Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,664 questions
OpenID Connect Authorization Code Flow with Proof Key for Code Exchange (PKCE) not announced in metadata?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 95%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
HD
26
Reputation points
According to https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code, Azure AD supports OpenID Connect's Authorization Code Flow with Proof Key for Code Exchange (PKCE).
Unfortunately this is not reflected in the metadata at the discovery url https://login.microsoftonline com/{tenantid}/v2.0/.well-known/openid-configuration, i.e. the following block is missing (cf. RFC 8414), thus OIDC clients relying on the metadata assume that PKCE is not supported.
"code_challenge_methods_supported": [
"S256"
],
Google, for instance, announces PKCE support just fine: https://accounts.google.com/.well-known/openid-configuration. Can I adjust my tenant to do it likewise or can only Microsoft change it? If the latter: Is it on Microsoft's roadmap?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 34,306 Reputation points Microsoft Employee2021-01-05T00:21:09.617+00:00 Azure AD supports PKCE on both the v1.0 and v2.0 endpoints.
v2.0 documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
v1.0 documentation: https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-oauth-code
It should be:
"code_challenge_methods_supported": [ "plain", "S256" ]
There may be issues using code flow if you are using B2C and PKCE with a browser app, however. https://github.com/manfredsteyer/angular-oauth2-oidc/issues/653
Also, you may need to change your redirect URI type to enable CORS. You can do this by going to the manifest editor for your app registration in the portal, finding the replyUrlsWithType section and changing the type of your redirect URI to SPA.
May I ask which guide you are following?
-
HD 26 Reputation points
2021-01-05T11:53:59.883+00:00 "code_challenge_methods_supported": [ "plain", "S256" ] or "code_challenge_methods_supported": [ "S256" ], both would do but there seems no way to add it to the metadata document. Is there a way to configure it?
We want to use PKCE with custom apps as well as off-the-shelf apps. Some apps can be coded or forced to use PKCE but some rely on the metadata. Apps like kubelogin can't find "code_challenge_methods_supported" at our https://login.microsoftonline com/{tenantid}/v2.0/.well-known/openid-configuration so they fall back on Authorization Code Flow with client secret. We would like to get rid of client secrets.
Google, Okta, Auth0, they all announce "code_challenge_methods_supported" and work for us.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 85%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKZ%3C/text%3E%3C/svg%3E)
Kamil Zdanikowski 36 Reputation points2022-04-05T14:45:59.69+00:00 Do you have any update on this?
Neither Azure AD nor Azure AD B2C announce PKCE "code_challenge_methods_supported".According to linked RFC in the original question - https://datatracker.ietf.org/doc/html/rfc8414 - when "code_challenge_methods_supported" is omitted, the authorization server does not support PKCE. However this is not the case for Azure AD/Azure AD B2C. They do not annouce "code_challenge_methods_supported" but support PKCE.
As @HD already pointed out, if there are any libraries which are deciding wheter to use PKCE or not relying on code_challenge_methods_supported, they might end up not using PKCE with Azure AD/Azure AD B2C.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 78%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEE%3C/text%3E%3C/svg%3E)
Egor Emeliyanov 36 Reputation points2022-11-29T20:10:43.723+00:00 It's been 6 months, and I'd like to +1 the question. AzureAD supports PKCE, but still fails to properly announce this fact in its openid-configuration document, therefore some client libraries fail when using AzureAD as IdP. Is there a reason why it is designed this way?
Sign in to comment