Reputation: 2148
I'm trying to set up AD B2C and am following along with various tutorials I've found online. I'm at the point where I'm testing user flows. I can successfully log in, but when I'm redirected to https://jwt.ms, it shows me nothing:
However, I noticed that my URL differs from that shown in tutorials. It has a code instead of id_token:
https://jwt.ms/?code=eyJraW...
I've been trying to figure out what is causing B2C to redirect with a code rather than ID token, but have been unsuccessful. Can anyone tell me why this might be occurring?
UPDATE
OK, I see what's causing this now, but don't really understand where my setup differs from what I'm seeing in tutorials. I found that if I enable implicit grants on my app registration as follows:
Then everything works as expected. Note that I have to enable both.
I also noticed that when I test a user flow, the status of those implicit grants determines whether it has response_type=code or response_type=id_token in the authorization URL:
There doesn't seem to be a way to set the desired response_type from within the test user flow UI other than changing the status of the implicit grants. Maybe this is a change of behavior in the Azure portal since the tutorials were made...?
Upvotes: 6
Views: 2191
Reputation: 16438
As you have found, if we set Implicit grant in the Azure AD app, the user flow endpoint will generate response_type=id_token instead of response_type=code. This is by design in Azure AD B2C user flows.
If we don't do this, response_type=code means it is the authorization code flow; that is why you get this: https://jwt.ms/?code=eyJraW...
I'm not sure why you want to change the response_type in other ways. It should be the easiest. But if you want to change it manually, just click the copy button, change the response_type value, and then access it in the browser.
Upvotes: 2
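As an added example (not part of the original posts), the JavaScript below, run under Node.js, classifies what comes back on the redirect URI and applies the answer's manual response_type edit to a copied URL. It assumes the OpenID Connect default response modes (code in the query string, id_token in the fragment); the tenant, policy, client ID and token values are constructed placeholders.

```javascript
// Added example: every URL and token below is a constructed placeholder.

// Decode (not verify) the payload segment of a compact JWT; null if malformed.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// Report what the authorization endpoint put on the redirect URI.
function classifyRedirect(redirectUrl) {
  const url = new URL(redirectUrl);
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const error = query.get("error") || fragment.get("error");
  if (error) return { kind: "error", error, claims: null };
  const idToken = fragment.get("id_token") || query.get("id_token");
  if (idToken) return { kind: "id_token", claims: decodeJwtPayload(idToken) };
  // A code is opaque to the client: it is redeemed at the token endpoint
  // and is not an ID token to decode.
  if (query.has("code") || fragment.has("code")) return { kind: "code", claims: null };
  return { kind: "none", claims: null };
}

// The manual step from the answer: change response_type on a copied URL.
function setResponseType(authorizeUrl, responseType) {
  const url = new URL(authorizeUrl);
  url.searchParams.set("response_type", responseType);
  return url.toString();
}

// Constructed inputs (tenant, policy and client_id are placeholders).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleIdToken = `${b64url({ alg: "none" })}.${b64url({ sub: "user-1" })}.sig`;
const sampleAuthorizeUrl = "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize" +
  "?p=B2C_1_signupsignin&client_id=00000000-0000-0000-0000-000000000000" +
  "&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=code";

console.log(classifyRedirect("https://jwt.ms/?code=eyJraW-constructed").kind);
console.log(classifyRedirect(`https://jwt.ms/#id_token=${sampleIdToken}`));
console.log(setResponseType(sampleAuthorizeUrl, "id_token"));
```

The decoded claims are for inspection only; the payload is read without checking the token's signature.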