Advice on using with Azure B2C OIDC, which lacks the OpenID configuration key `code_challenge_methods_supported`

### Description

[In the case of Azure B2C's OIDC implementation, configuration objects do not contain valid PKCE configuration for the code challenge method](https://learn.microsoft.com/en-us/answers/questions/218113/openid-connect-authorization-code-flow-with-proof).

However, [the docs also suggest that the method will always be `S256`](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-authorization-code). 

Example OpenID configuration:
```
{
  "token_endpoint": "https://login.microsoftonline.com/REDACTED_TENANT_ID/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "client_secret_basic"
  ],
  "jwks_uri": "https://login.microsoftonline.com/REDACTED_TENANT_ID/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "id_token token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "offline_access"
  ],
  "issuer": "https://login.microsoftonline.com/REDACTED_TENANT_ID/v2.0",
  "request_uri_parameter_supported": false,
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "authorization_endpoint": "https://login.microsoftonline.com/REDACTED_TENANT_ID/oauth2/v2.0/authorize",
  "device_authorization_endpoint": "https://login.microsoftonline.com/REDACTED_TENANT_ID/oauth2/v2.0/devicecode",
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "https://login.microsoftonline.com/REDACTED_TENANT_ID/oauth2/v2.0/logout",
  "claims_supported": [
    "sub",
    "iss",
    "cloud_instance_name",
    "cloud_instance_host_name",
    "cloud_graph_host_name",
    "msgraph_host",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "nonce",
    "preferred_username",
    "name",
    "tid",
    "ver",
    "at_hash",
    "c_hash",
    "email"
  ],
  "kerberos_endpoint": "https://login.microsoftonline.com/REDACTED_TENANT_ID/kerberos",
  "tenant_region_scope": "EU",
  "cloud_instance_name": "microsoftonline.com",
  "cloud_graph_host_name": "graph.windows.net",
  "msgraph_host": "graph.microsoft.com",
  "rbac_url": "https://pas.windows.net"
}
```

Note the lack of a `code_challenge_methods_supported` key, which results in `oidcc` always returning a `no_supported_code_challenge` error tuple. [Relevant `oidcc` code here](https://github.com/erlef/oidcc/blob/67f1c6ddbea62063519a4b5df8f43fdb9e9f027a/src/oidcc_authorization.erl#L172-L177).

Since `oidcc` doesn't (yet) support [implicit](https://github.com/erlef/oidcc/discussions/367)/[hybrid](https://github.com/erlef/oidcc/discussions/368) flows, is there a way I can work around this limitation of Azure's OIDC offering? Perhaps a way of providing [a configuration option in `oidcc_authorization.opts()`](https://hexdocs.pm/oidcc/oidcc_authorization.html#t:opts/0-parameters)?

Any advice is appreciated. 🙏 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Advice on using with Azure B2C OIDC, which lacks the OpenID configuration key `code_challenge_methods_supported` #376

Description

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Advice on using with Azure B2C OIDC, which lacks the OpenID configuration key code_challenge_methods_supported #376

Description

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Advice on using with Azure B2C OIDC, which lacks the OpenID configuration key `code_challenge_methods_supported` #376