AD B2C Custom Identity providers: how to configure code_challenge?

Francis C2 21 Reputation points
2019-12-16T17:19:42.313+00:00

Hi,

I am trying to configure a private OpenID Connect Identity provider and Azure B2C does not send code_challenge, code_challenge_method and code_verifier parameters which are required in our implementation.

Is this supported?

This doc does not mention code_challenge anywhere: Set up sign-up and sign-in with OpenID Connect using Azure Active Directory B2C (https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-oidc-idp)

Thanks.


3 answers

  1. Frank Hu MSFT 81 Reputation points
    2019-12-17T00:44:05.633+00:00

    Hey @Francis C2

    The code_challenge flow is in fact supported; see the announcement here: https://azure.microsoft.com/en-au/blog/azure-ad-b2c-google-signin-issue/

    Note that this isn't supported for any implicit flows, though: https://developer.microsoft.com/en-us/identity/blogs/our-thoughts-on-implicit-grant-with-microsoft-identity/

    Unfortunately our documentation is still getting up to date for some items such as this.

    We will take this into account and look into updating the docs as soon as possible. Thanks for letting us know about this.

    Thanks,

    Frank Hu

  2. Francis C2 21 Reputation points
    2019-12-23T19:06:37.06+00:00

    Hi,

    Your link to https://azure.microsoft.com/en-au/blog/azure-ad-b2c-google-signin-issue/ does not refer to the code_challenge flow, and I do not see any options in the Azure UI.

    My provider has this flow:

    STEP 1 - AUTHORIZE:
    REQUEST:
    GET: https://domain/tp/v1/oauth/authorize?
    scope=SCOPE&
    response_type=code&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=https://YOUR_APP/callback&
    code_challenge=CODE_CHALLENGE&
    code_challenge_method=S256

    RESPONSE - It is up to the mobile device app (client) to choose to follow the redirect or to just extract the code:
    HTTP/1.1 302 Found
    Location: https://YOUR_APP/callback?code=AUTHORIZATION_CODE

    STEP 2 - GET ACCESS TOKEN AND REFRESH TOKEN:
    REQUEST:
    POST https://domain/tp/v1/oauth/token
    Content-Type: application/json
    {
    "grant_type": "authorization_code",
    "client_id": "YOUR_CLIENT_ID",
    "code_verifier": "CODE_VERIFIER",
    "code": "AUTHORIZATION CODE FROM STEP 1",
    "redirect_uri": "com.myclientapp://myclientapp.com/callback"
    }

    RESPONSE:
    HTTP/1.1 200 OK
    Content-Type: application/json
    {
    "refresh_token_expires_in": 28800,
    "refresh_token": "wTX0BWbAIZXDi6m5yl7qjd506JjE5XVmO1Ar8uv0oCdkOg2b91",
    "access_token_expires_in": 3600,
    "access_token": "eyJhbGciOiJIUzI1NiJ9...37M",
    "token_type": "Bearer"
    }

    However, the only settings I see on Azure B2C are:

    [screenshot of the Azure B2C identity provider settings page]

    Where and how do I configure the provider?

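The two-step exchange in the post above is PKCE (RFC 7636) layered on the authorization code grant. The following is an added example, not code from the original post, from Azure AD B2C or from the poster's provider: it shows the client-side derivation (random code_verifier, code_challenge = BASE64URL(SHA256(code_verifier)) with method S256), the authorize URL, the JSON token request, and the checks a conforming token endpoint must perform (S256 only, single-use code, redirect_uri and client_id must match the authorize request, constant-time comparison of the recomputed challenge). The hostnames, the client_id and the in-memory `ToyProvider` are constructed for illustration; B2C's own policy engine is not modelled.

```python
"""PKCE (RFC 7636) round trip: client-side derivation and the provider-side check.

Added example; the endpoints, client_id and ToyProvider are constructed, not real.
"""
import base64
import hashlib
import hmac
import json
import secrets
import urllib.parse


def b64url(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 section 4.2 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43-128 unreserved chars; 32 random bytes -> 43 chars."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(endpoint, client_id, redirect_uri, scope, challenge, state):
    """Step 1 of the post: the authorize request carrying the challenge."""
    params = {"scope": scope, "response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "code_challenge": challenge,
              "code_challenge_method": "S256", "state": state}
    return endpoint + "?" + urllib.parse.urlencode(params)


class ToyProvider:
    """Minimal authorization server enforcing PKCE (constructed for this example)."""

    def __init__(self):
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url: str) -> str:
        """Handle the authorize request; return the 302 Location the client receives."""
        q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
        if q.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            # Public clients must use S256; 'plain' or a missing challenge is refused.
            raise ValueError("invalid_request: S256 code_challenge required")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return q["redirect_uri"] + "?" + urllib.parse.urlencode(
            {"code": code, "state": q.get("state", "")})

    def token(self, body: str) -> dict:
        """Step 2 of the post: JSON token request; returns tokens or an OAuth error."""
        req = json.loads(body)
        entry = self._pending.pop(req.get("code", ""), None)  # single use: replay fails
        if req.get("grant_type") != "authorization_code" or entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, challenge = entry
        # redirect_uri must be identical to the one sent in the authorize request.
        if req.get("client_id") != client_id or req.get("redirect_uri") != redirect_uri:
            return {"error": "invalid_grant"}
        verifier = req.get("code_verifier", "")
        if not 43 <= len(verifier) <= 128:
            return {"error": "invalid_grant"}
        # Recompute the challenge from the presented verifier; compare in constant time.
        if not hmac.compare_digest(make_code_challenge(verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(32)),
                "token_type": "Bearer", "access_token_expires_in": 3600}


def run_flow(tamper: bool = False) -> dict:
    """Full round trip. tamper=True presents a well-formed but wrong code_verifier."""
    provider = ToyProvider()
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    redirect_uri = "https://app.example/callback"  # constructed
    url = build_authorize_url("https://idp.example/tp/v1/oauth/authorize",  # constructed
                              "YOUR_CLIENT_ID", redirect_uri, "openid",
                              make_code_challenge(verifier), state)
    cb = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(provider.authorize(url)).query))
    if not hmac.compare_digest(cb.get("state", ""), state):
        raise ValueError("state mismatch")  # CSRF check on the callback
    body = json.dumps({"grant_type": "authorization_code", "client_id": "YOUR_CLIENT_ID",
                       "code": cb["code"], "redirect_uri": redirect_uri,
                       "code_verifier": make_code_verifier() if tamper else verifier})
    first = provider.token(body)
    replay = provider.token(body)  # same code a second time must be rejected
    return {"token": first, "replay": replay}


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(tamper=True))
```

Two details worth noting against the flow in the post: the example sends the same redirect_uri in the authorize request and in the token request, which RFC 6749 section 4.1.3 requires when one was sent in step 1, and the code is discarded on first use so that a second token request with the same code fails even with the correct verifier.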

  3. Chintan Bhatt 1 Reputation point
    2021-03-03T05:52:06.993+00:00

    Hi Francis, did you ever get a solution for this?
