
I am thinking of upgrading the authentication flow in my Angular app from implicit flow to authorization code flow with PKCE. I am using Azure AD as the auth provider.

I didn't find documentation related to the PKCE flow for SPAs in the Microsoft docs. Auth0 has already been supporting PKCE since last year; I wanted to know if Azure AD supports it, or if it is on their future roadmap.

Prateek Kumar Dalbehera

4 Answers


Azure AD supports PKCE on both the v1.0 and v2.0 endpoints.

You can find the v2.0 documentation here and the v1.0 documentation here.

Hari Krishna

Microsoft have recently fixed the CORS issue. Changes required:

Change your redirect URI type to enable CORS. You can do this by going to the manifest editor for your app registration in the portal, finding the replyUrlsWithType section and changing the type of your redirect URI to SPA. This may remove the affected redirect URIs from the Web platform Authentication tab; that's OK! We are working on getting the UI set up for this.

Source: https://www.npmjs.com/package/@azure/msal-browser

Karan Tikku
  • Thanks, I have already made the changes in the application manifest and PKCE is working as expected in my Angular application. Actually, I am using the oidc-client-js library and the integration was much easier. Thanks – Prateek Kumar Dalbehera May 11 '20 at 10:58

Previously I posted that PKCE was not supported, but that is no longer the case. If it helps, here is a PKCE code sample and blog post that will give readers something to compare against:

It should be possible to just reconfigure the JSON configuration files to get the sample working. Note, however, that I am using standards-based certified libraries and not Microsoft-specific libraries.

Gary Archer
  • Now, I am able to implement PKCE in my Angular app using Azure AD & OIDC. – Prateek Kumar Dalbehera May 11 '20 at 11:23
  • @PrateekKumarDalbehera can you please let me know how you did it? Thanks – Lenzman Apr 14 '21 at 19:15
  • @JeffinJ - any standards based library should work - I've updated my post with a link to a code sample and blog post in case useful. – Gary Archer Apr 14 '21 at 19:32
  • @GaryArcher Hi, thanks for your help. Can you please check my [post](https://stackoverflow.com/q/66954353/11152084). I have put a bounty on it. – Lenzman Apr 15 '21 at 03:48
  • If you are building an SPA with an interactive user, you should use Authorization Code Flow (PKCE) and redirect the user to sign in, according to [OAuth for Browser Based Apps](https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07#section-7). In your question, could you describe why you are trying to get a token without a user redirect? That feels like a solution that would fail security reviews, due to any user being able to get the secret via browser tools, but maybe I'm misunderstanding. – Gary Archer Apr 15 '21 at 06:58

Yes. The Azure AD platform supports PKCE on both the v1.0 and v2.0 endpoints. But for SPAs, e.g. Angular, it is not officially supported by Microsoft. For Angular, there is only an example for implicit flow.

https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-angular

Some other libraries support PKCE with Azure AD, e.g. https://github.com/damienbod/angular-auth-oidc-client. Example of using PKCE from the author: https://github.com/damienbod/AzureAD-Auth-MyUI-with-MyAPI

But not all features are so perfect from the user's point of view, e.g. when switching tabs, or when a token is refreshed. It would be better to check the issue list and then make the decision.

Jie