Using Proof Key for Code Exchange (PKCE) in Azure AD
First read my previous post, “Using Proof Key for Code Exchange (PKCE) in ADFS for Windows Server 2019”.
It gives an overview of PKCE and the C# code needed to generate the “code_verifier” and the “code_challenge”.
Azure AD is pretty similar.
We use the new “App registration” flow to create a single-tenant web application.
Enter the “Redirect URI” under “Authentication”. I’m going to use Postman, so the “Redirect URI” here is really a dummy entry to land on after authentication; in practice this would be your application’s callback URL. Azure AD requires the redirect_uri sent to /authorize and /token to match a registered value exactly, so register the real one.
Create a client secret under “Certificates and secrets”. A web application is a confidential client, so the token request still carries the client secret; PKCE is used in addition to it, not instead of it.
The GET to the /authorize endpoint from the browser is:
https://login.microsoftonline.com/my-tenant/oauth2/v2.0/authorize
&code_challenge=_r67lcj4MoDNBAkhxS7ke_YKhKCBAiM0SgzNCagbCxo
This brings up the Azure AD log in screen.
Authenticate and you’ll be redirected to:
https://jwt.io/?code=OAQAHGVFHJKKKKKLG4kwzSnx4…
The POST command to the /token endpoint is:
where “code” is the value returned in the redirect above, and “code_verifier” is the original random string that the “code_challenge” was derived from.
This returns:
Success!
“code_challenge_method=plain” also works, but “S256” is preferred. With “plain” the code_challenge is the code_verifier itself, so anyone who can observe the authorization request (browser history, proxy logs, a leaky redirect) also has the value needed to redeem an intercepted code; with “S256” only the SHA-256 hash travels in the front channel and the verifier is revealed only in the back-channel POST to /token.
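The whole exchange above, as an added example that is not from the original post or its C# code: it generates the code_verifier and code_challenge, builds the /authorize URL and the /token form body for the Azure AD v2.0 endpoints, and includes the check the authorization server performs at /token so you can see why an intercepted code is useless without the verifier. It is Python rather than the C# of the earlier post. The tenant, client_id, redirect_uri and secret are placeholders, and the “state” parameter is an assumption not shown in the post (it is the usual CSRF binding and Azure AD echoes it back on the redirect).

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder identifiers standing in for the post's tenant and app registration.
TENANT = "my-tenant"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # hypothetical, not a real app
REDIRECT_URI = "https://jwt.io/"                    # the post's dummy redirect target
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 chars drawn from [A-Za-z0-9-._~].
    32 random bytes -> 44 base64url chars -> 43 once the '=' padding is stripped."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    plain: the verifier itself (accepted by Azure AD, but it leaks the secret in the front channel)."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authorize_url(challenge: str, method: str, state: str,
                        scope: str = "openid profile offline_access") -> str:
    """The GET the browser makes to /authorize. 'state' is assumed here; bind it to the session."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": method,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def build_token_request(code: str, verifier: str, client_secret: str) -> dict:
    """Form body (application/x-www-form-urlencoded) for POST /token.
    A web app is a confidential client, so client_secret goes alongside code_verifier."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
        "client_secret": client_secret,
    }


def server_accepts(verifier: str, stored_challenge: str, method: str) -> bool:
    """What the authorization server does at /token: recompute the challenge from the
    presented verifier and compare it with the one received at /authorize."""
    return hmac.compare_digest(make_code_challenge(verifier, method), stored_challenge)


def demo() -> dict:
    """Walk the flow once and show that a stolen code alone does not pass the check."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, "S256")
    url = build_authorize_url(challenge, "S256", state=secrets.token_urlsafe(16))
    # Constructed stand-in for the code Azure AD appends to the redirect; not a real code.
    code = "OAQAH..."
    body = build_token_request(code, verifier, client_secret="<client secret>")
    return {
        "authorize_url": url,
        "token_body": body,
        "legit_client_ok": server_accepts(verifier, challenge, "S256"),
        # Attacker has the code and the challenge (front channel) but must guess the verifier.
        "attacker_ok": server_accepts(make_code_verifier(), challenge, "S256"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The verifier lives only in the client that started the flow (a server-side session for a web app), so the attacker branch in `demo()` always fails: even with the code and the challenge from the redirect, they cannot produce a verifier whose SHA-256 matches.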
All good!