I have set up a B2C identity provider pointing to the online test version of IdentityServer4:
https://demo.identityserver.io
My app registration is for a SPA application.
My user policy is a standard SUSI one.
Using the "Run now" option, the following parameters are sent:
p: B2C_1_SUSI_B2C
client_id: 5e58...620a
nonce: defaultNonce
redirect_uri: https://jwt.ms
scope: openid
response_type: code
prompt: login
code_challenge_method: S256
code_challenge: D9pGhYDch4f8F3V0MsDvaEQWH3-ssqucs3ixxTAgX6k
This contains the PKCE parameters as expected.
I get the B2C login screen and click the IdentityServer4 button.
The following parameters are sent to IdentityServer4:
client_id: interactive.public
redirect_uri: https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/authresp
response_type: code
scope: openid
response_mode: form_post
nonce: HZ0avacgvKw5Jyp6W4k1Tw==
ui_locales: en-US
state: StateProperties=eyJTSUQiOiJ4....
Notice that there are no longer any PKCE parameters.
IdentityServer4 responds:
Error
Sorry, there was an error : invalid_request
code challenge required
How do you get the PKCE parameters to be forwarded?
This is not possible right now. There is also almost no value in using PKCE here, as it is a confidential client flow.
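The two authorization requests in the question differ only in the PKCE parameters, and IdentityServer4 rejects the second one for exactly that reason. The script below is an added illustration, not code from the question, the answer, Azure AD B2C or IdentityServer4: it derives an RFC 7636 S256 code_challenge from a code_verifier, applies the checks a PKCE-requiring authorize endpoint performs (reproducing the "code challenge required" outcome for the parameter set B2C sent and accepting the one the SPA sent), and shows the token-endpoint verification that makes PKCE work end to end. The /connect/authorize path, the build_authorize_request helper and the sample verifier (the RFC 7636 Appendix B test vector) are assumptions; the two parameter dictionaries are copied from the question, with the client_id truncated as it is there.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

# Assumed: standard IdentityServer authorize path on the demo host named in the question.
AUTHORIZE_ENDPOINT = "https://demo.identityserver.io/connect/authorize"

# RFC 7636 section 4.1: 43..128 characters from the unreserved set [A-Za-z0-9-._~]
_UNRESERVED_43_128 = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes encode to a 43-character verifier (the RFC minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_request(client_id, redirect_uri, state, nonce, verifier, scope="openid"):
    """Client side (hypothetical helper): the parameter set a PKCE-aware client sends."""
    return {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "response_mode": "form_post",
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def authorize_url(params):
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def check_authorize_request(params, require_pkce=True):
    """Server side, authorize endpoint. Returns None when acceptable, otherwise
    an (error, error_description) pair in the style of an OAuth error response."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")  # RFC 7636 default when absent
    if challenge is None:
        return ("invalid_request", "code challenge required") if require_pkce else None
    if method not in ("plain", "S256"):
        return ("invalid_request", "transform algorithm not supported")
    if not _UNRESERVED_43_128.fullmatch(challenge):
        return ("invalid_request", "invalid code challenge")
    return None


def verify_code_verifier(stored_challenge, stored_method, verifier):
    """Server side, token endpoint: recompute the challenge from the presented
    code_verifier and compare in constant time."""
    if not _UNRESERVED_43_128.fullmatch(verifier):
        return False
    expected = code_challenge_s256(verifier) if stored_method == "S256" else verifier
    return secrets.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


# Constructed sample data: the two parameter sets from the question.
SPA_TO_B2C = {
    "p": "B2C_1_SUSI_B2C",
    "client_id": "5e58...620a",
    "nonce": "defaultNonce",
    "redirect_uri": "https://jwt.ms",
    "scope": "openid",
    "response_type": "code",
    "prompt": "login",
    "code_challenge_method": "S256",
    "code_challenge": "D9pGhYDch4f8F3V0MsDvaEQWH3-ssqucs3ixxTAgX6k",
}

B2C_TO_IDENTITYSERVER = {
    "client_id": "interactive.public",
    "redirect_uri": "https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/authresp",
    "response_type": "code",
    "scope": "openid",
    "response_mode": "form_post",
    "nonce": "HZ0avacgvKw5Jyp6W4k1Tw==",
    "ui_locales": "en-US",
    "state": "StateProperties=eyJTSUQiOiJ4....",
}

# RFC 7636 Appendix B test vector, used so the derived challenge is reproducible.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"

if __name__ == "__main__":
    print("SPA -> B2C:", check_authorize_request(SPA_TO_B2C))
    print("B2C -> IdentityServer4:", check_authorize_request(B2C_TO_IDENTITYSERVER))
    req = build_authorize_request("interactive.public", B2C_TO_IDENTITYSERVER["redirect_uri"],
                                  "state-demo", "nonce-demo", RFC_VERIFIER)
    print(authorize_url(req))
    print("verifier accepted:", verify_code_verifier(req["code_challenge"], "S256", RFC_VERIFIER))
```

Running it shows the first request passing the check and the second failing with the same error text the question reports. The token-endpoint half is the part a forwarding proxy cannot satisfy on the SPA's behalf: only the party that generated the code_verifier can present it, which is why the challenge B2C would need to forward has to be accompanied by a matching verifier at code redemption.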