services / Azure / API Management OpenID Connect providers

OpenID Connect identity provider registrations used by API Management to authenticate API consumers and the developer portal. They define the authentication trust (issuer, client ID) and hold a client secret.

Authentication/authorization configuration that gates API access; the associated client secret is a credential.

Microsoft.ApiManagement/service/openidConnectProviders/listSecrets/action

Returns the OIDC provider client secret, exporting credential material that can be reused to impersonate the API Management relying party against the configured identity provider and move laterally into that trust relationship.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ApiManagement
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog