Can you configure an App Registration in Entra ID to require the client to provide PKCE?

Stephen Howe 40 Reputation points
2023-10-04T14:47:45.21+00:00

Hi.

Is it possible to register an app in Entra ID and enforce that the client application must provide PKCE when it calls the /authorize endpoint?

Microsoft Security | Microsoft Entra | Other

Accepted answer
  1. Navya 20,490 Reputation points Microsoft External Staff Moderator
    2023-10-09T11:09:50.13+00:00

    Hi @Stephen Howe

    No, you don't need to add any policy or configuration to enforce PKCE.

    I would like to know how you registered the application: as a SPA or as Web?

    Authorization code flow is a protocol that enables a client application to obtain authorized access to protected resources like web APIs. The auth code flow requires a user-agent that supports redirection from the authorization server back to your application. PKCE adds an additional layer of security to the authorization code flow by requiring the client to generate a code challenge and a code verifier, which aims to prevent interception attacks on public clients, as they do not have a secret and therefore have no real way of authenticating themselves.

    PKCE is required for Single-page web applications (SPA) because they are typically considered public clients, which cannot securely store a client secret. If your application is configured as SPA, PKCE will be enabled by default.

    If you request a SPA application to get an authorization code from the /authorize endpoint without providing PKCE parameters, it will throw an error as below.

    While PKCE is not required for web APIs, it is still recommended for web APIs. An authorization code can be obtained from the /authorize endpoint regardless of whether you provide PKCE.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


2 additional answers

  1. Navya 20,490 Reputation points Microsoft External Staff Moderator
    2023-10-05T10:51:52.58+00:00

    Hi Stephen Howe, thank you for reaching out to us.

    I understand you are looking to configure an App Registration in Entra ID to require the client to provide PKCE when it calls the /authorize endpoint.

    Yes, you can configure an App Registration in Entra ID to require the client to provide Proof Key for Code Exchange (PKCE) with the OAuth 2.0 authorization code flow. The authentication code flow is paired with Proof Key for Code Exchange (PKCE) and OpenID Connect (OIDC) to get access tokens and ID tokens for desktop and mobile apps, single-page web applications and standard web applications.

    This diagram shows a high-level view of the authentication flow.

    When a client application uses the Authorization Code Grant flow with PKCE, it generates a code verifier and a code challenge. The code verifier is a random string that is generated by the client application, and the code challenge is a hash of the code verifier. The client application sends the code challenge to Azure AD when it requests an authorization code. Azure AD uses the code challenge to verify the authenticity of the authorization code. 
    For your reference: Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft Entra | Microsoft Learn

    Hope this helps. Do let us know if you have any further queries.

    Thanks,
    Navya

    Please remember to "Accept Answer" if answer helped you.

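The verifier/challenge mechanics described in both of Navya's answers (the client hashes a random verifier into a challenge for /authorize, and the token endpoint later checks the verifier against it), as an added illustration that is not part of the original thread or Microsoft's code. The tenant, client id and redirect URI are constructed placeholders; the S256 method follows RFC 7636.

```python
"""PKCE (RFC 7636) helpers: client-side generation and the check the
authorization server performs at the token endpoint. Added example for
this thread, not Microsoft's code; all identifiers below are placeholders."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Entra ID v2.0 authorize endpoint; {tenant} is filled in by the caller
AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url encoding with the '=' padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes -> 43-character verifier (RFC 7636 allows 43..128 chars)
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        verifier: str, scope: str = "openid profile") -> str:
    """Authorization request carrying the PKCE parameters the thread discusses."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
        "state": secrets.token_urlsafe(16),  # CSRF binding, unrelated to PKCE
    }
    return AUTHORITY.format(tenant=tenant) + "?" + urlencode(params)


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Server-side check at the token endpoint: recompute S256 over the
    verifier sent with the authorization code and compare it to the challenge
    recorded at /authorize. An intercepted code without the verifier fails."""
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    print(build_authorize_url("<tenant-id>", "<client-id>", "http://localhost:3000", v))
    print("verifier accepted:", verify_pkce(make_code_challenge(v), v))
```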

  2. Stephen Howe 40 Reputation points
    2023-10-05T11:42:25.5566667+00:00

    Hi,

    Thanks for the response. In the documentation I see that code_challenge_method & code_challenge are listed as "recommended / required" when calling the authorize endpoint. However, I can't spot a method to enforce that the client application supplies these attributes. When I test my app I can call authorize with and without these attributes. Entra ID doesn't appear to require their presence. Is there a policy or configuration item that I need to implement to enforce that PKCE is provided?

    Many thanks

    Stephen
