How to remove the "hint" query parameter during AAD B2C password reset flow?

Batman 5 Reputation points
2024-09-24T17:10:43.5333333+00:00

We have set up the password reset exchange as instructed in the docs and are trying to remove the hint query parameter that gets added to the URL when clicking the forgot password link. We do not want it as it is an info leak. Someone else asked a similar question, but they wanted the opposite of what we want and discovered the query param already exists. How do we remove it?


2 answers

  1. Neuvi Jiang 1,460 Reputation points Microsoft Vendor
    2024-09-25T08:00:03.6566667+00:00

    Hi Batman,

    Thank you for posting in the Q&A Forums.

    1. Understanding the role of the hint parameter

    The hint parameter is designed by Azure AD B2C for user experience purposes and allows the user's identifier (e.g., username or email) to be pre-populated via a URL before the user begins the password reset process. However, this can also pose a security risk as it may reveal the user's personal information.

    2. Customizing the password reset policy

    To remove the hint parameter, you need to customize the password reset policy for Azure AD B2C. This usually involves modifying or creating custom User Journeys and Technical Profiles. However, removing the hint parameter from the URL directly through the Azure AD B2C configuration interface or policy file may not be directly supported.

    3. Modifying the password reset link

    A more practical approach is to control the process of generating password reset links. Make sure that you do not include the hint parameter when generating these links. This is usually done on the back end of your application or web service, where you can adjust the logic to exclude this parameter.

    4. Use security best practices

    Minimize information leakage: Ensure that the principle of least privilege is followed in any part of your application and that only necessary user information is requested and transmitted.

    Use HTTPS: Ensure that all communication with Azure AD B2C is done over HTTPS to protect the confidentiality and integrity of data.

    User education: Educate users not to share password reset links or any URLs containing personal information with untrusted third parties.

    Best regards

    NeuviJ

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
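
Step 3 of the answer above, sketched as an added example (not code from either answerer or from Microsoft): a back-end helper that drops hint-style parameters from a reset link the application builds and reports any remaining query value that still looks like an e-mail address. The function name, the sample URL (tenant, policy, client_id) and the parameter list are assumptions: `hint` is the name used in the question, `login_hint` and `id_token_hint` are the OpenID Connect hint parameters.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names: "hint" is the name used in the question;
# login_hint and id_token_hint are the OpenID Connect hint parameters.
HINT_PARAMS = {"hint", "login_hint", "id_token_hint"}

# Loose pattern for "looks like an e-mail address"; used only for reporting.
EMAIL_RE = re.compile(r"[^@\s=&]+@[^@\s=&]+\.[A-Za-z]{2,}")


def strip_hints(url):
    """Return (clean_url, removed, leaks).

    removed: names of hint parameters dropped from the query string.
    leaks:   names of remaining parameters whose decoded value still
             looks like an e-mail address.
    """
    parts = urlsplit(url)
    kept, removed, leaks = [], [], []
    # parse_qsl percent-decodes, so "user%40example.com" is seen as an address.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in HINT_PARAMS:
            removed.append(name)
            continue
        if EMAIL_RE.search(value):
            leaks.append(name)
        kept.append((name, value))
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, removed, leaks


# Constructed sample link; tenant, policy and client_id are placeholders.
SAMPLE = (
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
    "?p=B2C_1_password_reset&client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=id_token&scope=openid"
    "&hint=alice%40example.com&state=return%3Dalice%40example.com"
)

if __name__ == "__main__":
    clean, removed, leaks = strip_hints(SAMPLE)
    print(clean)
    print("removed:", removed, "still leaking:", leaks)
```

The helper only covers URLs your own code emits. The `leaks` list is meant for a unit test or a log check, so an identifier carried in another parameter such as `state` is caught as well.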


  2. James Hamil 25,636 Reputation points Microsoft Employee
    2024-10-03T18:31:51.69+00:00

    Hi @Batman (haha), the id_token_hint query parameter is added to the password reset URL to help prevent phishing attacks. It's used to pass the user's identity to the password reset policy so that the policy can verify that the user is who they claim to be. If you don't want it though, you should be able to remove it with a custom policy. Please try the following for me and let me know if it works:

    1. Create a copy of the built-in PasswordReset policy.
    2. In the TrustFrameworkExtensions.xml file of the copied policy, remove the OutputClaim element that outputs the id_token_hint claim: <OutputClaim ClaimTypeReferenceId="id_token_hint" PartnerClaimType="id_token_hint" />

    If this doesn't work, I can investigate further. Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

