Proof Key for Code Exchange is required for cross-origin authorization code redemption error

Problem statement

We have set up a new Social connection with Microsoft, but when trying to test logins we are seeing the following error:

{
  "error": "access_denied",
  "error_description": "Proof Key for Code Exchange is required for cross-origin authorization code redemption."
}

Cause

This error occurred because the redirect URI configured on the Azure side was set using the Single Page Application setting.

Auth0 uses the standard Authorization Code flow with Azure for these social connections, so these redirect URIs need to be set up as Web redirect URIs, and not under Single Page Applications.

Solution

Add a new platform:

Select “Web” and add your tenant’s callback URI, “https://{AUTH0_DOMAIN}/login/callback”. You should see something like this once it is set up:

Currently, with your setup, Azure is treating Auth0 as a SPA and requiring the PKCE exchange. Adding your tenant’s /login/callback URL to the Web redirect URIs should allow the flow to complete.
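One way to confirm which platform type the callback is registered under, as an added example (not Auth0 or Microsoft code). It assumes you have the app registration as JSON, either in the Microsoft Graph application shape (`web`, `spa`, `publicClient`) or the portal manifest shape (`replyUrlsWithType`); the tenant domain, sample data and function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: an app registration in Microsoft Graph shape, with the
# Auth0 callback registered under "spa" by mistake (the case described above).
SAMPLE_APP = json.loads("""
{
  "displayName": "auth0-social-connection",
  "web": {"redirectUris": []},
  "spa": {"redirectUris": ["https://example-tenant.us.auth0.com/login/callback"]},
  "publicClient": {"redirectUris": []}
}
""")

def _norm(uri):
    """Normalize for comparison: lowercase scheme and host, no trailing slash."""
    p = urlsplit(uri.strip())
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"))

def redirect_platforms(app):
    """Map each normalized redirect URI to the platform types it is listed under."""
    found = {}
    # Graph shape: one redirectUris list per platform object.
    for platform in ("web", "spa", "publicClient"):
        for uri in (app.get(platform) or {}).get("redirectUris") or []:
            found.setdefault(_norm(uri), set()).add(platform.lower())
    # Portal manifest shape: flat list of {"url": ..., "type": "Web" | "Spa" | ...}.
    for entry in app.get("replyUrlsWithType") or []:
        found.setdefault(_norm(entry["url"]), set()).add(entry.get("type", "").lower())
    return found

def check_auth0_callback(app, auth0_domain):
    """Return 'ok' if /login/callback is a Web URI, 'spa-only' or 'missing' otherwise."""
    callback = _norm(f"https://{auth0_domain}/login/callback")
    platforms = redirect_platforms(app).get(callback, set())
    if "web" in platforms:
        return "ok"
    if "spa" in platforms:
        return "spa-only"   # Azure will demand PKCE at code redemption
    return "missing"

if __name__ == "__main__":
    print(check_auth0_callback(SAMPLE_APP, "example-tenant.us.auth0.com"))
```

A result of `spa-only` corresponds to the error above; after moving the URI to the Web platform the same check returns `ok`.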