I’m using the OAuth 2.0 authorization code flow, but I noticed that I’m able to reuse the same authorization code and the server responds with a new id token.
And as per the OAuth 2.0 specification, the client MUST NOT reuse the same authorization code (https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2).
Am I missing any settings in my policy? The only documentation that I found about the authorization code flow in Azure AD B2C is the following: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy#authorization-code-lifetime
Edited:
I generated the auth-code by using the endpoint below:
https://tenant.b2clogin.com/tenant/policy/oauth2/v2.0/authorize?client_id=clientid&response_type=code&redirect_uri=https://jwt.ms&scope=openid&response_mode=query&code_challenge=codechallenge&code_challenge_method=S256
I generated the access token by using the parameters below:
But I am still able to generate tokens using the same code.
Here’s my new app:
2 Answers
I tried to reproduce the same in my environment and got the error below when I tried to reuse the auth-code:
I created an Azure AD B2C application and added a SPA redirect URI as below:
I generated the auth-code by using the endpoint below:
I generated the access token by using the parameters below:
When I tried to reuse the code, I got the error below:
prompt in the authorize endpoint. Reference:
Updates and breaking changes – Microsoft Entra
If you are not using a nonce claim, this is expected behavior due to a known limitation with B2C.
According to the RFC (6749) – The OAuth 2.0 Authorization Framework
The authentication code should be used one time.
With standard Azure AD, a fix was released in 2018:
Azure Active Directory breaking changes reference | Microsoft Docs
This is because B2C is stateless and does not follow the OTP RFC standard here. Standard Azure AD made engineering provisions to track and invalidate AuthZ codes back in 2018, but Azure AD B2C has not completed this work yet. B2C would have to become a stateful service and this is a significant investment. So while this is a known issue, this work is not completed at this time.
A workaround is to use the nonce claim.
See also: B2C nonce
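The nonce workaround from the last answer, together with the PKCE S256 authorize request from the question, as an added client-side example (not code from the thread or from Microsoft). It assumes the tenant, policy and client_id values are placeholders, and that the id_token's signature, issuer and expiry are verified separately before its claims reach accept_id_token.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE and JWTs use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """code_challenge for code_challenge_method=S256 (RFC 7636)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


class NonceStore:
    """Nonces the client issued and has not yet seen in an id_token.
    Because B2C does not invalidate a redeemed code, the client must
    refuse a second id_token carrying a nonce it already accepted."""

    def __init__(self) -> None:
        self._pending: set[str] = set()

    def issue(self) -> str:
        nonce = b64url(secrets.token_bytes(16))
        self._pending.add(nonce)
        return nonce

    def redeem(self, nonce: str) -> bool:
        if nonce in self._pending:          # issued by us and never used
            self._pending.discard(nonce)    # single use from now on
            return True
        return False


def build_authorize_url(tenant, policy, client_id, redirect_uri,
                        code_challenge, nonce, state) -> str:
    # Same endpoint shape as the question's request, plus nonce and state.
    base = f"https://{tenant}.b2clogin.com/{tenant}/{policy}/oauth2/v2.0/authorize?"
    return base + urlencode({
        "client_id": client_id, "response_type": "code",
        "redirect_uri": redirect_uri, "scope": "openid",
        "response_mode": "query", "code_challenge": code_challenge,
        "code_challenge_method": "S256", "nonce": nonce, "state": state})


def accept_id_token(claims: dict, store: NonceStore, client_id: str) -> bool:
    """True only for a token addressed to us whose nonce is fresh."""
    return claims.get("aud") == client_id and store.redeem(claims.get("nonce", ""))
```

This does not stop the token endpoint from re-issuing tokens for a replayed code; it stops this client from accepting the second id_token, which is the protection the nonce gives you.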