Impact
What kind of vulnerability is it? Who is impacted?
Neither https://github.com/umbraco/UmbracoIdentityExtensions/blob/master/build/ActiveDirectory.Readme.txt nor https://shazwazza.com/post/configuring-azure-active-directory-login-with-umbraco-members/ requires the developer to enter the client secret, because it is optional in this repository.
Since Umbraco is not a single-page application, the implicit flow is not safe. For traditional MVC applications, it is recommended to use the authorization code flow, which requires the client to authenticate with the authorization server using a client secret. This flow provides better security, as it involves exchanging an authorization code for an access token and/or ID token, rather than directly returning tokens in the URL fragment.
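As an added illustration (not code from UmbracoIdentityExtensions or Umbraco), the following simulated authorization server contrasts the two flows: with `response_type=id_token` the token itself is returned in the URL fragment, while with `response_type=code` only a single-use code is exposed and the token endpoint refuses to redeem it unless the client presents the correct client secret. The client id, secret and redirect URI are constructed values.

```python
"""Simulated OpenID Connect authorization server contrasting the implicit flow
(token in the URL fragment) with the authorization code flow (single-use code
redeemed at the token endpoint with a client secret). Constructed example."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CLIENT_ID = "umbraco-backoffice"                 # constructed registration
CLIENT_SECRET = "s3cr3t-from-app-registration"   # constructed secret
REDIRECT_URI = "https://example.invalid/umbraco/signin-oidc"

_issued_codes = {}   # code -> subject; entries are removed on first redemption


def authorize(response_type: str, subject: str) -> str:
    """Return the redirect URL the authorization server sends the browser to."""
    if response_type == "id_token":
        # Implicit flow: the ID token travels in the URL fragment.
        frag = urlencode({"id_token": f"idtok-for-{subject}", "state": "xyz"})
        return f"{REDIRECT_URI}#{frag}"
    if response_type == "code":
        # Authorization code flow: only a short-lived, single-use code is exposed.
        code = secrets.token_urlsafe(16)
        _issued_codes[code] = subject
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': 'xyz'})}"
    raise ValueError("unsupported response_type")


def token_endpoint(code: str, client_id: str, client_secret: str) -> dict:
    """Redeem a code; the confidential client must authenticate first."""
    if client_id != CLIENT_ID or not secrets.compare_digest(client_secret, CLIENT_SECRET):
        return {"error": "invalid_client"}
    subject = _issued_codes.pop(code, None)   # single use
    if subject is None:
        return {"error": "invalid_grant"}
    return {"id_token": f"idtok-for-{subject}", "token_type": "Bearer"}


def token_visible_in_redirect(redirect: str) -> bool:
    """True when a token is carried in the redirect URL (query or fragment)."""
    u = urlparse(redirect)
    params = {**parse_qs(u.query), **parse_qs(u.fragment)}
    return any(k in params for k in ("id_token", "access_token"))


def code_from_redirect(redirect: str) -> str:
    """Extract the authorization code from a code-flow redirect URL."""
    return parse_qs(urlparse(redirect).query)["code"][0]
```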
Patches
Has the problem been patched?
Yes
References
Are there any links users can visit to find out more?
PR resolving this issue
https://docs.umbraco.com/umbraco-cms/reference/security/external-login-providers