FrancisC2-7884 asked:

AD B2C Custom Identity providers: how to configure code_challenge?

Hi,

I am trying to configure a private OpenID Connect identity provider, and Azure B2C does not send the code_challenge, code_challenge_method and code_verifier parameters, which are required in our implementation.

Is this supported?

This doc does not mention code_challenge anywhere: Set up sign-up and sign-in with OpenID Connect using Azure Active Directory B2C (https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-oidc-idp)

Thanks.

Tags: azure-active-directory, azure-ad-b2c

FrankHuMSFT-4825 answered:

Hey @francisc2-7884

The code_challenge flow is in fact supported; see the announcement on this here: https://azure.microsoft.com/en-au/blog/azure-ad-b2c-google-signin-issue/

Note that this isn't supported for any implicit flows, though: https://developer.microsoft.com/en-us/identity/blogs/our-thoughts-on-implicit-grant-with-microsoft-identity/

Unfortunately, our documentation is still being brought up to date for some items such as this.

We will take this into account and look into updating the docs as soon as possible. Thanks for letting us know about this.

Thanks,
- Frank Hu

FrancisC2-7884 answered:

Hi,

Your link to https://azure.microsoft.com/en-au/blog/azure-ad-b2c-google-signin-issue/ does not refer to the code_challenge flow, and I do not see any options in the Azure UI.

My provider has this flow:

STEP 1 - AUTHORIZE:
REQUEST:
GET https://domain/tp/v1/oauth/authorize?
    scope=SCOPE&
    response_type=code&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=https://YOUR_APP/callback&
    code_challenge=CODE_CHALLENGE&
    code_challenge_method=S256

RESPONSE - it is up to the mobile device app (client) to choose to follow the redirect or to just extract the code:
HTTP/1.1 302 Found
Location: https://YOUR_APP/callback?code=AUTHORIZATION_CODE

STEP 2 - GET ACCESS TOKEN AND REFRESH TOKEN:
REQUEST:
POST https://domain/tp/v1/oauth/token
Content-Type: application/json

{
    "grant_type": "authorization_code",
    "client_id": "YOUR_CLIENT_ID",
    "code_verifier": "CODE_VERIFIER",
    "code": "AUTHORIZATION CODE FROM STEP 1",
    "redirect_uri": "com.myclientapp://myclientapp.com/callback"
}

RESPONSE:
HTTP/1.1 200 OK
Content-Type: application/json

{
    "refresh_token_expires_in": 28800,
    "refresh_token": "wTX0BWbAIZXDi6m5yl7qjd506JjE5XVmO1Ar8uv0oCdkOg2b91",
    "access_token_expires_in": 3600,
    "access_token": "eyJhbGciOiJIUzI1NiJ9...37M",
    "token_type": "Bearer"
}


However, the only settings I see on Azure B2C are:

[attached screenshot 1.jpg: the Azure B2C identity provider settings page]
Where and how do I configure the provider?