
I am trying to authorize using the Authorization Code grant flow for AzureAD from SwaggerUI for my .net core based API project, but I am getting the error below:

Error: Unauthorized, error: invalid_client, description: AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented.

Though my client is not public; I even verified the app manifest, and it has "allowPublicClient": false.

Setup Over AzureAD

  1. HostAPP
  2. ClientAPP

HostAPP has scopes exposed, and the same are added to ClientAPP under App Permissions.

ClientAPP has redirect-uri of swagger added under SPA as I am using authorization code grant type.

Note: Without supplying secret, I am able to authenticate but I want to make secret mandatory.

The same is reported by another user in the question posted below, but the answer is not clear yet, even though it has an accepted answer.

How to correctly configure ASP.NET Core 5 Swagger to work with Azure A/D authorization code authentication?

Edit:

I have Swagger redirect URL added in SPA and Postman redirect URL in Web.

[screenshot]

1 Answer

I tried to reproduce the same in my environment and got results like below:

I registered application in Azure AD and added redirect URI under SPA:

[screenshot]

When I tried to generate the access token, I got the same error like below:

[screenshot]

To resolve the error, I added the redirect URI under Web, deleting the SPA one and saving, like below:

[screenshot]

After saving the changes, get the authorization code again and generate the access token like below:

[screenshot]

So, try deleting the Swagger Redirect URL in SPA and add it under Web to get access token successfully as suggested in this SO Thread by Carl Zhao.

Sridevi
  • Moved Swagger redirect URL to Web and see this error => "auth errorError: Bad Request, error: invalid_request, description: AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Trace ID: 091c349b-01f2-49c8-a023-ae14ce168300 Correlation ID: 7e69deeb-5f9d-4c23-80f2-a8bc5b34d52f Timestamp: 2022-06-21 13:30:45Z" – Pinkesh Patel Jun 21 '22 at 13:31
  • In My case, able to generate token from Postman. From swaggerUI the question is posted. It would be helpful if you can try to configure AzureAD Auth Code flow for SwaggerUI. – Pinkesh Patel Jun 21 '22 at 13:43
  • Please check whether `replyUrlsWithType` in [**Manifest**](https://i.imgur.com/UtlhRMS.png) is updated to **Web** or not. Check this [blog](https://www.c-sharpcorner.com/article/enable-oauth-2-authorization-using-azure-ad-and-swagger-in-net-5-0/) that includes Enabling OAuth 2 Authorization Using Azure AD And Swagger In .NET 5.0 – Sridevi Jun 21 '22 at 14:16
  • Thanks for quick reply. I see that Manifest has been updated but still same error. The blog you shared is depicting implicit flow and I tried it, I am able to generate the token but the issue I am facing is for Auth Code flow. Can you please help on the same. – Pinkesh Patel Jun 21 '22 at 14:25
  • Just wanted to add it, that If I use Swagger redirect URL in SPA and if I try to authorize on swagger without providing secret then it is working. Shouldn't we pass secret while authenticating? – Pinkesh Patel Jun 22 '22 at 10:22
  • For **SPA**, you don't need to provide secret, and it won't work if you add. For Web apps, client secret is mandatory while using auth code flow. – Sridevi Jun 22 '22 at 10:25
  • You can check this **[MsDoc](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code)** that includes the parameters supported by SPA using auth code flow. It doesn't support client_secret as a parameter. – Sridevi Jun 22 '22 at 10:34
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/245818/discussion-between-sridevimachavarapu-mt-and-pinkesh-patel). – Sridevi Jun 22 '22 at 12:23
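A Swashbuckle configuration that follows where the comments above end up: Swagger UI runs in the browser, so it is the SPA client type, redeems the code with PKCE and sends no client secret (the Web client type would demand a secret and then fail cross-origin redemption). This is an added example, not code from the question, the answer or the linked blog; the tenant id, ClientAPP id, HostAPP scope URI and the `AzureAd` configuration section read by Microsoft.Identity.Web are placeholders.

```csharp
// Program.cs (.NET 6 minimal hosting). Added example; placeholder values are marked.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
using Microsoft.OpenApi.Models;

const string tenantId = "<TENANT_ID>";                        // placeholder
const string swaggerClientId = "<CLIENT_APP_ID>";             // ClientAPP registration (placeholder)
const string apiScope = "api://<HOST_APP_ID>/<SCOPE_NAME>";   // scope exposed by HostAPP (placeholder)
var authority = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0";

var builder = WebApplication.CreateBuilder(args);

// The API validates incoming bearer tokens; "AzureAd" section (TenantId, ClientId, ...) is assumed.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddControllers();

builder.Services.AddSwaggerGen(c =>
{
    // Authorization-code flow against the Azure AD v2.0 endpoints.
    c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.OAuth2,
        Flows = new OpenApiOAuthFlows
        {
            AuthorizationCode = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri($"{authority}/authorize"),
                TokenUrl = new Uri($"{authority}/token"),
                Scopes = new Dictionary<string, string> { [apiScope] = "Access the API" }
            }
        }
    });
    // Padlock on every operation so Swagger UI attaches the token it obtained.
    c.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        { new OpenApiSecurityScheme { Reference = new OpenApiReference
              { Type = ReferenceType.SecurityScheme, Id = "oauth2" } }, new[] { apiScope } }
    });
});

var app = builder.Build();
app.UseSwagger();
app.UseSwaggerUI(c =>
{
    c.OAuthClientId(swaggerClientId);
    c.OAuthScopes(apiScope);
    c.OAuthUsePkce();  // PKCE stands in for the secret; the Swagger redirect URI stays under SPA.
});
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
```

Leaving the client secret field in Swagger UI empty is the expected state here: a public (SPA) client that presents one gets AADSTS700025, exactly the error in the question.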