Why does Azure B2C require client_secret when using authorization code flow with PKCE
Our team is building an Angular app that is going to use B2C for authentication/authorization purposes, and in this app we would like to build the OpenID integration using the authorization code flow with PKCE.

Azure B2C seems to support PKCE; however, for some reason it also requires that we send the client_secret when requesting the access token. Is this correct? Shouldn't PKCE eliminate the need for a static client secret when dealing with the authorization code flow?

Formenti answered 31/3, 2020 at 11:59
Hi @TonyJu, thanks for taking the time, but your answer does not cover my question. I would like to know why the client secret is needed when using PKCE, and not how to use the authorization code flow. (Formenti)
Great question! I am wondering the same, as I thought one of the key points of PKCE was that the secret then didn't need to be statically set in the SPA, which it shouldn't be. I see Auth0 do not require this, and they have a good explanation on using the PKCE flow with a SPA. (Monteux)
@Monteux I've found this answer (https://mcmap.net/q/571409/-azure-ad-b2c-clients-must-send-a-client_secret-when-redeeming-a-confidential-grant) that helped me sort it out. Basically MSFT is still working on things, and you have to manually edit the user flow manifest to let them know that your app is a SPA with PKCE enabled. (Formenti)

A client secret is required for web apps; if your app is native, a client secret is not needed.


Reference:

https://medium.com/the-new-control-plane/using-proof-key-for-code-exchange-pkce-in-azure-ad-b2c-9203fbc148fd

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Heisler answered 1/4, 2020 at 2:13
The app is Angular, so not "Native" or what Microsoft currently call a "web app", as it doesn't really have a secure back end to secure the client secret. (Goose)
