| response_type |Required |Must include `id_token` for OpenID Connect sign-in. It might also include the response type `token`. If you use `token` here, your app can immediately receive an access token from the authorize endpoint, without making a second request to the authorize endpoint. If you use the `token` response type, the `scope` parameter must contain a scope that indicates which resource to issue the token for. |
168
168
| redirect_uri |Recommended |The redirect URI of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs you registered in the portal, except that it must be URL-encoded. |
169
169
| scope |Required |A space-separated list of scopes. For getting tokens, include all scopes that you require for the intended resource. |
170
-
| response_mode |Recommended |Specifies the method that is used to send the resulting token back to your app. Can be `query`, `form_post`, or `fragment`. |
170
+
| response_mode |Recommended |Specifies the method that is used to send the resulting token back to your app. For Implicit Flow you will need to use `fragment`. Other modes that will not work in the implicit flow are `query` and `form_post`. |
171
171
| state |Recommended |A value included in the request that is returned in the token response. It can be a string of any content that you want to use. Usually, a randomly generated, unique value is used, to prevent cross-site request forgery attacks. The state also is used to encode information about the user's state in the app before the authentication request occurred. For example, the page or view the user was on. |
172
172
| nonce |Required |A value included in the request, generated by the app, that is included in the resulting ID token as a claim. The app can then verify this value to mitigate token replay attacks. Usually, the value is a randomized, unique string that identifies the origin of the request. |
173
173
| prompt |Required |To refresh and get tokens in a hidden iframe, use `prompt=none` to ensure that the iframe does not get stuck on the sign-in page, and returns immediately. |
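Review bot: In the added `response_mode` row the second column still reads "Recommended" while the new description says you "will need to use `fragment`", so a reader cannot tell whether the parameter may be omitted or must always be sent explicitly. Either state what happens when it is left out, or change the column to match the requirement. The cell also mixes "Implicit Flow" and "implicit flow", and the second sentence is roundabout; something like "For the implicit flow, use `fragment`; `query` and `form_post` are not supported." says the same thing more directly. Since this row sits next to `state` and `nonce`, a short clause on why the other two modes are excluded would help readers who pick a mode for security reasons.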
@@ -246,4 +246,4 @@ This sample on GitHub is intended to help get you started with Azure AD B2C in a