fix: Discovery Document metadata handling causes PKCE to be disabled for Entra ID (CIAM) #297

@Kronusus

Description

I encountered an issue where authentication with Microsoft Entra ID (CIAM) fails with AADSTS9002325: Proof Key for Code Exchange is required. This happens because the Entra ID discovery document does not publish the code_challenge_methods_supported property, even though PKCE is required for SPA clients. The oidc package correctly parses the metadata, sees the missing field, and presumably defaults to not sending the code_challenge.

Workaround: Manually constructing OidcProviderMetadata and explicitly adding the missing field fixes the issue:

discoveryDocument: OidcProviderMetadata.fromJson({
  // ... other fields from .well-known/openid-configuration
  "code_challenge_methods_supported": ["S256"], // FORCE PKCE SUPPORT
}),
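The failure mode above, as an added illustration that is not part of the issue or of the oidc package: a client that treats an absent code_challenge_methods_supported as "no PKCE" sends no code_challenge and gets AADSTS9002325 back, while a client that defaults to S256 (mandatory to implement on the server per RFC 7636) and only refuses when the provider explicitly advertises something else keeps working. The discovery document, hostnames and tenant identifier below are constructed placeholders; the function names are this example's own, not the package's API.

```python
"""Added example (not the oidc package's code): handle a discovery document
that omits code_challenge_methods_supported without silently dropping PKCE."""
import base64
import hashlib
import json
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed sample discovery document. It deliberately omits
# "code_challenge_methods_supported", mirroring the Entra ID (CIAM) behaviour
# from the issue. Host and tenant are placeholders, not real endpoints.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://tenant-placeholder.ciamlogin.example/tenant-id-placeholder/v2.0",
    "authorization_endpoint": "https://tenant-placeholder.ciamlogin.example/tenant-id-placeholder/oauth2/v2.0/authorize",
    "token_endpoint": "https://tenant-placeholder.ciamlogin.example/tenant-id-placeholder/oauth2/v2.0/token",
    "response_types_supported": ["code", "id_token", "code id_token"],
})


def load_metadata(raw_json: str, overrides: Optional[dict] = None) -> dict:
    """Parse a discovery document and apply explicit overrides.

    Generic form of the workaround in the issue: the caller can force
    "code_challenge_methods_supported": ["S256"] when the provider requires
    PKCE but does not advertise it.
    """
    metadata = json.loads(raw_json)
    if overrides:
        metadata.update(overrides)
    return metadata


def naive_pkce_method(metadata: dict) -> Optional[str]:
    """Behaviour the issue describes: a missing field means 'no PKCE'.

    RFC 8414 does say that omitting the field means the server does not
    support PKCE, which makes this an easy default to pick; it breaks against
    providers that require PKCE yet omit the field.
    """
    methods = metadata.get("code_challenge_methods_supported")
    if methods and "S256" in methods:
        return "S256"
    return None


def hardened_pkce_method(metadata: dict) -> str:
    """Defensive selection: never silently drop PKCE.

    - Field absent: assume S256 (mandatory to implement on servers per RFC 7636,
      and an unused challenge costs nothing).
    - Field present and lists S256: use S256.
    - Field present without S256: refuse rather than downgrade to 'plain'.
    """
    methods = metadata.get("code_challenge_methods_supported")
    if methods is None or "S256" in methods:
        return "S256"
    raise ValueError(f"provider advertises {methods!r} but not S256; refusing to downgrade PKCE")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 transform of RFC 7636."""
    if verifier is None:
        verifier = secrets.token_urlsafe(32)  # 43 chars, inside the 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(metadata: dict, client_id: str, redirect_uri: str,
                        verifier: Optional[str] = None) -> Tuple[str, str]:
    """Assemble the authorization request; returns (url, code_verifier).

    The verifier stays client-side until the token exchange.
    """
    method = hardened_pkce_method(metadata)
    verifier, challenge = make_pkce_pair(verifier)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": secrets.token_urlsafe(16),
        "code_challenge": challenge,
        "code_challenge_method": method,
    }
    return f"{metadata['authorization_endpoint']}?{urlencode(params)}", verifier


if __name__ == "__main__":
    md = load_metadata(SAMPLE_DISCOVERY_JSON)
    print("naive method:", naive_pkce_method(md))        # None: request would fail with AADSTS9002325
    print("hardened method:", hardened_pkce_method(md))  # S256
    url, _ = build_authorize_url(md, "client-id-placeholder", "http://localhost:3000/callback")
    print(url)
```

The selection logic is the part worth lifting into any client: a hard-coded `["S256"]` override works for one tenant, whereas defaulting to S256 on absence and refusing an explicit non-S256 list covers every provider without a per-tenant patch and never lets a misconfigured discovery document downgrade a public client to a bare authorization code.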
