Using Proof Key for Code Exchange (PKCE) in Azure AD B2C
First read my previous post on “Using Proof Key for Code Exchange (PKCE) in ADFS for Windows Server 2019”.
This gives an overview of PKCE and the required C# code to generate the “code_verifier” and the “code_challenge”.
Azure AD B2C is pretty similar.
We create a web application:
You can enter the “Redirect URI” under “Reply URL”. I’m going to use Postman so the “Redirect URI” is really a dummy entry for redirection but in practice, this would be for your application.
Create a secret key under “Keys”.
The GET to the /authorize endpoint from the browser is:
https://my-tenant.b2clogin.com/my-tenant.onmicrosoft.com/oauth2/v2.0/authorize
&code_challenge=_r67lcj4MoDNBAkhxS7ke_YKhKCBAiM0SgzNCagbCxo
Note that you need the policy attribute “p=” where the policy is one of the ones you created in B2C.
This brings up the Azure AD B2C log in screen.
Authenticate and you'll be redirected to:
https://jwt.io/?code=eyJraWQiOiJjcGlt…
The POST command to the /token endpoint is:
where the “code” is as returned above.
Notice that the policy needs to be in the query string.
This returns:
Success!
The “code_challenge_method=plain” also works but “S256” is preferred.
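The following is an added example (my own code, not from the original post or its earlier ADFS companion) that pulls the whole flow above together in Python: it generates the code_verifier and the S256 code_challenge per RFC 7636, builds the /authorize URL with the required p= policy parameter, builds the /token POST with the policy in the query string, and shows why plain is weaker than S256 (a plain challenge is the verifier itself, so anyone who sees the authorization request already holds the secret). The tenant name and the jwt.io redirect URI match the post; the policy name, client_id and client_secret are placeholders, as is the tenant "my-tenant" which the post uses for illustration.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Constructed values for this example. TENANT and REDIRECT_URI follow the post;
# POLICY, CLIENT_ID and CLIENT_SECRET are hypothetical placeholders.
TENANT = "my-tenant"
POLICY = "B2C_1_example_policy"                      # one of the policies created in B2C
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder application id
CLIENT_SECRET = "<secret-from-Keys-blade>"           # placeholder; public clients omit it
REDIRECT_URI = "https://jwt.io/"
SCOPE = "openid offline_access"
BASE = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/oauth2/v2.0"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes -> 43 unreserved characters (43..128 allowed)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """S256: base64url(sha256(verifier)); plain: the verifier itself (discouraged)."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """What the token endpoint does: recompute the challenge from the presented
    verifier and compare it, in constant time, to the one sent to /authorize."""
    return secrets.compare_digest(make_code_challenge(verifier, method), challenge)


def build_authorize_url(challenge: str, state: str, nonce: str, method: str = "S256") -> str:
    """The browser GET to /authorize; note the p= policy parameter."""
    params = {
        "p": POLICY,
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,                 # CSRF binding for the redirect
        "nonce": nonce,                 # replay binding for the id_token
        "code_challenge": challenge,
        "code_challenge_method": method,
    }
    return f"{BASE}/authorize?" + urllib.parse.urlencode(params)


def build_token_request(code: str, verifier: str):
    """The POST to /token: policy stays in the query string, the verifier goes in the
    form body so B2C can check it against the challenge it stored for this code."""
    url = f"{BASE}/token?" + urllib.parse.urlencode({"p": POLICY})
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,  # drop this line for a public (SPA/mobile) client
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }
    return url, body


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(build_authorize_url(challenge, state=secrets.token_urlsafe(16),
                              nonce=secrets.token_urlsafe(16)))
    # After the user signs in, the code arrives on the redirect URI (jwt.io in the post).
    url, body = build_token_request("<code-from-redirect>", verifier)
    print(url)
    print(body)
```

The verifier is kept only in the client that started the request and never appears on the /authorize URL, so an attacker who captures the authorization code in transit (or from browser history or a log) cannot redeem it. With plain, the value on the URL is the verifier, which removes that protection; the 43-character length of the challenge shown in the post is what an S256 challenge (base64url of a 32-byte digest) looks like.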
All good!