MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Azure B2C: Missing PKCE support for external identity providers #108815

Closed momdim closed 1 year ago

momdim commented 1 year ago

Hi,

We have tried to integrate an OIDC-compliant external identity provider with our Azure B2C custom XML policy flows, but after some testing we realized that Azure B2C OpenID Connect technical profile lacks support for PKCE when using authorization code grant with confidential clients. The OIDC identity provider that we want to use for federation in Azure B2C is OAuth 2.1 compliant, and the use of PKCE is mandatory for both public and confidential clients.

I have found some earlier posts from users who were wondering about support for PKCE in Azure B2C:

However, I haven't managed to find any clear information about whether this is going to be supported or when. As far as I understand, the usage of PKCE can still protect from some types of attacks when it comes to confidential clients - one such scenario could be found on this URL

Are there any plans to support PKCE for external identity providers in Azure B2C? Or any timelines for this?

Also, with more and more IDPs defaulting to OAuth 2.1, I really think that the lack of support for PKCE should be explicitly documented in the official documentation until this is resolved.


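The protection the issue refers to is the binding PKCE (RFC 7636) creates between the authorization request and the token request. The following is an added illustration, not code from the issue, from Azure AD B2C, or from any identity provider: it derives an S256 code challenge as a client would, and models the check a token endpoint performs when the verifier is presented. The authorization code and client id are constructed placeholders.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy verifier, 43-128 unreserved characters (RFC 7636 4.1)."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str, method: str = "S256") -> bool:
    """IdP side: recompute the challenge from the presented verifier and compare in constant time."""
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


def authorize(issued_codes: dict, client_id: str, code_challenge: str, method: str = "S256") -> str:
    """IdP side (authorization endpoint): issue a code bound to the client and its challenge."""
    code = "constructed-auth-code-" + secrets.token_hex(4)  # placeholder, not a real code format
    issued_codes[code] = (client_id, code_challenge, method)
    return code


def token_endpoint(issued_codes: dict, code: str, client_id: str, code_verifier: str) -> bool:
    """IdP side (token endpoint): release tokens only if the code is bound to this client and verifier."""
    entry = issued_codes.pop(code, None)  # authorization codes are single-use
    if entry is None:
        return False
    bound_client, challenge, method = entry
    return bound_client == client_id and verify_pkce(challenge, code_verifier, method)
```

A code obtained by one party but redeemed with a verifier it never generated fails the check, which is the case PKCE closes even when the client also authenticates with a secret.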

Naveenommi-MSFT commented 1 year ago

@momdim Thanks for your feedback! We will investigate and update as appropriate.

jmp601 commented 1 year ago

I am very much interested in having support for PKCE for external Identity providers as well.

kengaderdus commented 1 year ago

We apologize for the delay in our response. Azure AD B2C does not support PKCE for external IDPs, and there are no plans to do so #please-close.