Hi Rob,
I did some research on this topic and found that the behavior you are describing is due to a known limitation with B2C.
According to the RFC:
RFC 6749 - The OAuth 2.0 Authorization Framework (ietf.org)
Authentication code should be used one time.
With standard Azure AD, a fix was released in 2018:
Azure Active Directory breaking changes reference | Microsoft Docs
This is because B2C is completely stateless and does not follow the (OTP RFC) standard here. Standard Azure AD made engineering provisions to track and invalidate AuthZ codes back in 2018, but Azure AD B2C has not completed this work yet. B2C would have to become a stateful service and this is a large investment. So while this is a known issue, this work is not completed at this time. I have shared feedback with the product team about this but you are also welcome to do so in https://feedback.azure.com/
A workaround is to use the nonce claim.
See also: B2C nonce
Let me know if this helps. I've also bubbled this concern with the product team and will update this thread if they get back with additional information.
-
If the information helped you, please Accept the answer. This will help us as well as others in the community who might be researching similar issues.
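To make the nonce workaround mentioned in the answer concrete, here is an added example (not code from the answer or from Microsoft): the relying-party application generates a fresh nonce for every authorization request, binds it to the browser session, and consumes it exactly once when the ID token comes back. A replayed ID token, including one obtained by redeeming the same authorization code a second time, carries a nonce that is no longer pending and is rejected at the application. The in-memory `NonceStore`, the `session_id` values and the decoded `claims` dictionary are assumptions for illustration; signature, issuer, audience and expiry validation of the token are assumed to be done by your JWT library before `accept_id_token` is called.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NonceStore:
    """Server-side store of nonces that are still waiting for an ID token.

    Kept in memory here for illustration (an assumption); a real deployment
    would use a shared cache so every web node sees the same pending set.
    """
    ttl_seconds: int = 600
    _pending: dict = field(default_factory=dict)  # nonce -> (session_id, expiry)

    def issue(self, session_id: str, now: Optional[float] = None) -> str:
        """Create a random nonce bound to this browser session."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(32)
        self._pending[nonce] = (session_id, now + self.ttl_seconds)
        return nonce

    def consume(self, nonce: str, session_id: str, now: Optional[float] = None) -> bool:
        """Accept the nonce once. pop() removes it, so a second presentation
        (a replayed ID token) finds nothing and is refused."""
        now = time.time() if now is None else now
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        owner, expiry = entry
        return owner == session_id and now <= expiry

def build_authorize_params(store: NonceStore, session_id: str,
                           client_id: str, redirect_uri: str) -> dict:
    """Query parameters for the /authorize request; the nonce issued here is
    echoed back by the identity provider inside the ID token."""
    return {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": secrets.token_urlsafe(16),   # CSRF binding, separate from nonce
        "nonce": store.issue(session_id),
    }

def accept_id_token(store: NonceStore, session_id: str, claims: dict,
                    now: Optional[float] = None) -> bool:
    """claims: decoded ID token payload whose signature, iss, aud and exp have
    already been verified (assumed done by the JWT library). Returns True only
    for the first presentation of a nonce issued to this session."""
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not nonce:
        return False
    return store.consume(nonce, session_id, now)

def demo() -> list:
    """Walk through a sign-in and a replay with constructed values."""
    store = NonceStore()
    params = build_authorize_params(store, "sess-1", "client-id-placeholder",
                                    "https://app.example/signin-oidc")
    # Constructed ID token claims, as the provider would return them.
    claims = {"sub": "user-123", "nonce": params["nonce"]}
    first = accept_id_token(store, "sess-1", claims)    # True: first use
    replay = accept_id_token(store, "sess-1", claims)   # False: nonce consumed
    return [first, replay]

if __name__ == "__main__":
    print(demo())
```

The `state` parameter is kept separate on purpose: it protects the redirect from cross-site request forgery, while the nonce ties the issued ID token to the request that asked for it, which is the property the answer's workaround relies on.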