
Azure AD B2C

Fispoke DevOps 20 Reputation points
2026-02-26T09:52:25.1433333+00:00

Summary

Azure AD B2C: PKCE & invalid_request errors during sign‑in with OIDC (Microsoft Entra ID) identity provider in User Flow B2C_1_NONMFA.


Problem Description

We are experiencing authentication failures when users attempt to sign in to our Angular SPA using Azure AD B2C User Flow B2C_1_NONMFA, with Microsoft Entra ID (Work/School Account) configured as an OpenID Connect (OIDC) identity provider.

After selecting the Microsoft Work/School account as the IdP, the login redirects back to our application with the following errors:

Error received at redirect URL

AADB2C90273: An invalid response was received: ‘Error: invalid_request,
Error Description: AADSTS9002325: Proof Key for Code Exchange is required
for cross-origin authorization code redemption.’

We are also intermittently receiving:

AADB2C90238: The provided token does not contain a valid issuer.

These errors occur only when the user authenticates via the external OIDC identity provider (Microsoft Entra ID). Local B2C accounts authenticate successfully.


Steps to Reproduce

  1. Open Angular SPA at http://localhost:4200/firmlogin.
  2. Invoke sign-in via User Flow B2C_1_NONMFA.
  3. Choose the Microsoft Work/School identity provider (custom OIDC provider).
  4. Enter valid credentials.
  5. User is redirected back to the SPA with the above error in the URL and browser console.

Expected Behavior

  • User should authenticate successfully via the Microsoft Entra ID OIDC identity provider.
  • B2C should redeem the authorization code using PKCE and issue an ID token to the SPA.
  • Application should load normally after successful sign-in.

Actual Behavior

  • B2C returns invalid_request and AADSTS9002325 PKCE required errors.
  • The SPA fails to complete the authorization code redemption.
  • The browser console logs PKCE‑related errors:
AADB2C90273: An invalid response was received.
Error: invalid_request, AADSTS9002325: Proof Key for Code Exchange is required.

What We Have Already Validated

  • OIDC Metadata URL is set to: https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
  • OIDC Redirect URI in the external Entra ID app: `https://

Answer accepted by question author
  Rukmini 29,390 Reputation points Microsoft External Staff Moderator
    2026-02-26T10:52:58.7633333+00:00

    Hello Fispoke DevOps,

    The Azure AD B2C wrapper error AADB2C90273 indicates that the external IdP returned a failure. In reality, the failure is:

    • AADSTS9002325: In order to redeem a cross-origin authorization code, the Proof Key for Code Exchange is necessary. The source of this problem is Microsoft Entra ID.
    • The underlying cause: the external Entra ID app registration is set up as a SPA/public client, so PKCE is enforced. Entra ID rejects the request because Azure AD B2C does not use PKCE and instead redeems the authorization code as a confidential backend client.

    After converting the app to a confidential Web application, the PKCE error and AADB2C90273 will be resolved.

    The error "AADB2C90238: The provided token does not contain a valid issuer" shows an issuer mismatch between Azure AD B2C and the external IdP token.

    The OIDC metadata URL is configured as:

    https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration

    Issuer validation fails when organizations is used because the token issuer (iss) becomes tenant-specific and does not precisely match what B2C wants.

    Hence, to resolve the error, change the OIDC metadata URL in B2C to the tenant-specific endpoint:

    https://login.microsoftonline.com/<External-Tenant-ID>/v2.0/.well-known/openid-configuration

    Use the GUID Tenant ID, not organizations.

    The issuer validation problem (AADB2C90238) will be fixed after the tenant-specific metadata endpoint has been updated.

    The error "AADB2C90273 AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption" verifies that the external Microsoft Entra ID app is still configured to enforce PKCE. This is not a B2C problem.

    When B2C redeems the authorization token, Entra needs PKCE since the external IdP application is still regarded as a public/SPA client.

    Hence, to resolve the error, in the external Microsoft Entra ID App Registration:

    1. Remove Single-Page Application (SPA) platform completely
    2. Ensure only Web platform exists
    3. Add redirect URI under Web: https://<b2c-tenant>.b2clogin.com/<b2c-tenant>.onmicrosoft.com/oauth2/authresp
    4. Create a client secret and configure it in Azure AD B2C OIDC IdP settings
    5. If you have enabled Allow public client flows then set it as NO

    The external app's configuration as a public client is the cause of the failure. The PKCE problem and AADB2C90273 will be fixed if the application is strictly converted to a secret Web application.

    If the resolution was helpful, kindly take a moment to click on Yes for "Was this answer helpful". And, if you have any further query, do let us know.

    1 person found this answer helpful.
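A pre-flight check for the two misconfigurations diagnosed in the answer above (a multi-tenant metadata URL, which breaks B2C's issuer validation, and a public/SPA app registration, which makes Entra ID demand PKCE), written as an added example that is not code from the question, the answer, or Microsoft. Everything is constructed inline: the discovery documents are trimmed to the fields the checks need, the tenant GUID, B2C tenant name and reply URL are placeholders, and the manifest keys (`spa`, `web`, `isFallbackPublicClient`, `passwordCredentials`) are assumed to follow the Microsoft Graph application resource rather than being read from a real tenant.

```python
"""Pre-flight checks for an Azure AD B2C -> Microsoft Entra ID OIDC federation.

Added example, not code from the question or the answer. Discovery documents
and the app-registration manifest are constructed inline (no network calls);
their shape mirrors the Entra discovery document and the Microsoft Graph
application resource, but every identifier below is a placeholder.
"""
import re
from urllib.parse import urlparse

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
MULTI_TENANT_SEGMENTS = {"common", "organizations", "consumers"}

# Placeholder identifiers (constructed, not real tenants).
EXTERNAL_TENANT_ID = "11111111-2222-3333-4444-555555555555"
B2C_TENANT = "contosob2c"
AUTHRESP_URI = (
    f"https://{B2C_TENANT}.b2clogin.com/{B2C_TENANT}.onmicrosoft.com/oauth2/authresp"
)

# Constructed discovery documents, trimmed to the issuer field. The multi-tenant
# endpoint publishes a templated issuer, the tenant-specific endpoint a concrete
# one; the iss claim of an issued token is always the concrete tenant issuer.
ORGANIZATIONS_METADATA = {"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"}
TENANT_METADATA = {"issuer": f"https://login.microsoftonline.com/{EXTERNAL_TENANT_ID}/v2.0"}
TOKEN_ISS = f"https://login.microsoftonline.com/{EXTERNAL_TENANT_ID}/v2.0"

ORG_URL = "https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration"
TENANT_URL = f"https://login.microsoftonline.com/{EXTERNAL_TENANT_ID}/v2.0/.well-known/openid-configuration"


def tenant_segment(metadata_url: str) -> str:
    """First path segment of an Entra metadata URL: a GUID, a domain, or a multi-tenant alias."""
    parts = urlparse(metadata_url).path.strip("/").split("/")
    return parts[0] if parts else ""


def is_tenant_specific(metadata_url: str) -> bool:
    """True when the metadata URL names the tenant by GUID, as the answer recommends."""
    seg = tenant_segment(metadata_url)
    return seg not in MULTI_TENANT_SEGMENTS and bool(GUID_RE.match(seg))


def issuer_matches(metadata_issuer: str, token_iss: str) -> bool:
    """Exact string comparison, which is why a templated issuer never matches a token."""
    return metadata_issuer == token_iss


def lint_app_registration(app: dict) -> list[str]:
    """Findings that make Entra treat the app as a public client (forcing PKCE)
    or leave B2C without a usable confidential-client configuration."""
    findings = []
    if app.get("spa", {}).get("redirectUris"):
        findings.append("SPA platform present: remove it, B2C redeems the code server-side")
    if AUTHRESP_URI not in app.get("web", {}).get("redirectUris", []):
        findings.append(f"Web platform lacks the B2C reply URL {AUTHRESP_URI}")
    if app.get("isFallbackPublicClient"):
        findings.append("'Allow public client flows' is enabled: set it to No")
    if not app.get("passwordCredentials"):
        findings.append("No client secret: create one and store it in the B2C OIDC IdP settings")
    return findings


def check_federation(metadata_url: str, metadata: dict, token_iss: str, app: dict) -> list[str]:
    """Combine the issuer checks and the app-registration lint into one report."""
    findings = []
    if not is_tenant_specific(metadata_url):
        findings.append(f"Metadata URL uses '{tenant_segment(metadata_url)}': use the tenant GUID")
    if not issuer_matches(metadata["issuer"], token_iss):
        findings.append(f"Issuer mismatch: metadata {metadata['issuer']!r} vs token {token_iss!r}")
    return findings + lint_app_registration(app)


# Constructed manifests: the misconfigured state from the question, then the fixed state.
APP_BEFORE = {
    "spa": {"redirectUris": ["http://localhost:4200/firmlogin"]},
    "web": {"redirectUris": []},
    "isFallbackPublicClient": True,
    "passwordCredentials": [],
}
APP_AFTER = {
    "spa": {"redirectUris": []},
    "web": {"redirectUris": [AUTHRESP_URI]},
    "isFallbackPublicClient": False,
    "passwordCredentials": [{"displayName": "b2c-federation"}],
}

if __name__ == "__main__":
    for label, url, meta, app in (
        ("before", ORG_URL, ORGANIZATIONS_METADATA, APP_BEFORE),
        ("after", TENANT_URL, TENANT_METADATA, APP_AFTER),
    ):
        report = check_federation(url, meta, TOKEN_ISS, app)
        print(f"{label}: {'OK' if not report else ''}")
        for finding in report:
            print("  -", finding)
```

Run as-is, the "before" state reports six findings (multi-tenant metadata URL, issuer mismatch, SPA platform, missing reply URL, public client flows enabled, no secret) and the "after" state reports none. Against a live tenant you would replace the constructed inputs by fetching the metadata document from the configured URL, decoding the `iss` claim of the ID token the external IdP returned, and reading the app registration through Graph; the comparison logic stays the same.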
