Azure-docs: I'm getting an error code that doesn't appear in this list: AADB2C99059

@jakehockey10
Thanks for your post! We will investigate and update as appropriate.

This is the error I was getting (it seemed to go away for everyone after a few minutes):

@jakehockey10
Thanks for your screenshot!

If the error went away this might be a potential bug, since we do have another customer that received the same error message on our Q&A forum.

I'll escalate this to our engineering team to see if they can provide additional details.

Sounds like you use a single page application or a mobile app that use authorization code with PKCE. The PKCE flow is an extension to the regular OAuth2 Authorization Code flow. It's the same authorization flow but includes the PKCE elements in the authorization and token requests. A mobile or SPA app generates a cryptographically random key called a code verifier. Then from the code verifier generated, the app create a code challenge. The idea is that the first  request (authorization) contains the  code challenge, while the second request (token) contains the code verifier. So, the IDP can compare both codes and knowing the both request coming from the same client.  Even that a malicious user can intercept the authorization code, but this user doesn’t have access to the code challenge or verifier, since they both are sent over HTTPS, and can't redeem the authorization token to an access token.  Specially that the code challenge is sent on the second call and the authorization code already redeemed and can't be use anymore. In your case Azure AD B2C expects the app to send the code_challenge.

Could you please provide for information about the app? And if you can the authorisation request.

@jakehockey10
I just wanted to check in and see if you had a chance to review Yoel's post.

If you have any other questions, please let us know.
Thank you for your time and patience throughout this issue.

It appears the code_challenge parameter is required on the requests now? The documentation says it is optional: https://docs.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow.

Old request that worked fine until today:
https://########.b2clogin.com/##########.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_GCS_SignIn&client_id=######################&nonce=defaultNonce&redirect_uri=https://#########.b2clogin.com/oauth2/nativeclient&scope=https://########.onmicrosoft.com/dot/openid%20https://#########.onmicrosoft.com/dot/offline_access&response_type=code&prompt=login

to get it to work we have to add:
&code_challenge=##################&code_challenge_method=S256

This is an electron app that gets deployed to customers. Very frustrating that we have to suddenly create a new release and deploy it ASAP. Especially after the many Microsoft outages lately.

Hi @thomaschadwick,

Would you able to verify if the redirect_uri you are using is registered as SPA or installed client(native client)?

It is registered as a SPA. When we try to use 'native client' it doesn't provide a refresh token.

Gotcha! B2C has not officially started supporting SPA applications, but as we are starting to support SPA apps, we'll require code_challenge. If there is documentation that says we don't require code_challenge for SPA apps, we'll need to correct that right away.

As for the native client not being able to get a refresh token. What is being returned when you request for refresh_token? I believe you would still need to do code_challenge with native applications for refresh_token to be returned.

@yoelhor Thanks for the response. I was just reporting the error code not being in the documentation, and I think I understand why it isn't now. I am using the msal-angular library, so I'm not sure of the internals of what is going on enough to elaborate further. This was something that occurred for about 20 minutes the other day and then seemed to go back to normal. We have this registered as a SPA and for the most part it has been working as expected since November of last year.

@jakehockey10
Thank you for the quick response! Since this issue was created by you and is resolved, I'll go ahead and close out this issue.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Noticed this problem here too and I fear the client implementation we use (https://github.com/adfinis-sygroup/ember-simple-auth-oidc) lack support of the code_challenge extension.. I'm surprised of the statement that B2C doesn't officially support SPA applications, it would appear it is a supported feature in both the portal and docs. This is what the docs at https://docs.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow say about code_challenge:

Hi folks,

Summary of status and guidance. We're making documentation updates over the next day or so to clarify this scenario.

Expected configuration
Applications with platform/reply urls of type "SPA", as indicated under App registrations > Application > Authentication, should use code_challange ("PKCE") if using the authorization code flow.

Why was this not enforced previously?
The use of authorization code flow with app type of "SPA" had not yet been announced. In B2C's documentation, we still guided users towards implicit flow and had not yet documented app type=SPA with auth code. MSAL documentation and samples also indicated that this flow was not supported for Azure AD B2C. Nonetheless, there may have been some gaps in our documentation that didn't make this clear and some customers may have gotten into an end state of using auth code with app type = SPA _without_ using code_challange.

What about apps using implicit flow
Apps using implicit flow do not need (and do not support) code_challange. We had a brief bug that enforced code_challange for implicit flow if app type=SPA. This was quickly rolled back and may explain the error message for some customers who aren't using the auth code flow.

Next steps
If you're using auth code flow with app type of "SPA", you should use code_challange and update your app to do so if it's not already using it. This is a security vulnerability for you otherwise. If this is problematic for you, please file a support ticket.

We have started getting this error when a user tries to reset a password.

We are using B2C Identity Framework Experience with custom flows. As far as I tell it is B2C that is making the request for the password reset (ie this is not a call we are making from our code).

Our apps are registered as SPA, and we are using the "code" auth flow. It has been working fine for the last few months :-)

Hi @douglas-woods, please review the statement by @nickgmicrosoft. SPA was not officially supported initially, and as we are adding support we are aligning with the implementation of other products in Azure. Applications that have URLs that are registered as SPA must present code_challenge.

Hi @HarmanDhunna, yes I understand that statement, but It is B2C IEF infrastructure that is NOT sending the code_challenge (completely out of the control of our app). Who do I need to contact to see when this is going to be fixed/supported by B2C IEF??

In your application, the reset password click goes to the authorize endpoint with the password reset policy as one of the parameters. In that same request, you need to provide code_challenge. This request is not triggered by B2C. In your password reset event, your application must have some authorize URL in there you need to add code_challenge and it's value.

@HarmanDhunna Is there any guidance on what that code is and how to generate it ? Should it be unique per request ? Unique per service ? The documentation doesn't say a lot so I have no idea what to do other than hardcoding that value

It appears the code_challenge parameter is required on the requests now? The documentation says it is optional: https://docs.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow.

Old request that worked fine until today:
https://########.b2clogin.com/##########.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_GCS_SignIn&client_id=######################&nonce=defaultNonce&redirect_uri=https://#########.b2clogin.com/oauth2/nativeclient&scope=https://########.onmicrosoft.com/dot/openid%20https://#########.onmicrosoft.com/dot/offline_access&response_type=code&prompt=login

to get it to work we have to add:
&code_challenge=##################&code_challenge_method=S256

This is an electron app that gets deployed to customers. Very frustrating that we have to suddenly create a new release and deploy it ASAP. Especially after the many Microsoft outages lately.

Hi, Im having same issue with when pressing "Forgot password", how did you get the code challenge value and method?

@luklew on my side I have hardcoded both, and it works. I am waiting for a response to my last message to get some advice of how this should be implemented

@luklew and @majkelllo , please find documentation here:
B2C MSAL sample
Auth code flow reference

In general, we recommend you use an auth library like MSAL to do the code generation/etc. for you. But if not available in your platform/etc., you can read the auth code reference for an overview of how it works and what parameters are needed. That includes a link to the PKCE open standard spec for further details on the protocol.

For PKCE, we follow the OIDC spec pretty closely. Take a peek at this document. It does cover what the query parameters are, but for generating the particular values we do not have any guide.

Edit: What @nickgmicrosoft said ^ :)

Got this error too, after following the docs step by step:

1. Create B2C tenant
   https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant
2. Register SPA
   https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-spa
3. Create user flow
   https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows

When validating the sign up and sign in flow, I get the error message _"The supplied request must present a code_challenge"_

Is there a way to validate things without using a library? Can we also update the documentation or fix that?

same as @HaimBendanan I am seeing this error when trying to test the user flow using Azure Portal (my app is set to SPA)