Important change notification for developers parsing Azure AD B2C responses outside of a library, effective December 13th, 2016


Impact: While most Azure AD B2C customers will be unaffected, those that are affected may fail to parse authentication responses from the B2C service.

Hello developers,

We on the Azure AD B2C team are looking to expand our OpenID Connect standards compliance and increase support for third-party libraries such as the OIDCAndroidLib for Android. As part of this, we are going to fix a response-formatting issue that we have identified, which may impact some existing customers.

This issue may impact you if:
  • You are using native apps, or you are using the Confidential Client flow by redeeming an authorization code with a client_secret. Both of these obtain tokens from the /token endpoint. If you are using only the Implicit flow, you are not impacted: the Implicit flow returns tokens in the redirect URL fragment and never calls /token.
  • AND you have written your own code to parse B2C’s web response from the /token endpoint (instead of using an existing library).

Specifically, this change fixes the way all numeric values in the /token response, such as expires_in, are presented to the client. Today they are emitted as JSON strings, "expires_in": "3600"; after the change they are emitted as standards-compliant JSON numbers, "expires_in": 3600, without quotes. Custom parsing code that assumes a quoted string at that position (for example, a regular expression that matches the surrounding quotes, or a type check that requires a string) will stop matching or will reject the response once the quotes are gone.

If you have written your own code to parse these values from the /token endpoint, then you should either:

  • Change your custom parsing logic to accept the JSON numbers format.
  • Switch to using a library to communicate and parse responses from B2C.
  • File a support ticket against our service to request for your tenant to not receive this update. Use the title “Azure AD B2C: Request for JSON numbers exemption: [<your_tenant_domain_here, e.g., contosob2c.onmicrosoft.com>]”.
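As an added example (not code from the Azure AD B2C team or from any library), the following Python shows the failure mode and the first remedy side by side: a brittle regex-based extractor that only understands the pre-change quoted form, and a tolerant parser that accepts expires_in as either a JSON string of digits or a JSON number and normalizes both to an integer. The two response bodies are constructed samples with placeholder token values; the exact set of numeric fields (not_before, refresh_token_expires_in) beyond expires_in is an assumption made for the example.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed sample /token responses. Token strings are placeholders,
# not real tokens. OLD_STYLE is the current format (numbers quoted as
# strings); NEW_STYLE is the standards-compliant format (bare numbers).
OLD_STYLE = (
    '{"access_token":"eyJ0.placeholder","token_type":"Bearer",'
    '"expires_in":"3600","not_before":"1481587200",'
    '"refresh_token":"AQABAAA.placeholder","refresh_token_expires_in":"1209600"}'
)
NEW_STYLE = (
    '{"access_token":"eyJ0.placeholder","token_type":"Bearer",'
    '"expires_in":3600,"not_before":1481587200,'
    '"refresh_token":"AQABAAA.placeholder","refresh_token_expires_in":1209600}'
)

# Fields this example treats as numeric (assumed set beyond expires_in).
NUMERIC_FIELDS = ("expires_in", "not_before", "refresh_token_expires_in")

# A JSON string that carries an integer, e.g. "3600" or "-1".
_INT_STRING = re.compile(r"-?\d+")


def brittle_expires_in(body: str) -> Optional[int]:
    """The kind of custom parsing that breaks: it requires the quotes.

    Returns None when the pattern does not match, which is exactly what
    happens once the service emits "expires_in":3600.
    """
    match = re.search(r'"expires_in"\s*:\s*"(\d+)"', body)
    return int(match.group(1)) if match else None


def _as_int(name: str, value: Any) -> int:
    """Accept a JSON number or a string of digits; reject anything else."""
    if isinstance(value, bool):  # bool is an int subclass in Python
        raise ValueError(f"{name}: boolean is not a valid integer")
    if isinstance(value, int):
        return value
    if isinstance(value, str) and _INT_STRING.fullmatch(value.strip()):
        return int(value.strip())
    raise ValueError(f"{name}: expected an integer or a string of digits, got {value!r}")


def parse_token_response(body: str) -> Dict[str, Any]:
    """Tolerant /token parser: same result for the old and new formats.

    Rejects OAuth error responses and responses with no access_token so
    that callers never treat a failure body as a successful token grant.
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("token response must be a JSON object")
    if "error" in data:
        raise RuntimeError(
            f"token endpoint error: {data['error']}: {data.get('error_description', '')}"
        )
    if "access_token" not in data:
        raise ValueError("token response has no access_token")
    result = dict(data)
    for field in NUMERIC_FIELDS:
        if field in result:
            result[field] = _as_int(field, result[field])
    return result


if __name__ == "__main__":
    print("brittle, old format:", brittle_expires_in(OLD_STYLE))
    print("brittle, new format:", brittle_expires_in(NEW_STYLE))
    print("tolerant, old format:", parse_token_response(OLD_STYLE)["expires_in"])
    print("tolerant, new format:", parse_token_response(NEW_STYLE)["expires_in"])
```

The tolerant parser is the one to keep after the cut-over as well: normalizing to an integer at the parse boundary means the rest of the client (token caching, expiry arithmetic) never sees the wire representation, so a later formatting change in either direction cannot reach it.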

Please write to us at aaddev@microsoft.com if you have any questions or concerns.
– Swaroop K (@swaroop_kmurthy)
