Using Proof Key for Code Exchange (PKCE) in Azure AD

Rory Braybrook
The new control plane
2 min read · Aug 19, 2019

First read my previous post on “Using Proof Key for Code Exchange (PKCE) in ADFS for Windows Server 2019”.

This gives an overview of PKCE and the required C# code to generate the “code_verifier” and the “code_challenge”.

Azure AD is pretty similar.

We use the new “App registration” flow to create a single-tenant web application.

You can enter the “Redirect URI” under “Authentication”. I’m going to use Postman, so the “Redirect URI” is really a dummy entry used only to catch the redirect; in practice it would be your application’s callback URL. Note that the redirect_uri sent on the /authorize and /token calls must match a registered value exactly, or Azure AD rejects the request.

Create a secret key under “Certificates and secrets”. Because this is a “Web” (confidential client) registration, Azure AD still requires the client_secret on the /token call; PKCE is added on top of it rather than replacing it. Only a public client registration (mobile/desktop or SPA) gets to drop the secret and rely on PKCE alone.

The GET to the /authorize endpoint from the browser is:

https://login.microsoftonline.com/my-tenant/oauth2/v2.0/authorize
?response_type=code
&client_id=3f24…5a80
&scope=openid
&redirect_uri=https://jwt.io
&prompt=login
&code_challenge=_r67lcj4MoDNBAkhxS7ke_YKhKCBAiM0SgzNCagbCxo
&code_challenge_method=S256

This brings up the Azure AD log in screen.

Authenticate and you’ll be redirected to:

https://jwt.io/?code=OAQAHGVFHJKKKKKLG4kwzSnx4

The POST to the /token endpoint is a form POST carrying grant_type=authorization_code, the client_id and client_secret, the same redirect_uri, the “code” as returned above, and the code_verifier whose SHA-256 hash was sent as the code_challenge. Azure AD recomputes the challenge from the verifier and compares it with the one it stored against the code; if they don’t match, the token request is rejected.

This returns a successful token response.

Success!

The “code_challenge_method=plain” also works but “S256” is preferred: with “plain” the challenge is the verifier itself, so anyone who can see the /authorize request (browser history, proxy logs, a leaked referrer) already holds everything needed to redeem an intercepted code, whereas with “S256” they would have to invert SHA-256. RFC 7636 says a client that can compute SHA-256 must use S256.
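The whole exchange above, as an added Python example (this is not the author’s C# from the previous post and not Microsoft’s code): it generates the code_verifier and code_challenge per RFC 7636, builds the /authorize URL and the /token form body for a confidential client, and mirrors the check the token endpoint performs. The tenant, client_id, client_secret and code values are placeholders; nothing is sent over the network.

```python
"""PKCE helpers for the Azure AD v2.0 authorization-code flow (added example)."""
import base64
import hashlib
import secrets
import urllib.parse

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
TOKEN = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """43..128 chars of [A-Za-z0-9-._~]; 32 random bytes give exactly 43."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """S256: base64url(SHA-256(verifier)); plain: the verifier itself."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method {method!r}")


def authorize_url(tenant, client_id, redirect_uri, challenge, method="S256"):
    """The browser GET to /authorize, same parameters as in the post."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "prompt": "login",
        "code_challenge": challenge,
        "code_challenge_method": method,
    }
    return AUTHORIZE.format(tenant=tenant) + "?" + urllib.parse.urlencode(params)


def token_request(tenant, client_id, client_secret, redirect_uri, code, verifier):
    """URL and form body for the POST to /token.
    client_secret is required for a 'Web' (confidential) registration;
    pass None for a public client, which relies on PKCE alone."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return TOKEN.format(tenant=tenant), body


def server_accepts(stored_challenge, stored_method, presented_verifier) -> bool:
    """What the token endpoint does with the verifier: check its length,
    recompute the challenge and compare in constant time."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier, stored_method)
    return secrets.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    # Placeholder values (assumptions, not a real tenant or app).
    tenant, client_id, secret = "my-tenant", "3f24-placeholder-5a80", "s3cret"
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, "S256")
    print(authorize_url(tenant, client_id, "https://jwt.io", challenge))
    print(token_request(tenant, client_id, secret, "https://jwt.io",
                        "code-from-redirect", verifier))
    # Why S256 beats plain: an attacker who saw the /authorize request
    # knows the challenge. With 'plain' that IS the verifier; with S256 it isn't.
    print("plain, replayed challenge:", server_accepts(challenge, "plain", challenge))
    print("S256,  replayed challenge:", server_accepts(challenge, "S256", challenge))
    print("S256,  real verifier:     ", server_accepts(challenge, "S256", verifier))
```

Running the script prints the /authorize URL, the /token form body, and three checks: replaying the challenge as the verifier succeeds under “plain” and fails under “S256”, while the genuine verifier succeeds.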

All good!


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5