
I’m using the OAuth 2.0 authorization code flow, but I noticed that I’m able to reuse the same authorization code and the server responds with a new id token.

And as per the OAuth 2.0 specification, the client MUST NOT reuse the same authorization code (https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2).

Am I missing any settings in my policy? The only documentation that I found about the authorization code flow in Azure AD B2C is the following: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy#authorization-code-lifetime

[screenshot: POSTMAN]

Edited:

I generated the auth-code by using the endpoint below:

https://tenant.b2clogin.com/tenant/policy/oauth2/v2.0/authorize?client_id=clientid&response_type=code&redirect_uri=https://jwt.ms&scope=openid&response_mode=query&code_challenge=codechallenge&code_challenge_method=S256

I generated the access token by using parameters like the ones below:

[screenshot not included]

But I’m still able to generate tokens using the same code:

[screenshot not included]

Here’s my new app:

[screenshot not included]

2 Answers


  1. I tried to reproduce the same in my environment and got the error below when I tried to reuse the auth-code:

    [screenshot not included]

    I created an Azure AD B2C application and added an SPA redirect URI like below:

    [screenshot not included]

    I generated the auth-code by using the endpoint below:

    https://tenant.b2clogin.com/tenant.onmicrosoft.com/policy/oauth2/v2.0/authorize?
    client_id=ClientID
    &response_type=code
    &redirect_uri=RedirectUri
    &response_mode=query
    &scope=scope
    &state=state
    &code_challenge=codechallenge
    &code_challenge_method=S256
    

    [screenshot not included]

    I generated the access token by using parameters like the ones below:

    https://tenant.b2clogin.com/tenant.onmicrosoft.com/policy/oauth2/v2.0/token 
    
    grant_type=authorization_code
    &client_id=ClientID
    &scope=scope
    &redirect_uri=redirectUri
    &code_verifier=codeverifier
    

    [screenshot not included]

    When I tried to reuse the code, I got the error below:

    [screenshot not included]

    Note that by default, the auth-code lifetime in Azure AD B2C is 10 minutes, and it cannot be changed.

    • By default, Azure AD B2C will not generate the token if the auth-code has already been used.
    • Make sure to use HTTPS to transmit the auth-code.
    • While generating the auth-code, make sure to receive the prompt while signing in by using prompt in the authorize endpoint.
    • If the issue still persists, try registering a new application and check again.

    Reference:

    Updates and breaking changes – Microsoft Entra

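The behaviour this answer (and the question's Postman test) expects, an authorization code that is redeemed once and refused on every later presentation, is easiest to see in code. The following Python is an added example, not Azure AD B2C's or Microsoft's implementation: a toy in-memory authorization server that issues a code bound to the client_id, redirect_uri and PKCE code_challenge, then rejects a second redemption, an expired code (using the 10-minute lifetime the answer cites) and a wrong code_verifier. The client_id and redirect_uri values are placeholders taken from the question; all server state and token values are constructed for the demo.

```python
import base64
import hashlib
import secrets
import time

# Constructed example: a toy in-memory authorization server showing what an
# RFC 6749 / RFC 7636 compliant /token endpoint checks before redeeming an
# authorization code. Not Azure AD B2C's implementation.

CODE_LIFETIME_SECONDS = 600  # the 10-minute auth-code lifetime the answer cites


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) for code_challenge_method=S256."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Client side: a fresh high-entropy code_verifier and its S256 code_challenge."""
    code_verifier = _b64url(secrets.token_bytes(32))
    return code_verifier, s256_challenge(code_verifier)


class ToyAuthServer:
    """Keeps per-code state, which is exactly what makes single-use enforceable."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._codes: dict = {}   # code -> issuance record

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
            "issued_at": self._now(),
            "redeemed": False,
        }
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        def fail(reason: str) -> dict:
            return {"error": "invalid_grant", "error_description": reason}

        rec = self._codes.get(code)
        if rec is None:
            return fail("unknown authorization code")
        # Single use (RFC 6749 section 4.1.2): a second presentation fails even
        # when every other parameter is correct. A production server would also
        # revoke tokens previously issued from this code.
        if rec["redeemed"]:
            return fail("authorization code already redeemed")
        if self._now() - rec["issued_at"] > CODE_LIFETIME_SECONDS:
            return fail("authorization code expired")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return fail("client_id or redirect_uri does not match the authorize request")
        # PKCE (RFC 7636 section 4.6): the verifier must hash to the challenge sent at /authorize.
        if not secrets.compare_digest(s256_challenge(code_verifier), rec["code_challenge"]):
            return fail("PKCE code_verifier does not match code_challenge")
        rec["redeemed"] = True   # mark before issuing so a concurrent retry also fails
        return {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(16),
            "id_token": "<constructed placeholder, not a real JWT>",
        }


def demo() -> tuple[dict, dict]:
    """Redeem one code twice; returns (first_response, second_response)."""
    client_id, redirect_uri = "clientid", "https://jwt.ms"   # placeholders from the question
    verifier, challenge = make_pkce_pair()
    server = ToyAuthServer()
    code = server.authorize(client_id, redirect_uri, challenge)
    first = server.token(code, client_id, redirect_uri, verifier)
    second = server.token(code, client_id, redirect_uri, verifier)
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first redemption :", "access_token" in first)
    print("second redemption:", second)
```

The order of the checks matters: the "already redeemed" test comes before the PKCE comparison so that a replayed code is refused without leaking whether the attached verifier was right, and the record is marked redeemed before any token is minted.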
  2. If you are not using a nonce claim, this is expected behavior due to a known limitation with B2C.

    According to RFC 6749 – The OAuth 2.0 Authorization Framework:

    The authentication code should be used one time.

    With standard Azure AD, a fix was released in 2018:

    Azure Active Directory breaking changes reference | Microsoft Docs

    This is because B2C is stateless and does not follow the OTP RFC standard here. Standard Azure AD made engineering provisions to track and invalidate AuthZ codes back in 2018, but Azure AD B2C has not completed this work yet. B2C would have to become a stateful service and this is a significant investment. So while this is a known issue, this work is not completed at this time.

    A workaround is to use the nonce claim.

    See also: B2C nonce

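The nonce workaround this answer points to only helps if the relying party actually binds each nonce to one login attempt and accepts it once. The following Python is an added example, not B2C's or any library's code: a client-side nonce registry plus an acceptance check that refuses an id_token whose nonce is missing, belongs to a different session, or has already been consumed, so a replayed authorization code is caught on the client even though the server does not invalidate it. It assumes signature, issuer, audience and expiry have already been verified by a JWT library against the tenant's JWKS; the id_token used here is a constructed, unsigned token-shaped string for the demo only.

```python
import base64
import json
import secrets
import time

# Constructed example, not Azure AD B2C's or any library's code: a relying
# party that binds a nonce to each login attempt and accepts it exactly once,
# so a replayed authorization code (and the id_token minted from it) is refused
# on the client side even when the server does not invalidate the code.


class NonceRegistry:
    def __init__(self, ttl_seconds: int = 600, now=time.time):
        self._ttl = ttl_seconds
        self._now = now
        self._pending: dict = {}   # nonce -> issued_at; entry removed on first use

    def issue(self) -> str:
        """Call when building the /authorize URL; store the value in the user's session too."""
        nonce = secrets.token_urlsafe(32)
        self._pending[nonce] = self._now()
        return nonce

    def consume(self, nonce: str) -> bool:
        """True the first time a live nonce is presented; False for unknown, replayed or expired."""
        issued_at = self._pending.pop(nonce, None)
        if issued_at is None:
            return False
        return self._now() - issued_at <= self._ttl


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def id_token_claims(id_token: str) -> dict:
    """Payload segment only. Assumption: signature, iss, aud and exp were already
    verified by a JWT library against the tenant's JWKS before this is called."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def accept_login(id_token: str, session_nonce: str, registry: NonceRegistry) -> tuple[bool, str]:
    """Decide whether this id_token completes the login attempt tied to session_nonce."""
    token_nonce = id_token_claims(id_token).get("nonce")
    if not isinstance(token_nonce, str):
        return False, "id_token carries no nonce claim"
    if not secrets.compare_digest(token_nonce.encode(), session_nonce.encode()):
        return False, "nonce does not belong to this session's login attempt"
    if not registry.consume(token_nonce):
        return False, "nonce already used or expired: replayed code or token"
    return True, "ok"


def make_constructed_id_token(claims: dict) -> str:
    """Unsigned, token-shaped string for the demo only (alg none); never accept such a token for real."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def demo() -> list[tuple[bool, str]]:
    """Same id_token presented twice: accepted once, refused as a replay the second time."""
    registry = NonceRegistry()
    nonce = registry.issue()
    token = make_constructed_id_token({"sub": "constructed-user", "nonce": nonce})
    return [accept_login(token, nonce, registry), accept_login(token, nonce, registry)]


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

In a real deployment the registry would live in shared storage (a database or cache keyed by nonce) rather than process memory, and the session nonce would be the value stored server-side when the /authorize redirect was built, never one taken from the request.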