OpenID Connect Authorization Code Flow with Proof Key for Code Exchange (PKCE) not announced in metadata?
According to https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code, Azure AD supports OpenID Connect's Authorization Code Flow with Proof Key for Code Exchange (PKCE).
Unfortunately this is not reflected in the metadata at the discovery URL https://login.microsoftonline.com/{tenantid}/v2.0/.well-known/openid-configuration, i.e. the following block is missing (cf. RFC 8414), thus OIDC clients relying on the metadata assume that PKCE is not supported.
"code_challenge_methods_supported": [
"S256"
],
Google, for instance, announces PKCE support just fine: https://accounts.google.com/.well-known/openid-configuration. Can I adjust my tenant to do it likewise or can only Microsoft change it? If the latter: Is it on Microsoft's roadmap?
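As an added example (not part of the question above), the following Python shows how a client reads `code_challenge_methods_supported` from a discovery document and builds the RFC 7636 S256 parameters; the two discovery documents are constructed stand-ins (one without the key, one with it), and the `assume_s256` switch is a hypothetical client-side override for a server whose documentation promises PKCE but whose metadata omits it.

```python
import base64
import hashlib
import json
import secrets

# Constructed discovery documents (not real responses). The first omits
# code_challenge_methods_supported, the second lists S256.
METADATA_WITHOUT_PKCE = json.dumps({
    "issuer": "https://issuer.example/v2.0",
    "authorization_endpoint": "https://issuer.example/oauth2/v2.0/authorize",
    "token_endpoint": "https://issuer.example/oauth2/v2.0/token",
})
METADATA_WITH_PKCE = json.dumps({
    "issuer": "https://issuer.example/v2.0",
    "authorization_endpoint": "https://issuer.example/oauth2/v2.0/authorize",
    "token_endpoint": "https://issuer.example/oauth2/v2.0/token",
    "code_challenge_methods_supported": ["S256"],
})


def advertised_pkce_methods(metadata_json: str) -> list:
    """Return the PKCE methods the discovery document advertises.
    Per RFC 8414, an absent key means the server claims no PKCE support."""
    return json.loads(metadata_json).get("code_challenge_methods_supported", [])


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43-character high-entropy verifier drawn from the RFC 7636 unreserved alphabet."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def choose_pkce(metadata_json: str, assume_s256: bool = False) -> dict:
    """Decide which PKCE parameters to add to the authorization request.
    assume_s256 (hypothetical override) lets the client send S256 even when the
    metadata is silent; the resulting code_verifier is sent in the token request."""
    methods = advertised_pkce_methods(metadata_json)
    if "S256" in methods or assume_s256:
        verifier = new_code_verifier()
        return {"code_verifier": verifier,
                "code_challenge": s256_challenge(verifier),
                "code_challenge_method": "S256"}
    return {}
```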