We on the Azure AD B2C team are looking to expand our OpenID Connect standards compliance and increase support for third-party libraries such as the OIDCAndroidLib for Android. As part of this, we are going to fix a formatting issue that we have identified, which may impact some existing customers. You are impacted if both of the following apply:
- You are using native apps, or using the Confidential Client flow by redeeming an auth code with a client_secret. If you are using only the Implicit flow, you are not impacted.
- AND you have written your own code to parse B2C’s web response from the /token endpoint (instead of using an existing library).
Specifically, this change corrects how numeric values such as expires_in are returned to the client by the /token endpoint: today they are sent as quoted strings, for example "expires_in": "3600", and after the change they will be sent as standards-compliant JSON numbers, "expires_in": 3600, without the quotes.
If you have written your own code to parse these values from the /token endpoint, then you should either:
- Change your custom parsing logic to accept the JSON numbers format.
- Switch to using a library to communicate and parse responses from B2C.
- File a support ticket against our service to request that your tenant be exempted from this update. Use the title “Azure AD B2C: Request for JSON numbers exemption: [<your_tenant_domain_here, e.g., contosob2c.onmicrosoft.com>]”.
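As an added example of the first option (this is not Microsoft's or any library's code), a /token response parser that accepts expires_in either as the legacy quoted string or as a bare JSON number, rejects anything that is not a positive integer, and turns the lifetime into an absolute expiry; the two sample responses are constructed, not captured from a tenant:

```python
import json
import re
import time

# Constructed sample /token responses (not captured from a real tenant): the
# legacy B2C form with numbers quoted as strings, and the standards-compliant
# form announced above with bare JSON numbers.
LEGACY_RESPONSE = '{"access_token": "constructed.token", "token_type": "Bearer", "expires_in": "3600"}'
COMPLIANT_RESPONSE = '{"access_token": "constructed.token", "token_type": "Bearer", "expires_in": 3600}'

# ASCII digits only: int() would also accept Unicode digits such as "３６００".
DIGITS = re.compile(r"[0-9]+")


def coerce_positive_int(name, value):
    """Accept a JSON integer or a string of ASCII digits; reject everything else."""
    if isinstance(value, bool):  # bool subclasses int in Python, so exclude it explicitly
        raise ValueError(f"{name}: boolean is not a number")
    if isinstance(value, str) and DIGITS.fullmatch(value):
        value = int(value)
    if not isinstance(value, int) or value <= 0:  # floats, negatives, "1h", "" all end here
        raise ValueError(f"{name}: expected a positive integer, got {value!r}")
    return value


def parse_token_response(body, now=None):
    """Parse a /token response into the fields a client needs, with expires_in
    normalised to an int and an absolute expires_at computed from it."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError(f"token endpoint error: {data['error']}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    if "access_token" not in data or "expires_in" not in data:
        raise ValueError("response is missing access_token or expires_in")
    expires_in = coerce_positive_int("expires_in", data["expires_in"])
    now = int(time.time()) if now is None else int(now)
    return {
        "access_token": data["access_token"],
        "expires_in": expires_in,
        "expires_at": now + expires_in,
    }


if __name__ == "__main__":
    for body in (LEGACY_RESPONSE, COMPLIANT_RESPONSE):
        print(parse_token_response(body, now=1_500_000_000))
```

Both sample bodies parse to the same result, so a client written this way keeps working before and after the change, while a response carrying a non-numeric lifetime is rejected instead of being compared against the clock as a string.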