Since Oct 3 2025, our applications using Microsoft Entra ID (Azure AD) OpenID Connect have seen intermittent authentication failures. We discovered that different ESTS clusters behind https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration return different JSON metadata.
| Header | Value | PKCE Field |
|---|---|---|
| x-ms-ests-server: 2.1.22024.3 - FRC ProdSlices | France Central slice | code_challenge_methods_supported missing |
| x-ms-ests-server: 2.1.22096.4 - WEULR1 ProdSlices | West Europe slice | code_challenge_methods_supported: ["plain","S256"] |
This causes clients (IdentityServer, MSAL, OIDC middleware) that rely on discovery to mis-detect PKCE support and fail SSO.
Captured: Oct 5 2025, 18:34 UTC / 18:09 UTC
Endpoint: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
Impact: Multiple production tenants intermittently fail SSO depending on which ESTS region and build they hit.
WEULR1 ProdSlices build: 2.1.22096.4
code_challenge_methods_supported - present
```text
// x-ms-ests-server: 2.1.22096.4 - WEULR1 ProdSlices
curl -v -H "Cache-Control: no-cache" https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
...
> GET /common/v2.0/.well-known/openid-configuration HTTP/2
< x-ms-request-id: 6663007c-3052-4dd5-b31b-1cfbf3b13200
< x-ms-ests-server: 2.1.22096.4 - WEULR1 ProdSlices
{
  "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "client_secret_basic"
  ],
  "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "id_token token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "offline_access"
  ],
  "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
  "request_uri_parameter_supported": false,
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
  "device_authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode",
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/logout",
  "claims_supported": [
    "sub",
    "iss",
    "cloud_instance_name",
    "cloud_instance_host_name",
    "cloud_graph_host_name",
    "msgraph_host",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "nonce",
    "preferred_username",
    "name",
    "tid",
    "ver",
    "at_hash",
    "c_hash",
    "email"
  ],
  "kerberos_endpoint": "https://login.microsoftonline.com/common/kerberos",
  "tenant_region_scope": null,
  "cloud_instance_name": "microsoftonline.com",
  "cloud_graph_host_name": "graph.windows.net",
  "msgraph_host": "graph.microsoft.com",
  "rbac_url": "https://pas.windows.net"
}
```
FRC ProdSlices build: 2.1.22024.3
code_challenge_methods_supported - missing
```text
// x-ms-ests-server: 2.1.22024.3 - FRC ProdSlices
curl -v -H "Cache-Control: no-cache" https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
...
> GET /common/v2.0/.well-known/openid-configuration HTTP/2
< x-ms-request-id: 123749ef-6f5c-48a9-98b0-56252c907500
< x-ms-ests-server: 2.1.22024.3 - FRC ProdSlices
{
  "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "client_secret_basic"
  ],
  "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "id_token token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "offline_access"
  ],
  "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
  "request_uri_parameter_supported": false,
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
  "device_authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode",
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/logout",
  "claims_supported": [
    "sub",
    "iss",
    "cloud_instance_name",
    "cloud_instance_host_name",
    "cloud_graph_host_name",
    "msgraph_host",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "nonce",
    "preferred_username",
    "name",
    "tid",
    "ver",
    "at_hash",
    "c_hash",
    "email"
  ],
  "kerberos_endpoint": "https://login.microsoftonline.com/common/kerberos",
  "tenant_region_scope": null,
  "cloud_instance_name": "microsoftonline.com",
  "cloud_graph_host_name": "graph.windows.net",
  "msgraph_host": "graph.microsoft.com",
  "rbac_url": "https://pas.windows.net"
}
```
Can someone confirm whether build 2.1.22024.x of the ESTS service omitted the code_challenge_methods_supported field from the OpenID Connect discovery document at https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration?
Confirm whether build 2.1.22096.x (or newer) re-introduces this field, and clarify if the rollout has reached the Europe / Northern Europe clusters (e.g. WEULR1, NEULR1, FRC).
Expected behavior:
The OpenID Connect discovery document should consistently include the field "code_challenge_methods_supported": ["S256", "plain"] as part of the metadata defined in RFC 8414 §2.1.
The metadata should be identical across all ESTS regional slices behind login.microsoftonline.com, ensuring clients receive the same discovery configuration regardless of the responding server.
Provide confirmation that the current configuration (with inconsistent PKCE metadata) is not intentional, and whether tenant-specific discovery endpoints are recommended as a stable workaround.
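As an added example (not part of the original post or of any Microsoft client library), the following Python compares discovery documents captured from different ESTS slices, reports which metadata keys drift, and shows the client-side decision a missing code_challenge_methods_supported forces: a spec-literal client drops PKCE, a pinned client keeps S256. The two captures are constructed, trimmed copies of the responses quoted above, keyed by their x-ms-ests-server header.

```python
"""Detect discovery-metadata drift across ESTS slices and decide the PKCE method."""
import json

# Constructed samples: trimmed copies of the two responses quoted in the post,
# keyed by the x-ms-ests-server header each one came from.
CAPTURES = {
    "2.1.22096.4 - WEULR1 ProdSlices": json.loads("""{
        "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
        "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "code_challenge_methods_supported": ["plain", "S256"]}"""),
    "2.1.22024.3 - FRC ProdSlices": json.loads("""{
        "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
        "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"}"""),
}


def drifting_keys(captures):
    """Return {key: {server: json_value}} for every metadata key whose value is not
    identical across all captures. A key absent from one capture but present in
    another counts as drift (its value is serialised as null)."""
    all_keys = set().union(*(doc.keys() for doc in captures.values()))
    drift = {}
    for key in sorted(all_keys):
        values = {srv: json.dumps(doc.get(key), sort_keys=True)
                  for srv, doc in captures.items()}
        if len(set(values.values())) > 1:
            drift[key] = values
    return drift


def pkce_method(doc, pin_s256=True):
    """Decide which code_challenge_method a client should send for this document.
    RFC 8414 section 2 says a missing code_challenge_methods_supported means the
    server does not support PKCE, so a spec-literal client (pin_s256=False) returns
    None and silently stops sending a code challenge. A pinned client keeps S256,
    which the WEULR1 slice above advertises and which RFC 7636 recommends.
    'plain' is never selected: it is reversible and adds nothing over no PKCE."""
    advertised = doc.get("code_challenge_methods_supported")
    if advertised is None:
        return "S256" if pin_s256 else None
    return "S256" if "S256" in advertised else None


if __name__ == "__main__":
    for key, values in drifting_keys(CAPTURES).items():
        print(f"drift in {key}:")
        for srv, val in values.items():
            print(f"  {srv}: {val}")
    for srv, doc in CAPTURES.items():
        print(f"{srv}: spec-literal={pkce_method(doc, pin_s256=False)} "
              f"pinned={pkce_method(doc)}")
```

Run against real captures, the same comparison can be fed by repeated curl fetches of the endpoint above, with each response keyed by its x-ms-ests-server header.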