MSAL NodeJS authentication error for WebApp and SPA

Library

• msal@1.x.x or @azure/msal@1.x.x
• @azure/msal-browser@2.x.x
• @azure/msal-angular@0.x.x
• @azure/msal-angular@1.x.x
• @azure/msal-angularjs@1.x.x
• @azure/msal-node@1.0.0-alpha.0

Important: Please fill in your exact version number above, e.g. msal@1.1.3.

Framework

NodeJS - KoaJS

Description

I integrated msal-node with a NodeJS server following this example: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/samples/msal-node-samples/auth-code/index.js

BTW, the app is NodeJS REST API server + ReactJS SPA served by the same server and I need to auth users with Azure AD only for calling my REST API, no need to call MS Graph API or similar, so should I use MSAL.js or there’s a better solution?

Error Message

If I register my app in Azure AD as Web app, I have an error of missing client_secret, otherwise if I register it as SPA I get AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption.

Security

• Is this issue security related?

Regression

• Did this behavior work before? Version:

MSAL Configuration

// Provide configuration values here.
// For Azure B2C issues, please include your policies.

Reproduction steps

// Provide relevant code snippets here.
// For Azure B2C issues, please include your policies.

Expected behavior

Browsers/Environment

• Chrome
• Firefox
• Edge
• Safari
• IE
• Other (Please add browser name here)