I have set up my application to use Azure B2C's Implicit Flow token strategy to give me tokens via the post-signup/signin login in the URI. This works fine and the tokens authorize without a hitch.
However, the client is an SPA, so when the token expires, the documented workaround suggested by Microsoft is to use an iframe that makes a call to the authorize endpoint as documented here: Get Access Tokens
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id={my_client_id}&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&scope=openid&response_mode=fragment&state=12345&nonce=678910&prompt=none&domain_hint=organizations&[email protected]
Unfortunately, if I request an id_token using the openid scope with this endpoint, the token that's actually returned does not authorize via B2C in my API. Examining the JWT token in a decoder also shows that the token itself looks different from the one given post-signin from B2C.
I realize this documentation is for Azure Active Directory and that B2C doesn't support SPAs at this point, but I had heard from Microsoft representatives previously that this should work.
Is this really not supported yet? And if not, are there any workarounds for SPAs?
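As an added example that is not part of the question and not Microsoft's own library code, the snippet below implements the iframe renewal the question describes (a prompt=none request to the authorize endpoint, with the response read back from the redirect fragment) and then decodes both the sign-in token and the renewed token so that the claims that differ can be listed rather than eyeballed. The tenant and client id are placeholders, the two token payloads are constructed sample data, and the code only decodes the JWT; signature and issuer validation stay on the API side.

```javascript
// Added example (not from the question): silent id_token renewal for an SPA through
// a hidden iframe with prompt=none, plus a claim comparison between the token
// issued at sign-in and the renewed one. Placeholder values: TENANT, CLIENT_ID.
const TENANT = "{tenant}";                        // placeholder
const CLIENT_ID = "{my_client_id}";               // placeholder
const REDIRECT_URI = "http://localhost/myapp/";   // redirect URI from the question's URL
const AUTHORITY = `https://login.microsoftonline.com/${TENANT}/oauth2/v2.0/authorize`;

// Build the authorize URL for a silent request. `extraParams` is for any additional
// query parameter (e.g. the B2C policy parameter; assumed, not shown in the question).
function buildSilentAuthorizeUrl({ authority, clientId, redirectUri, scope, state, nonce,
                                   responseType = "id_token", extraParams = {} }) {
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: responseType,
    redirect_uri: redirectUri,
    scope,
    response_mode: "fragment",
    state,
    nonce,
    prompt: "none",          // no UI; an error comes back in the fragment if there is no session
    ...extraParams,
  });
  return `${authority}?${params.toString()}`;
}

// Parse "#id_token=...&state=..." (or a full URL carrying such a fragment) into an object.
function parseFragment(fragmentOrUrl) {
  const idx = fragmentOrUrl.indexOf("#");
  const frag = idx >= 0 ? fragmentOrUrl.slice(idx + 1) : fragmentOrUrl;
  return Object.fromEntries(new URLSearchParams(frag));
}

// base64url helpers (Node Buffer; in a browser use atob/btoa with the same re-mapping)
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64 + "=".repeat((4 - (b64.length % 4)) % 4), "base64").toString("utf8");
}
function base64UrlEncode(s) {
  return Buffer.from(s, "utf8").toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode the payload only: the SPA inspects claims, the API verifies the signature.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// List claims whose value differs (or is present on one side only), ignoring timestamps.
function compareClaims(a, b) {
  const volatile = new Set(["iat", "exp", "nbf", "auth_time"]);
  return [...new Set([...Object.keys(a), ...Object.keys(b)])]
    .filter((k) => !volatile.has(k) && JSON.stringify(a[k]) !== JSON.stringify(b[k]))
    .sort();
}

// Diagnose a renewed token against the sign-in token and the nonce we sent.
function checkRenewedToken(signInJwt, renewedJwt, expectedNonce) {
  const original = decodeJwtPayload(signInJwt);
  const renewed = decodeJwtPayload(renewedJwt);
  return { differingClaims: compareClaims(original, renewed), nonceMatches: renewed.nonce === expectedNonce };
}

// Browser only: load the authorize URL in a hidden iframe and poll for the fragment,
// which becomes readable once the iframe has been redirected back to our origin.
function renewSilently(authorizeUrl, expectedState, timeoutMs = 10000) {
  return new Promise((resolve, reject) => {
    if (typeof document === "undefined") return reject(new Error("browser only"));
    const iframe = document.createElement("iframe");
    iframe.style.display = "none";
    iframe.src = authorizeUrl;
    const started = Date.now();
    const timer = setInterval(() => {
      let hash = "";
      try { hash = iframe.contentWindow.location.hash; } catch (e) { /* still cross-origin */ }
      if (hash || Date.now() - started > timeoutMs) {
        clearInterval(timer);
        iframe.remove();
        if (!hash) return reject(new Error("silent renewal timed out"));
        const r = parseFragment(hash);
        if (r.state !== expectedState) return reject(new Error("state mismatch"));
        if (r.error) return reject(new Error(`${r.error}: ${r.error_description || ""}`));
        resolve(r);
      }
    }, 100);
    document.body.appendChild(iframe);
  });
}

// Constructed, unsigned sample token for the demo only; real tokens are signed.
function makeUnsignedSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

// Demo with constructed payloads: the sign-in token carries a B2C policy claim (tfp),
// the renewed one carries an AAD-style ver claim instead. Real values must be read from your tokens.
function demo() {
  const nonce = "678910";
  const iss = "https://login.microsoftonline.com/TENANT_GUID_PLACEHOLDER/v2.0/";
  const signInToken = makeUnsignedSampleToken({ iss, aud: CLIENT_ID, nonce, tfp: "B2C_1_signupsignin" });
  const renewedToken = makeUnsignedSampleToken({ iss, aud: CLIENT_ID, nonce, ver: "2.0" });
  return checkRenewedToken(signInToken, renewedToken, nonce);   // → differingClaims ["tfp", "ver"]
}
```

In a page, call `renewSilently(buildSilentAuthorizeUrl({...}), state)` and pass the returned `id_token` together with the stored sign-in token to `checkRenewedToken`; the list of differing claims (issuer, audience, policy or version claims) is what to compare against what the API's B2C validation expects.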