
I was using the silent-flow example and everything worked out fine. But then I saw that I had created 2 (Web & SPA) platforms. So I decided to do a cleanup. As I thought I just use the Web platform, I just deleted the SPA. But then the trouble came, as I'm now always getting an error when trying to log in.

So this is the current state when I have only one platform enabled.

When using SPA:

setup 1

then I get

error 1

AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption.

And when I use Web:

setup 2

I get:

error 2

"xxx: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: xxx\r\nCorrelation ID: xxx\r\nTimestamp: 2021-03-03 09:59:07Z - Correlation ID: xxx - Trace ID: xxx"

Maybe I do not understand something, but I only need one platform, correct?

I also tested with both enabled but getting the same issue you see above. Is my Azure Portal buggy maybe? Because I did not change anything except removing and adding platforms.

And for sure the setting Allow public client flows is set to Yes.

kwoxer
  • Have you set the `allowPublicClient` to `true` from **manifest** in the Azure portal? – unknown Mar 03 '21 at 13:09
  • 1
    Is ```Allow public client flows``` the same like ```allowPublicClient```. If so the answer is ```Yes```. – kwoxer Mar 03 '21 at 13:14

3 Answers


For a desktop application, the correct platform is neither Web nor SPA; it's **Mobile and desktop applications**.


For device code flow, you do need to set up a redirect URI, and set Allow client flow to Yes.

Jean-Marc Prieur
  • Mine is a web application, running in the browser. And as I already said, `Allow client flow` is set to `Yes`. – kwoxer Mar 03 '21 at 13:04
  • Not a good solution in my case, have a look above how I solved it :) – kwoxer Mar 05 '21 at 08:32
  • For a console application running on .NET 5 (or core 3+), refer to this article: https://learn.microsoft.com/en-us/dotnet/api/microsoft.identity.client.publicclientapplicationbuilder.withdefaultredirecturi?view=azure-dotnet Basically you call the .WithDefaultRedirectUri() on PublicClientApplicationBuilder and set Redirect URIs on Azure to http://localhost. – gimlichael Mar 11 '21 at 14:49

Yes you're right, you don't need both platforms. The Active Directory Platform to choose depends on the OpenID Connect Flow you want to use.

The Web Platform is used for Web Applications that run on the server. This way the server can store long-lived secrets/tokens securely. The common flow for this scenario is the Authorization Code. Once a user logs into the application, the server gets an authorization code and stores it for this particular user. Now every time the user requests a resource, the server exchanges the authorization code for a short-lived token and uses it for the request. This last request needs a predefined secret, because otherwise everyone who intercepted the authorization code is able to issue tokens.

In case you're building a server side application you need to provide a secret to the server (it is commonly called client secret, because the server is the client of the authentication server). The secret can be generated in the "Certificates & secrets" section:

Certificates & Secrets

The example you provided above seems to be a server-side web application (serving handlebars templates over a node/express server).

The SPA Platform is used for Applications that run on public clients (like a web browser). Since we don't have a server that can maintain those secrets we have two options:

The latter one is preferred and works almost like the one above, with the exception that you need to provide a client-generated secret (PKCE) in combination with the refresh token to gather access tokens. This added layer of security makes sure that no other party in possession of the refresh token can issue access tokens unless they also stole your browser secret.

In case you're building a SPA, I prefer you choose the Authorization Code + PKCE. The error message tells me that you set up your client authentication to Authorization Code, when in fact you need to set up the Authorization Code + PKCE flow. Your client app must provide a code challenge (the PKCE). Most OIDC libraries support this out of the box.

chrsi

Ok, I switched from PublicClientApplication to ConfidentialClientApplication and added the clientSecret to the config:

```javascript
const msal = require("@azure/msal-node");

// Same config as before, plus clientSecret (from "Certificates & secrets" in
// the portal). cachePlugin is the persistence plugin defined in the sample.
const publicClientConfig = {
  auth: {
    clientId: "xxx",
    authority: "https://login.microsoftonline.com/common",
    redirectUri: "http://localhost:3000/redirect",
    clientSecret: "xxx"
  },
  cache: {
    cachePlugin
  },
};

// ConfidentialClientApplication instead of PublicClientApplication
const cca = new msal.ConfidentialClientApplication(publicClientConfig);
```

Then removed the SPA platform in Azure and added a fresh Web platform:


Now it works without any issues again.

So the example silent-flow is outdated. Already mentioned it here.

kwoxer