Tags: oauth-2.0, google-oauth, azure-ad-b2c, auth-token

I am able to change and retrieve the "response_type" from "code" to "token" in Google OAuth 2.0 request


I have an Azure B2C tenant with Google as IDP, which is set up exactly as the MS documentation states. However, I can see a problem with this login to Google as IDP.

When I click the Google login button on an Azure B2C login site, I can copy the authentication request from the developer console. Then I can change the "response_type" part of the request from "code" to "token" and re-send this request. After login I am able to retrieve an "access_token" from Google.

A token transported in this way may be accessed by malicious browser extensions, third-party JavaScript, proxy caches, or a shared computer's cache. Unlike the code response type, the token may be used more than once.

Is there anything I can do to prevent this behaviour?


Solution

  • I was able to fix this behaviour using Azure B2C with custom domains (AFD). In Premium AFD for B2C I published a WAF policy and set rules to prevent this behaviour.
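As an added example (not code from the question, the answer, or Azure/Google), this is the kind of check a WAF rule in front of the identity-provider redirect would enforce: reject any authorization request whose response_type is not exactly the "code" flow. The sample URLs in the test are constructed; the function name and the allowed-type set are this example's own assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Only the authorization-code flow is permitted. "token" (implicit flow) and
# "id_token" deliver tokens in the browser URL fragment, which is exactly what
# the question observes after editing response_type from "code" to "token".
ALLOWED_RESPONSE_TYPES = frozenset({"code"})


def check_authorize_request(url: str, allowed=ALLOWED_RESPONSE_TYPES):
    """Return (True, "ok") if every response_type value in the request is allowed,
    otherwise (False, reason).

    Two details make a naive equality check insufficient and are handled here:
    - the parameter may be repeated (?response_type=code&response_type=token);
    - a single value may be a space-separated list ("code token" is the hybrid
      flow), so each component of each occurrence is checked individually.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get("response_type", [])
    if not values:
        return False, "missing response_type"
    for raw in values:
        parts = raw.split()  # "code+token" arrives as "code token" after decoding
        if not parts:
            return False, "empty response_type"
        for part in parts:
            if part not in allowed:
                return False, f"response_type {part!r} not permitted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, modelled on a Google authorization request.
    samples = [
        "https://accounts.google.com/o/oauth2/v2/auth?client_id=x&response_type=code&scope=openid",
        "https://accounts.google.com/o/oauth2/v2/auth?client_id=x&response_type=token&scope=openid",
        "https://accounts.google.com/o/oauth2/v2/auth?client_id=x&response_type=code+token",
        "https://accounts.google.com/o/oauth2/v2/auth?client_id=x&response_type=code&response_type=token",
    ]
    for sample in samples:
        ok, reason = check_authorize_request(sample)
        print("ALLOW" if ok else "BLOCK", reason, sample)
```

A rule like this only covers the request leaving the browser; the redirect URI registered at the IDP and the response_mode still need the same scrutiny on the B2C side.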