Using the “Run User Flow” with SPA and PKCE with Azure AD B2C
PKCE (Proof Key for Code Exchange) is described here.
From the official OAuth 2.0 spec for PKCE:
This is particularly useful for SPA applications that may be using implicit flow.
Implicit flow is not recommended.
As regards B2C, we can see this when we create a SPA app registration.
When we run a SUSI user flow using this application, we see:
Note the PKCE configuration section.
The full text is:
“The authorization code flow with Proof Key for Code Exchange (PKCE) is recommended for single-page applications (SPAs). A code_challenge is generated below so that you can test the user flow experience. An authorization code, not tokens, will be delivered to the specified reply URL of the application. You can optionally set your own values for the code_verifier and code_challenge_method fields below to be values that your application expects during development so that the application can redeem the authorization code for a token. Learn more”.
On the wire we see:
GET p: B2C_1_SUSI_V2
The “code_challenge” attributes form part of the PKCE flow.
And then we see the code as specified above:
GET code: eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ...