Skip to content

docs(b2c): enhance access token request documentation for Azure AD B2C#128560

Open
tanvishinde017 wants to merge 8 commits into
MicrosoftDocs:mainfrom
tanvishinde017:main
Open

docs(b2c): enhance access token request documentation for Azure AD B2C#128560
tanvishinde017 wants to merge 8 commits into
MicrosoftDocs:mainfrom
tanvishinde017:main

Conversation

@tanvishinde017

Copy link
Copy Markdown

No description provided.

@prmerger-automator

Copy link
Copy Markdown
Contributor

@tanvishinde017 : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

@learn-build-service-prod

Copy link
Copy Markdown
Contributor

Learn Build status updates of commit 9178c92:

💡 Validation status: suggestions

File Status Preview URL Details
articles/active-directory-b2c/access-tokens.md 💡Suggestion Details

articles/active-directory-b2c/access-tokens.md

  • Line 12, Column 16: [Suggestion: value-deprecated-replace - See documentation] The 'ms.service: azure-active-directory, ms.subservice: b2c' you used is now deprecated and can no longer be used. We suggest you replace it with 'ms.service: entra-id, ms.subservice: b2c'.

For more details, please refer to the build report.

Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.

@prmerger-automator

Copy link
Copy Markdown
Contributor

PRMerger Results

Issue Description
File Change Percent This PR contains file(s) with more than 30% file change.

@learn-build-service-prod

Copy link
Copy Markdown
Contributor

Learn Build status updates of commit 3e8e035:

💡 Validation status: suggestions

File Status Preview URL Details
articles/active-directory-b2c/access-tokens.md 💡Suggestion Details
redirects/.openpublishing.redirection.ansible.json ✅Succeeded

articles/active-directory-b2c/access-tokens.md

  • Line 12, Column 16: [Suggestion: value-deprecated-replace - See documentation] The 'ms.service: azure-active-directory, ms.subservice: b2c' you used is now deprecated and can no longer be used. We suggest you replace it with 'ms.service: entra-id, ms.subservice: b2c'.

For more details, please refer to the build report.

Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.

@prmerger-automator

Copy link
Copy Markdown
Contributor

PRMerger Results

Issue Description
File Change Percent This PR contains file(s) with more than 30% file change.
Json File This PR contains json file(s).

@ttorble ttorble requested a review from Copilot June 8, 2026 14:29

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the Azure AD B2C access token request documentation to be clearer and more structured for developers requesting tokens for web apps and web APIs.

Changes:

  • Reworked the end-of-sale notice and improved readability of the introductory notes.
  • Expanded scope explanation with clearer examples and formatting.
  • Improved the authorization code + token exchange walkthrough, including tool suggestions and response sections.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +19 to +20
> [!NOTE]
> Azure Active Directory B2C is approaching end of sale. See the Azure AD B2C end-of-sale announcement for more information.
Comment on lines +104 to +111
| Placeholder | Description |
|-------------|-------------|
| `<tenant-name>` | Name of your Azure AD B2C tenant. If you're using a custom domain, replace `tenant-name.b2clogin.com` with your custom domain. |
| `<policy-name>` | Name of your user flow or custom policy. |
| `<application-ID>` | Application (client) ID of the web application. |
| `<application-ID-URI>` | Application ID URI configured under **Expose an API**. |
| `<scope-name>` | Scope name configured under **Expose an API**. |
| `<redirect-uri>` | Redirect URI registered for the application. |
## Example decoded access token

When you inspect the token using `https://jwt.ms`, the payload resembles:

@ttorble

ttorble commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

@kengaderdus

Can you review the proposed changes? This content requires automated and human checks available only in the private repository. Please close this PR (#please-close) and move the commits to the private repository. If you need help moving the commits, contact the publicprs alias.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

@ttorble ttorble added the aq-pr-triaged tracking label for the PR review team label Jun 8, 2026
@learn-build-service-prod

Copy link
Copy Markdown
Contributor

Learn Build status updates of commit 94af2d6:

❌ Validation status: errors

Please follow instructions here which may help to resolve issue.

File Status Preview URL Details
❌Error Details

  • [Error: CannotMergeCommit] Cannot merge commit 94af2d6ba1bb93957197100624870f247e97360f in branch main of repository https://github.com/tanvishinde017/azure-docs into branch main (commit ece4701867335f83c314d170f76f6f50865a2646). Please follow this documentation: https://help.github.com/articles/resolving-a-merge-conflict-using-the-command-line/ to use git.exe to resolve you content conflicts locally and then push to remote.

For more details, please refer to the build report.

Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.

@learn-build-service-prod

Copy link
Copy Markdown
Contributor

Learn Build status updates of commit 90244d9:

❌ Validation status: errors

Please follow instructions here which may help to resolve issue.

File Status Preview URL Details
❌Error Details

  • [Error: CannotMergeCommit] Cannot merge commit 90244d998fd98d5e2ce2bdcfbae741977f41dc8d in branch main of repository https://github.com/tanvishinde017/azure-docs into branch main (commit ece4701867335f83c314d170f76f6f50865a2646). Please follow this documentation: https://help.github.com/articles/resolving-a-merge-conflict-using-the-command-line/ to use git.exe to resolve you content conflicts locally and then push to remote.

For more details, please refer to the build report.

Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.

@learn-build-service-prod

Copy link
Copy Markdown
Contributor

Learn Build status updates of commit 5844e64:

⚠️ Validation status: warnings

File Status Preview URL Details
articles/active-directory-b2c/access-tokens.md ⚠️Warning Details
README.md ✅Succeeded
redirects/.openpublishing.redirection.ansible.json ✅Succeeded

articles/active-directory-b2c/access-tokens.md

  • Line 9, Column 1: [Warning: yaml-duplicate-key] Key 'ms.service' is already defined, remove the duplicate key.
  • Line 9, Column 1: [Warning: yaml-duplicate-key] Key 'ms.service' is already defined, remove the duplicate key.

For more details, please refer to the build report.

Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.

@kushdab

kushdab commented Jun 25, 2026

Copy link
Copy Markdown

Great improvement to the access token docs! While reviewing this PR, I noticed an additional gap worth addressing in the same section: the authorization code flow examples are missing PKCE (code_challenge / code_verifier).

Why it matters

PKCE (Proof Key for Code Exchange) is required for public clients (SPAs, mobile apps) under OAuth 2.1, and strongly recommended for all authorization code flows. As-is, the doc teaches a pattern that Microsoft's own security guidance flags as a risk — an intercepted authorization code can be exchanged without code_verifier proof.

Suggested addition

Step 1 — Generate a code verifier and challenge (add before the authorize request)

import os, hashlib, base64

code_verifier = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b'=').decode()
code_challenge = base64.urlsafe_b64encode(
    hashlib.sha256(code_verifier.encode()).digest()
).rstrip(b'=').decode()

Step 2 — Authorization request (add code_challenge params)

GET https://<tenant-name>.b2clogin.com/...
  ...
  &code_challenge=<code_challenge>
  &code_challenge_method=S256

Step 3 — Token request (add code_verifier)

grant_type=authorization_code
&client_id=<application-ID>
&scope=...
&code=<authorization-code>
&redirect_uri=...
&code_verifier=<code_verifier>

Also worth noting: the example token response in the doc omits refresh_token even though offline_access is listed as a supported scope above it — that trips up developers who don't see it in the JSON and assume something is broken.

Happy to contribute these changes directly if it helps move this PR forward.

@v-dirichards

Copy link
Copy Markdown
Contributor

Great improvement to the access token docs! While reviewing this PR, I noticed an additional gap worth addressing in the same section: the authorization code flow examples are missing PKCE (code_challenge / code_verifier).

Why it matters

PKCE (Proof Key for Code Exchange) is required for public clients (SPAs, mobile apps) under OAuth 2.1, and strongly recommended for all authorization code flows. As-is, the doc teaches a pattern that Microsoft's own security guidance flags as a risk — an intercepted authorization code can be exchanged without code_verifier proof.

Suggested addition

Step 1 — Generate a code verifier and challenge (add before the authorize request)

import os, hashlib, base64

code_verifier = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b'=').decode()
code_challenge = base64.urlsafe_b64encode(
    hashlib.sha256(code_verifier.encode()).digest()
).rstrip(b'=').decode()

Step 2 — Authorization request (add code_challenge params)

GET https://<tenant-name>.b2clogin.com/...
  ...
  &code_challenge=<code_challenge>
  &code_challenge_method=S256

Step 3 — Token request (add code_verifier)

grant_type=authorization_code
&client_id=<application-ID>
&scope=...
&code=<authorization-code>
&redirect_uri=...
&code_verifier=<code_verifier>

Also worth noting: the example token response in the doc omits refresh_token even though offline_access is listed as a supported scope above it — that trips up developers who don't see it in the JSON and assume something is broken.

Happy to contribute these changes directly if it helps move this PR forward.

@tanvishinde017 Can you respond to the requested changes?

@kushdab - When the changes are ready for publication, adding a #sign-off comment is the best way to signal that the PR is ready for the review team to merge.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants