Azure B2C 身份验证与隐式授权流程

Question

I'm using an Azure B2C Tenant which has some users. I created an application and in the authentication I choose web . I deselected the implicit grant flow because I was getting the warning This app has implicit grant settings enabled. If you are using any of these URIs in a SPA with MSAL.js 2.0, you should migrate URIs. This app has implicit grant settings enabled. If you are using any of these URIs in a SPA with MSAL.js 2.0, you should migrate URIs. I selected Local only and no other provider. I also have a Sing In User flow. I could not even see the login page from my C# ASP.NET application with those settings. So I selected the implicit flow . That solved the problem and I can see the login page and can login.

My question is why should I need am implicit flow for a web authentication.

Answer 1

You don't need implicit flow unless you are using older versions of MSAL ie, MSAL1.XXX version.

The latest version of MSAL.js ie, MSAL 2.XXX version only works with the authorization code flow with PKCE instead of implicit flow. So you need to implement PKCE flow instead of implicit Grand.

If you are using latest version of MSAL please don't use Access_token and id_token settings which will enable implicit flow.

Answer 2

If you're using the Microsoft Identity Web authentication library or one of the Microsoft Identity Web project templates, then it passes response_type=code id_token in the authorization request, which represents the hybrid flow .

This is why you must select the "ID tokens" settings for the application registration.