4

I tried to use the currently recommended Authorization Code Flow with PKCE to gather an access token from Active Directory. The client will be a public Angular SPA which is the reason for the chosen flow.

Gathering the openid-configuration form AD as well as the Authorization Code for a user worked well. But I fail requesting the access token from the following endpoint:

https://login.microsoftonline.com/{tenantId}/oauth2/token.

I tried to reconstruct the request in Postman:

POST /7e8c2868-7490-4dd7-82b7-f5ec29222d30/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=authorization_code
code=...
code_verifier=...
client_id=...
redirect_uri=...

...and end up with the following message:

{
  "error": "invalid_client",
  "error_description": "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: ed0413ad-89f1-4a2b-8d68-e23498701800\r\nCorrelation ID: deb53b0d-5398-4f72-a9a5-6c0863547b99\r\nTimestamp: 2020-03-06 09:30:36Z",
  "error_codes": [
    7000218
  ],
  "timestamp": "2020-03-06 09:30:36Z",
  "trace_id": "ed0413ad-89f1-4a2b-8d68-e23498701800",
  "correlation_id": "deb53b0d-5398-4f72-a9a5-6c0863547b99",
  "error_uri": "https://login.microsoftonline.com/error?code=7000218"
}

This seems odd, since the official specification of the Authentication Flow with PKCE doesn't require a client_secret or client_assertion. This is only required for the default Authentication Flow.

Is there something wrong with the AD implementation or have i misconfigured it?

The manifest of the web client looks like this:

{
  "id": "...",
  "acceptMappedClaims": null,
  "accessTokenAcceptedVersion": null, 
  "addIns": [],
  "allowPublicClient": true,
  "appId": "...",
  "appRoles": [],
  "oauth2AllowUrlPathMatching": false,
  "createdDateTime": "...",
  "groupMembershipClaims": null,
  "identifierUris": [],
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "name": "...",
  "oauth2AllowIdTokenImplicitFlow": false,
  "oauth2AllowImplicitFlow": false,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "optionalClaims": null,
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [],
  "preAuthorizedApplications": [],
  "publisherDomain": "...",
  "replyUrlsWithType": [
    {
        "url": "http://localhost:4200",
        "type": "Web"
    }
  ],
  "requiredResourceAccess": [
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "...",
                "type": "Scope"
            }
        ]
    }
  ],
  "samlMetadataUrl": null,
  "signInUrl": null,
  "signInAudience": "AzureADMyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null
}

And my application is registered as a public app in AD.

The Authentication request that was sent prior to that looked like this:

GET /.../oauth2/authorize
  response_type=code
  &client_id=...
  &state=...
  &redirect_uri=http%3A%2F%2Flocalhost%3A4200
  &scope=openid%20user_impersonation%20offline_access
  &code_challenge=...
  &code_challenge_method=...
  &nonce=...

Host: login.microsoftonline.com
chrsi
  • 992
  • 9
  • 24
  • Chrsi, how does the auth request URL look like? Did you correctly specify `code_challenge` and `code_challenge_method` parameters? Can you add this info to the question? – Ján Halaša Mar 06 '20 at 12:17
  • Good catch. Updated the question and it lookes like the `code_challenge` and `code_challenge_method` are not present. So it might be interpreted as a normal authentication code flow by ad – chrsi Mar 06 '20 at 12:40
  • Oh no ... I captured the wrong authorize request. Edited the question again. It actually does include the challenge. – chrsi Mar 06 '20 at 12:47

1 Answers1

7

Update 2021

Microsoft finally updated their portal, so we now have a UI to properly configure the Authorization Code Flow with PKCE.

All you have to do is open the Authentication-page of your registered AAD Application. There you can add a new Platform by clicking the button on the left: Add a SPA platform to your AAD App

Select the new Single-page application tile and enter your redirect urls.

Previous Answer (Manifest)

I just found the answer in the @azure/msal-browser package. At the moment Azure AD seems to be working on supporting this auth flow. To activate it you must set a new type for the redirection urls, that they just recently added.

To use the Authorization Code Flow with PKCE with Azure Active Directory you need to:

  1. Set add a web plattform to your azure ad application and add your redirect urls.
  2. Change the type of those redirect urls from 'Web' to 'Spa'. This must be done in the Manifest. Changing it will make the urls disappear from the Authentication Page. But that's ok, since it's still present in the Manifest.
  3. Treat the web app as a public client (Authentication > Advanded settings > Default client type - 'Yes').

Now the token endpoint doesn't require a client_secret or client_assertion anymore.

chrsi
  • 992
  • 9
  • 24
  • 1
    That hack does not work for me. Also now that SPA setting is available in general. So the hack is not needed anymore. – kwoxer Mar 03 '21 at 14:48
  • 1
    @kwoxer thanks for pointing it out. Yes, they finally updated the Azure Portal where SPA platforms can now be added via the UI. I updated the answer accordingly. But just to clarify, editing the manifest is no "hack". Adding the SPA platform in the UI ist just a user friendly way to update the manifest :) – chrsi Mar 04 '21 at 15:11
  • That's true. Maybe you have an idea about my issue that is kind of very similar to this one and I think it must be a bug somehow as it already worked out until I played around with the platforms: https://stackoverflow.com/questions/66454849/what-is-correct-platform-for-using-the-publicclientapplication-web-or-spa – kwoxer Mar 04 '21 at 19:44