OAuth 2.0 spec defines confidential and public clients. https://tools.ietf.org/html/rfc6749#section-2.1
Here is the prescription according to the OAuth 2.0 spec
However AD B2C's prescription according to Microsoft documentation is as follows
https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oauth-code
Based on the above inference, we are clear with Web Apps and SPAs, no confusion here.
However for Desktop and mobile apps why is Microsoft suggesting Auth code grant flow even though they are public clients according to Microsoft documentation as well?
@venkatfbi Thanks for your feedback! We will investigate and update as appropriate.
@venkatfbi Please refer to https://tools.ietf.org/html/rfc8252#section-8.2 which says below -
The OAuth 2.0 implicit grant authorization flow (defined in Section 4.2 of OAuth 2.0 [RFC6749]) generally works with the practice of performing the authorization request in the browser and receiving the authorization response via URI-based inter-app communication. However, as the implicit flow cannot be protected by PKCE [RFC7636] (which is required in Section 8.1), the use of the Implicit Flow with native apps is NOT RECOMMENDED.

Access tokens granted via the implicit flow also cannot be refreshed without user interaction, making the authorization code grant flow -- which can issue refresh tokens -- the more practical option for native app authorizations that require refreshing of access tokens.
I hope this helps answer your query.
@MohitGargMSFT, Thanks for the reply.
In that case, can you please confirm whether the Azure AD B2C authorize endpoint supports the code_challenge_method, code_challenge, code_verifier, etc. that are required for PKCE [RFC7636]? The above documentation does not talk about these. It would be helpful if these were documented, if supported.
@venkatfbi Yes, they are supported. I will assign it to content author to update the document with these supported optional parameters.
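As an added example (not code from this thread or from Microsoft's documentation), here is how the three PKCE parameters asked about above fit into the authorize and token requests of a public client. The tenant, policy, client id, redirect URI, scope string and the b2clogin.com endpoint format are placeholders and assumptions, not values from this thread.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder B2C tenant, policy and app registration values (assumed, not from the thread).
TENANT = "contoso"
POLICY = "B2C_1_signupsignin"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "myapp://auth"  # private-use URI scheme typical of native apps (RFC 8252)


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 4.1: high-entropy random string, 43-128 unreserved characters (32 bytes -> 43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """RFC 7636 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_url(challenge: str, state: str, nonce: str) -> str:
    """Authorization request carrying the challenge; the verifier itself never leaves the client."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": f"openid offline_access {CLIENT_ID}",  # offline_access -> refresh token (assumed scope)
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    base = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/oauth2/v2.0/authorize"
    return base + "?" + urlencode(params)


def token_request_body(code: str, verifier: str) -> dict:
    """Code redemption for a public client: code_verifier takes the place of a client_secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


def verifier_matches(verifier: str, challenge: str) -> bool:
    """The server-side check at the token endpoint: recompute the challenge and compare."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)
```

The verifier is generated per authorization request and kept in memory until the code is redeemed; a stolen authorization code is useless to an attacker without it, which is what lets a native or single-page app omit the client_secret.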
Per engineering input, changed the paragraph to refer to refresh tokens:
The OAuth 2.0 authorization code flow is described in section 4.1 of the OAuth 2.0 specification. You can use it for authentication and authorization in most application types, including web applications and natively installed applications. You can use the OAuth 2.0 authorization code flow to securely acquire access tokens and refresh tokens for your applications, which can be used to access resources that are secured by an authorization server. The refresh token allows the client to acquire new access (and refresh) tokens once the access token expires, typically after one hour.
@venkatfbi We will now close this issue. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.
When using PKCE I always get the reply "Clients must send a client_secret when redeeming a confidential grant". But isn't the point of using PKCE that some client apps can't keep a secret a secret? When registering an Azure B2C app as web app or native client, I always get the same error. What am I doing wrong?
@jtourlamain I would like to ask the same question. Trying to integrate authorization code flow with PKCE to my angular app with a B2C authorization server. The server asks for the static client_secret even when I'm using PKCE, why is that?