You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
| redirect_uri |Required |The redirect URI of your app, where authentication responses are sent and received by your app. It must exactly match one of the redirect URIs that you registered in the portal, except that it must be URL-encoded. |
70
70
| scope |Required |A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web applications. It indicates that your application needs a *refresh token* for extended access to resources. The client-id indicates the token issued are intended for use by Azure AD B2C registered client. The `https://{tenant-name}/{app-id-uri}/{scope}` indicates a permission to protected resources, such as a web API. For more information, see [Request an access token](access-tokens.md#scopes). |
71
71
| response_mode |Recommended |The method that you use to send the resulting authorization code back to your app. It can be `query`, `form_post`, or `fragment`. |
72
-
| state |Recommended |A value included in the request that can be a string of any content that you want to use. Usually, a randomly generated unique value is used, to prevent cross-site request forgery attacks. The state also is used to encode information about the user's state in the app before the authentication request occurred. For example, the page the user was on, or the user flow that was being executed. |
73
72
| prompt |Optional |The type of user interaction that is required. Currently, the only valid value is `login`, which forces the user to enter their credentials on that request. Single sign-on won't take effect. |
74
73
| code_challenge | recommended / required | Used to secure authorization code grants via Proof Key for Code Exchange (PKCE). Required if `code_challenge_method` is included. You need to add logic in your application to generate the `code_verifier` and `code_challenge`. The `code_challenge` is a Base64 URL-encoded SHA256 hash of the `code_verifier`. You store the `code_verifier` in your application for later use, and send the `code_challenge` along with the authorization request. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). This is now recommended for all application types - native apps, SPAs, and confidential clients like web apps. |
75
74
|`code_challenge_method`| recommended / required | The method used to encode the `code_verifier` for the `code_challenge` parameter. This *SHOULD* be `S256`, but the spec allows the use of `plain` if for some reason the client can't support SHA256. <br/><br/>If you exclude the `code_challenge_method`, but still include the `code_challenge`, then the `code_challenge` is assumed to be plaintext. Microsoft identity platform supports both `plain` and `S256`. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). This is required for [single page apps using the authorization code flow](tutorial-register-spa.md).|
76
75
| login_hint | No| Can be used to prefill the sign-in name field of the sign-in page. For more information, see [Prepopulate the sign-in name](direct-signin.md#prepopulate-the-sign-in-name). |
77
76
| domain_hint | No| Provides a hint to Azure AD B2C about the social identity provider that should be used for sign-in. If a valid value is included, the user goes directly to the identity provider sign-in page. For more information, see [Redirect sign-in to a social provider](direct-signin.md#redirect-sign-in-to-a-social-provider). |
78
77
| Custom parameters | No| Custom parameters that can be used with [custom policies](custom-policy-overview.md). For example, [dynamic custom page content URI](customize-ui-with-html.md?pivots=b2c-custom-policy#configure-dynamic-custom-page-content-uri), or [key-value claim resolvers](claim-resolver-overview.md#oauth2-key-value-parameters). |
78
+
| state |Recommended |A value included in the request that can be a string of any content that you want to use. Usually, a randomly generated unique value is used, to prevent cross-site request forgery attacks. The state also is used to encode information about the user's state in the app before the authentication request occurred. For example, the page the user was on, or the user flow that was being executed. |
79
+
80
+
> [!IMPORTANT]
81
+
> For security and privacy, do not put URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage, such as localStorage or sessionStorage. This approach lets your app securely reference the necessary data after authentication.
79
82
80
83
At this point, the user is asked to complete the user flow's workflow. This might involve the user entering their username and password, signing in with a social identity, signing up for the directory, or any other number of steps. User actions depend on how the user flow is defined.
Copy file name to clipboardExpand all lines: articles/active-directory-b2c/phone-based-mfa.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,7 +7,7 @@ author: kengaderdus
7
7
manager: CelesteDG
8
8
ms.service: azure-active-directory
9
9
ms.topic: how-to
10
-
ms.date: 1/21/2025
10
+
ms.date: 1/23/2025
11
11
ms.author: kengaderdus
12
12
ms.subservice: b2c
13
13
ms.custom: sfi-image-nochange
@@ -144,8 +144,8 @@ To help prevent fraudulent sign-ups, remove any country/region codes that do not
144
144
</RelyingParty>
145
145
</TrustFrameworkPolicy>
146
146
```
147
-
> [!IMPORTANT]
148
-
>Add the code in step 2 to the _relying party policy_ to enforce country/region code restrictions on the server side. You must not define these elements only in parent policies; put them in the relying party policy.
147
+
> [!IMPORTANT]
148
+
>Add the code in step 2 to the _relying party policy_ to enforce country/region code restrictions on the server side. You must not define these elements only in parent policies; put them in the relying party policy.
149
149
150
150
1. In the `BuildingBlocks` section of this policy file, add the following code. Make sure to include only the country/region codes relevant to your organization:
Copy file name to clipboardExpand all lines: articles/api-center/authorize-api-access.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,11 +1,11 @@
1
1
---
2
2
title: Configure API access in Azure API Center
3
3
description: Learn how to configure access to APIs in the Azure API Center inventory using API keys or OAuth 2.0 authorization. Users authorized for access can test APIs in the API Center portal.
4
-
author: dlepow
4
+
5
5
ms.service: azure-api-center
6
6
ms.topic: how-to
7
7
ms.date: 06/02/2025
8
-
ms.author: danlep
8
+
9
9
ms.custom:
10
10
# Customer intent: As an API program manager, I want to store API authorization information in my API center and enable authorized users to test APIs in the API Center portal.
Copy file name to clipboardExpand all lines: articles/api-center/build-register-apis-vscode-extension.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,12 +1,12 @@
1
1
---
2
2
title: Build and Register APIs - VS Code Extension
3
3
description: Learn how API developers can use the Azure API Center extension for Visual Studio Code to build and register APIs in their organization's API center.
4
-
author: dlepow
4
+
5
5
ms.service: azure-api-center
6
6
ms.topic: how-to
7
7
ms.date: 08/28/2025
8
8
ms.update-cycle: 180-days
9
-
ms.author: danlep
9
+
10
10
ms.collection: ce-skilling-ai-copilot
11
11
ms.custom:
12
12
# Customer intent: As an API developer, I want to use my Visual Studio Code environment to register APIs in my organization's API center as part of my development workflow.
Copy file name to clipboardExpand all lines: articles/api-center/customize-api-center-portal.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,12 +1,12 @@
1
1
---
2
2
title: Customize the API Center Portal
3
3
description: Learn about settings you can customize in your Azure API Center portal.
4
-
author: dlepow
4
+
5
5
ms.service: azure-api-center
6
6
ms.topic: how-to
7
7
ms.date: 08/07/2025
8
8
ms.update-cycle: 180-days
9
-
ms.author: danlep
9
+
10
10
ms.custom:
11
11
ms.collection: ce-skilling-ai-copilot
12
12
# Customer intent: As an API program manager, I want to customize the Azure-managed portal for developers and other API stakeholders in my organization.
Copy file name to clipboardExpand all lines: articles/api-center/design-api-github-copilot-azure.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,12 +1,12 @@
1
1
---
2
2
title: Develop APIs with GitHub Copilot for Azure - API Center plugin
3
3
description: With AI assistance, API developers can use the Azure API Center plugin for GitHub Copilot for Azure to design and develop compliant APIs.
4
-
author: dlepow
4
+
5
5
ms.service: azure-api-center
6
6
ms.topic: how-to
7
7
ms.date: 09/26/2025
8
8
ms.update-cycle: 180-days
9
-
ms.author: danlep
9
+
10
10
ms.collection: ce-skilling-ai-copilot
11
11
ms.custom:
12
12
# Customer intent: As an API developer, I want to use my Visual Studio Code environment and GitHub Copilot for Azure to generate Open API specs from natural language prompts.
0 commit comments