Security: Harden B2C resource server token validation defaults#49252
Merged
rujche merged 3 commits on May 25, 2026
Contributor
Pull request overview
This PR hardens Azure AD B2C resource-server JWT validation defaults in spring-cloud-azure-autoconfigure, aligning B2C validation behavior with the earlier AAD security hardening (e.g., explicit tenant binding, stricter aud validation, and issuer trust scoping).
Changes:
- Enforced B2C tenant-id validation (rejecting `common`/`organizations`/`consumers` and empty values) and normalized tenant-id for comparisons.
- Added a `tid` claim validator and replaced permissive `aud` validation (`containsAll`) with a strict "any configured audience matches" predicate.
- Prevented B2C trusted issuer repositories from inheriting default AAD issuer entries, and added/updated tests for the new behavior.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aadb2c/configuration/AadB2cResourceServerAutoConfiguration.java | Adds tenant-id validation/normalization, tid claim validation, and hardens aud claim validation for B2C JWT decoding. |
| sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/jwt/AadTrustedIssuerRepository.java | Introduces an overload/constructor path to optionally skip default AAD issuer seeding (enabling B2C to avoid inheriting AAD issuers). |
| sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aadb2c/security/jwt/AadB2cTrustedIssuerRepository.java | Uses the new issuer-repo constructor to exclude default AAD issuers and normalizes tenant-id passed to the base repository. |
| sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aadb2c/configuration/AadB2cResourceServerAutoConfigurationTests.java | Adds assertions that B2C trusted issuers don’t include AAD issuers and verifies startup failure for invalid/empty tenant-id values. |
…n and normalization
Member
Author
/azp run java - spring - tests
Azure Pipelines successfully started running 1 pipeline(s).
Netyyyy approved these changes, May 25, 2026
Description
Summary
This PR fixes security gaps in B2C resource-server JWT validation by mirroring the hardening introduced for AAD in #49033.
The previous B2C default configuration could accept tokens from unintended issuers because:
- `common` were not rejected,
- `tid` claim validation was missing,
- `containsAll` predicate that allowed unsafe cases,

What changed
1. Enforced tenant-id validation in B2C resource server
Updated `AadB2cResourceServerAutoConfiguration` to reject null/empty/reserved tenant IDs (`common`, `organizations`, `consumers`) and normalize tenant ID for comparison.
2. Added `tid` claim validator
Added `JwtClaimValidator<String>(AadJwtClaimNames.TID, tenantId::equals)` to bind tokens to the configured tenant.
3. Hardened `aud` claim predicate
Replaced `validAudiences::containsAll` with a strict predicate requiring:
4. Removed unintended AAD issuer inheritance from B2C trusted issuer repository
Refactored `AadTrustedIssuerRepository` with an overload that can skip default AAD issuer seeding. `AadB2cTrustedIssuerRepository` now calls the new constructor with `includeAadIssuers=false`, so B2C trusts only B2C issuers it explicitly adds.
Tests
Added/updated tests in `AadB2cResourceServerAutoConfigurationTests` to verify:
Executed tests:
```shell
mvn -pl spring-cloud-azure-autoconfigure -Dtest=AadB2cResourceServerAutoConfigurationTests test
mvn -pl spring-cloud-azure-autoconfigure test
```
Result:
```
BUILD SUCCESS
Tests run: 1090, Failures: 0, Errors: 0, Skipped: 7
```
Impact
This change prevents cross-issuer acceptance paths in the B2C resource-server default configuration and aligns B2C token validation posture with recent AAD hardening.
All SDK Contribution checklist:
General Guidelines and Best Practices
Testing Guidelines
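An added example (not code from this PR or from the Spring Cloud Azure project) that contrasts the permissive `validAudiences::containsAll` audience predicate named in the review summary and in step 3 with a strict any-match predicate, and shows the tenant-id rejection and `tid` binding from steps 1 and 2 in the same shape a `JwtClaimValidator` predicate would take. It uses only `java.util`; the trim/lower-case normalization, the `RESERVED_TENANTS` name and the sample audience and tenant values are assumptions, since the PR text does not specify how normalization is done.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.function.Predicate;

public class B2cClaimPredicates {
    // Reserved AAD multi-tenant endpoints that must never bind a B2C resource server.
    static final Set<String> RESERVED_TENANTS = Set.of("common", "organizations", "consumers");

    // 'Before': true when every audience in the token is configured.
    // An empty aud list satisfies containsAll, so a token issued for no audience passes.
    static Predicate<List<String>> permissiveAud(Set<String> validAudiences) {
        return validAudiences::containsAll;
    }

    // 'After': at least one token audience must match a configured one;
    // a missing or empty aud claim is rejected.
    static Predicate<List<String>> strictAud(Set<String> validAudiences) {
        return aud -> aud != null && aud.stream().anyMatch(validAudiences::contains);
    }

    // Tenant-id check: reject null/blank/reserved values, then normalize for comparison.
    // Trim + lower-case is an assumed normalization, not the PR's documented rule.
    static String normalizeTenantId(String tenantId) {
        if (tenantId == null || tenantId.isBlank()) {
            throw new IllegalArgumentException("tenant-id must not be empty");
        }
        String normalized = tenantId.trim().toLowerCase(Locale.ROOT);
        if (RESERVED_TENANTS.contains(normalized)) {
            throw new IllegalArgumentException("tenant-id must be a concrete tenant, not " + normalized);
        }
        return normalized;
    }

    // tid binding, same predicate shape as JwtClaimValidator<String>(AadJwtClaimNames.TID, tenantId::equals).
    static Predicate<String> tidMatches(String configuredTenantId) {
        String expected = normalizeTenantId(configuredTenantId);
        return expected::equals;
    }

    public static void main(String[] args) {
        Set<String> valid = Set.of("api://b2c-app-id-placeholder"); // constructed sample
        System.out.println("permissive accepts empty aud: " + permissiveAud(valid).test(List.of()));
        System.out.println("strict accepts empty aud:     " + strictAud(valid).test(List.of()));
        System.out.println("strict accepts matching aud:  "
            + strictAud(valid).test(List.of("api://b2c-app-id-placeholder", "unrelated-aud")));
        System.out.println("tid bound to tenant:          "
            + tidMatches(" TENANT-GUID-PLACEHOLDER ").test("tenant-guid-placeholder"));
        System.out.println("tid from other tenant:        "
            + tidMatches("tenant-guid-placeholder").test("other-tenant-guid"));
    }
}
```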