com/questions/65934262/azure-ad-b2c-multiple-identity-experience-framework-custom-policies-can-be-use


1 Answer

0 votes
by (71.8m points)

Based on your requirement, I think you need the application assignment to users feature.

But it is only available in Azure AD rather than Azure B2C.

So I suggest that you use a custom attribute to control the access of the user for different applications.
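Neither the question nor the answer includes code; as an added example (not from either post), here is a server-side check a relying party can run on the claims of a token it has already verified (signature, iss, aud, exp). It relies on the fact that B2C records the issuing policy in the token's tfp (or acr) claim, so each application can reject tokens issued by another policy no matter which URL was used, and then checks the custom attribute the answer suggests. The policy names are from the question; the app labels, the attribute name extension_AllowedApps and its comma-separated format are assumptions.

```python
# Added example, not code from the question or answer. Server-side authorization
# check a relying party runs on the claims of an already-verified B2C token.
# Assumes the app's JWT library has already validated signature, iss, aud and exp.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AppPolicy:
    name: str    # application label stored in the custom attribute
    policy: str  # the only B2C policy allowed to issue tokens for this app


# Hypothetical mapping for the three applications named in the question.
APPS = {
    "cms":         AppPolicy("cms",         "B2C_1A_xxx_cms"),
    "customercms": AppPolicy("customercms", "B2C_1A_xxx_customercms"),
    "product":     AppPolicy("product",     "B2C_1A_xxx_product"),
}

# Assumed name of the custom attribute from the answer; B2C exposes custom
# attributes as "extension_<Name>" claims. Value assumed to be comma-separated.
ALLOWED_APPS_CLAIM = "extension_AllowedApps"


def issuing_policy(claims: dict) -> Optional[str]:
    """Return the policy that issued the token. B2C puts it in 'tfp' (or the
    older 'acr' claim, depending on the policy's token configuration)."""
    return claims.get("tfp") or claims.get("acr")


def authorize(claims: dict, app: str) -> Tuple[bool, str]:
    """Decide whether verified token claims grant access to `app`.
    Returns (allowed, reason) so the caller can log the reason on denial."""
    target = APPS.get(app)
    if target is None:
        return False, f"unknown application '{app}'"
    policy = issuing_policy(claims)
    if policy is None:
        return False, "token carries no tfp/acr claim"
    # Policy names are case-insensitive in B2C URLs (b2c_1a_... vs B2C_1A_...),
    # so compare case-insensitively. A token minted by the product policy is
    # rejected by the CMS here even if the user swapped the policy in the URL.
    if policy.lower() != target.policy.lower():
        return False, f"token issued by policy '{policy}', expected '{target.policy}'"
    raw = claims.get(ALLOWED_APPS_CLAIM, "")
    allowed = {a.strip().lower() for a in raw.split(",") if a.strip()}
    if target.name not in allowed:
        return False, f"user not assigned to '{target.name}' in {ALLOWED_APPS_CLAIM}"
    return True, "ok"
```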

