Our team is building an Angular app that is gonna use B2C for authentication/authorization purposes and in this app we would like to build the OpenID integration using the authorization code flow with PKCE.

Azure B2C seems to support PKCE; however, for some reason it also requires that we send the client_secret when requesting the access token. Is this correct? Shouldn't PKCE eliminate the need for a static client secret when dealing with the authorization code flow?

Jean Pacher
  • Hi @TonyJu, thanks for taking the time, but your answer does not cover my question. I would like to know why the client secret is needed when using PKCE, and not how to use the client code authorization flow. – Jean Pacher Apr 08 '20 at 11:43
  • Great question! Wondering the same, as I thought one of the key points of PKCE was that the secret then didn't need to be statically set in the SPA, which it shouldn't. I see Auth0 do not require this, and they have a good explanation on using the PKCE flow with an SPA. – gudbrand3 Apr 20 '20 at 05:53
  • @gudbrand3 I've found this answer (https://stackoverflow.com/a/61272502/2363464) that helped me sort it out. Basically MSFT is still working on things and you have to manually edit the user flow manifest to let them know that your app is an SPA with PKCE enabled. – Jean Pacher Dec 02 '20 at 17:23

1 Answer

A client secret is required for web apps; if your app is native, a client secret is not needed.

Reference:

https://medium.com/the-new-control-plane/using-proof-key-for-code-exchange-pkce-in-azure-ad-b2c-9203fbc148fd

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Tony Ju
  • The app is Angular so not "Native" or what Microsoft currently call a "web app" as it doesn't really have a secure back end to secure the client secret. – GazB Apr 08 '20 at 16:53