Commit ab19e52

committed
Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)
2 parents 5e58c48 + b3bad69 commit ab19e52

File tree

397 files changed

+8850
-1113
lines changed

.openpublishing.redirection.json

Lines changed: 5 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -27889,6 +27889,11 @@
2788927889
"redirect_url": "/azure/security/fundamentals/choose-ad-authn",
2789027890
"redirect_document_id": true
2789127891
},
27892+
{
27893+
"source_path": "articles/active-directory/authentication/howto-authentication-passwordless-enable.md",
27894+
"redirect_url": "/azure/active-directory/authentication/concept-authentication-passwordless",
27895+
"redirect_document_id": true
27896+
},
2789227897
{
2789327898
"source_path": "articles/active-directory/authentication/howto-authentication-phone-sign-in.md",
2789427899
"redirect_url": "/azure/active-directory/authentication/howto-authentication-passwordless-phone",

articles/active-directory-b2c/active-directory-b2c-access-tokens.md

Lines changed: 7 additions & 7 deletions
@@ -15,7 +15,7 @@ ms.subservice: B2C
1515
---
1616
# Request an access token in Azure Active Directory B2C
1717

18-
An *access token* contains claims that you can use in Azure Active Directory (Azure AD) B2C to identify the granted permissions to your APIs. When calling a resource server, an access token must be present in the HTTP request. An access token is denoted as **access_token** in the responses from Azure AD B2C.
18+
An *access token* contains claims that you can use in Azure Active Directory (Azure AD) B2C to identify the granted permissions to your APIs. When calling a resource server, an access token must be present in the HTTP request. An access token is denoted as **access_token** in the responses from Azure AD B2C.
1919

2020
This article shows you how to request an access token for a web application and web API. For more information about tokens in Azure AD B2C, see the [overview of tokens in Azure Active Directory B2C](active-directory-b2c-reference-tokens.md).
2121

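Review bot: the removed and added line 18 render identically in this hunk, so this is most likely a whitespace-only change (for example trailing-space cleanup); confirm it is intentional, since a no-op line churn adds noise to a content review of this file.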
@@ -63,13 +63,13 @@ In the following example, you replace these values:
6363
- `<application-ID>` - The application identifier of the web application that you registered to support the user flow.
6464
- `<redirect-uri>` - The **Redirect URI** that you entered when you registered the client application.
6565

66-
```
66+
```HTTP
6767
GET https://<tenant-name>.b2clogin.com/tfp/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize?
6868
client_id=<application-ID>
6969
&nonce=anyRandomValue
7070
&redirect_uri=https://jwt.ms
7171
&scope=https://tenant-name>.onmicrosoft.com/api/read
72-
&response_type=code
72+
&response_type=code
7373
```
7474

7575
The response with the authorization code should be similar to this example:
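Review bot: tagging the fence as `HTTP` is fine, but two context lines in this block are still wrong and should be fixed in the same pass: `&scope=https://tenant-name>.onmicrosoft.com/api/read` is missing the opening `<` of the `<tenant-name>` placeholder, and `&redirect_uri=https://jwt.ms` hardcodes jwt.ms while the list immediately above tells the reader to substitute `<redirect-uri>`, so the example disagrees with its own instructions.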
@@ -80,9 +80,9 @@ https://jwt.ms/?code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC...
8080

8181
After successfully receiving the authorization code, you can use it to request an access token:
8282

83-
```
83+
```HTTP
8484
POST <tenant-name>.onmicrosoft.com/oauth2/v2.0/token?p=<policy-name> HTTP/1.1
85-
Host: https://<tenant-name>.b2clogin.com
85+
Host: <tenant-name>.b2clogin.com
8686
Content-Type: application/x-www-form-urlencoded
8787
8888
grant_type=authorization_code
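Review bot: the `Host:` fix is correct (a Host header carries no scheme), but the request line `POST <tenant-name>.onmicrosoft.com/oauth2/v2.0/token?p=<policy-name> HTTP/1.1` still needs attention: the request-target should be a path, and the host it embeds (`<tenant-name>.onmicrosoft.com`) disagrees with the `Host: <tenant-name>.b2clogin.com` header on the next line and with the `/tfp/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/...` path form used by the authorize request earlier in this file. Suggest a path-only target, either `/oauth2/v2.0/token?p=<policy-name>` against the b2clogin.com host or the `/tfp/...` form used by the authorize example, and use one form consistently.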
@@ -95,7 +95,7 @@ grant_type=authorization_code
9595

9696
You should see something similar to the following response:
9797

98-
```
98+
```JSON
9999
{
100100
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN...",
101101
"token_type": "Bearer",
@@ -109,7 +109,7 @@ You should see something similar to the following response:
109109

110110
When using https://jwt.ms to examine the access token that was returned, you should see something similar to the following example:
111111

112-
```
112+
```JSON
113113
{
114114
"typ": "JWT",
115115
"alg": "RS256",

articles/active-directory-b2c/active-directory-b2c-reference-oauth-code.md

Lines changed: 33 additions & 53 deletions

articles/active-directory-b2c/active-directory-b2c-reference-oidc.md

Lines changed: 7 additions & 7 deletions
@@ -8,7 +8,7 @@ manager: celestedg
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: conceptual
11-
ms.date: 08/20/2019
11+
ms.date: 08/22/2019
1212
ms.author: marsma
1313
ms.subservice: B2C
1414
ms.custom: fasttrack-edit
@@ -28,7 +28,7 @@ Azure AD B2C extends the standard OpenID Connect protocol to do more than simple
2828

2929
When your web application needs to authenticate the user and run a user flow, it can direct the user to the `/authorize` endpoint. The user takes action depending on the user flow.
3030

31-
In this request, the client indicates the permissions that it needs to acquire from the user in the `scope` parameter, and specifies the user flow to run. Three examples are provided in the following sections (with line breaks for readability), each using a different user flow. To get a feel for how each request works, try pasting the request into a browser and running it. You can replace `fabrikamb2c` with the name of your tenant if you have one and have created a user flow. You will also need to replace `90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6`. Replace this client ID with the app ID of the application registration you had created. Also change the policy name (`{policy}`) to the policy name that you have in your tenant, for example `b2c_1_sign_in`.
31+
In this request, the client indicates the permissions that it needs to acquire from the user in the `scope` parameter, and specifies the user flow to run. To get a feel for how the request works, try pasting the request into a browser and running it. Replace `{tenant}` with the name of your tenant. Replace `90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6` with the app ID of the application you've previously registered in your tenant. Also change the policy name (`{policy}`) to the policy name that you have in your tenant, for example `b2c_1_sign_in`.
3232

3333
```HTTP
3434
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?
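Review bot: the rewritten paragraph now uses `{tenant}` and `{policy}` as placeholders but still asks the reader to replace the literal GUID `90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6`; for consistency consider a `{client_id}` placeholder in both the prose and the `client_id=` line of the request below, which also makes it less likely that a sample app ID is copied into a real configuration by mistake.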
@@ -44,7 +44,7 @@ client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6
4444
| Parameter | Required | Description |
4545
| --------- | -------- | ----------- |
4646
| {tenant} | Yes | Name of your Azure AD B2C tenant |
47-
| {policy} | Yes | The user flow that is run. It is the name of a user flow that's created in your Azure AD B2C tenant. The name of the user flow should begin with `b2c_1_`. For example: `b2c_1_sign_in`, `b2c_1_sign_up`, or `b2c_1_edit_profile`. |
47+
| {policy} | Yes | The user flow to be run. Specify the name of a user flow you've created in your Azure AD B2C tenant. For example: `b2c_1_sign_in`, `b2c_1_sign_up`, or `b2c_1_edit_profile`. |
4848
| client_id | Yes | The application ID that the [Azure portal](https://portal.azure.com/) assigned to your application. |
4949
| nonce | Yes | A value included in the request (generated by the application) that is included in the resulting ID token as a claim. The application can then verify this value to mitigate token replay attacks. The value is typically a randomized unique string that can be used to identify the origin of the request. |
5050
| response_type | Yes | Must include an ID token for OpenID Connect. If your web application also needs tokens for calling a web API, you can use `code+id_token`. |
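Review bot: the new `{policy}` description drops the statement that user flow names begin with `b2c_1_`. If that prefix is still applied to user flows created in the portal, keep the sentence, because readers use it to tell a user flow apart from a custom policy; if it was dropped because it no longer holds, say so in the commit message. Separately, the unchanged `nonce` row says the application "can" verify the value; the replay mitigation only works if the application does verify it, so "must" is the accurate wording.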
@@ -270,14 +270,14 @@ GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/
270270
| --------- | -------- | ----------- |
271271
| {tenant} | Yes | Name of your Azure AD B2C tenant |
272272
| {policy} | Yes | The user flow that you want to use to sign the user out of your application. |
273-
| id_token_hint| No | A previously issued ID token to pass to the logout endpoint as a hint about the end user's current authenticated session with the client. |
274-
| post_logout_redirect_uri | No | The URL that the user should be redirected to after successful sign out. If it isn't included, Azure AD B2C shows the user a generic message. |
273+
| id_token_hint| No | A previously issued ID token to pass to the logout endpoint as a hint about the end user's current authenticated session with the client. The `id_token_hint` ensures that the `post_logout_redirect_uri` is a registered reply URL in your Azure AD B2C application settings. |
274+
| post_logout_redirect_uri | No | The URL that the user should be redirected to after successful sign out. If it isn't included, Azure AD B2C shows the user a generic message. Unless you provide an `id_token_hint`, you should not register this URL as a reply URL in your Azure AD B2C application settings. |
275275
| state | No | If a `state` parameter is included in the request, the same value should appear in the response. The application should verify that the `state` values in the request and response are identical. |
276276

277-
### Require ID token hint in logout request
277+
### Secure your logout redirect
278278

279279
After logout, the user is redirected to the URI specified in the `post_logout_redirect_uri` parameter, regardless of the reply URLs that have been specified for the application. However, if a valid `id_token_hint` is passed, Azure AD B2C verifies that the value of `post_logout_redirect_uri` matches one of the application's configured redirect URIs before performing the redirect. If no matching reply URL was configured for the application, an error message is displayed and the user is not redirected.
280280

281-
### External identity provider session
281+
### External identity provider sign-out
282282

283283
Directing the user to the `end_session` endpoint clears some of the user's single sign-on state with Azure AD B2C, but it doesn't sign the user out of their social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they are reauthenticated without entering their credentials. If a user wants to sign out of the application, it doesn't necessarily mean they want to sign out of their Facebook account. However, if local accounts are used, the user's session ends properly.
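Review bot: the new parameter descriptions for `id_token_hint` and `post_logout_redirect_uri` contradict the explanatory paragraph at line 279 of this hunk and should be reworded. That paragraph says that without `id_token_hint` the user is redirected to whatever `post_logout_redirect_uri` the request carries, regardless of the registered reply URLs, and that only a valid `id_token_hint` makes Azure AD B2C check the URL against the registered list before redirecting. The table, however, says `id_token_hint` "ensures that the `post_logout_redirect_uri` is a registered reply URL" (the hint does not ensure anything; it enables the check) and that the URL should not be registered "unless you provide an `id_token_hint`", which reads as advice against the very validation the new "Secure your logout redirect" heading promotes. Suggested wording: for `id_token_hint`, "When supplied, Azure AD B2C validates `post_logout_redirect_uri` against the application's registered reply URLs before redirecting"; for `post_logout_redirect_uri`, "Register this URL as a reply URL and pass `id_token_hint` so that the redirect target is validated; without `id_token_hint` the URL is not checked."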
