Azure AD B2C OpenID Connect provider with code flow - Auth Request from B2C does not pass code challenge and code_challange_method in request

Question

We have configured OpenID Connect provider in Azure B2C that supports 'Authorization Code Flow with PKCE' (does not support implicit flow)

Its a single page angular app, when user select the user store during login the auth request throws an error : "invalid_request, Error Description: Missing parameter: code_challenge_method

it does not pass code_challenge & code_challenge_method in request - Am I missing anything?

Also, OpenId connect provider is configured in custom policy as below,

 `<ClaimsProvider>
  <DisplayName>User Login</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="OIDC-User">
      <DisplayName>User Login</DisplayName>
      <Description>Login with your user account</Description>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="METADATA">https://idp/.well-known/openid-configuration</Item>
        <Item Key="client_id">clientid</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid email</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AppSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <!-- <OutputClaimsTransformation ReferenceId="UserIdentityClaims"/>  -->
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>`

If I just use IDP without going though B2C it works just fine!

Answer 1

Ok, so B2C does not support PKCE for external IDP’s. The reason being B2C would be consider a “confidential client” in respect to OAuth/OIDC.

Authorization code flow with client secret works fine!