What is correct platform for using the PublicClientApplication, Web or SPA?

Library

  • msal@1.x.x or @azure/msal@1.x.x
  • @azure/msal-browser@2.x.x
  • @azure/msal-node@1.x.x
  • @azure/msal-react@1.x.x
  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.x.x
  • @azure/msal-angular@2.x.x
  • @azure/msal-angularjs@1.x.x

Framework

  • Angular
  • React
  • Other

Expected behavior

Login works.

Identity Provider

  • Azure AD
  • Azure B2C Basic Policy
  • Azure B2C Custom Policy
  • ADFS
  • Other

Browsers/Environment

  • Chrome
  • Firefox
  • Edge
  • Safari
  • IE
  • Other (Please add browser name here)

Regression

  • Did this behavior work before? Version:

Security

  • Is this issue security related?

Source

  • Internal (Microsoft)
  • Customer request

Description

I was using the silent-flow example and everything worked out fine. But then I saw that I had created 2 (Web & SPA) platforms. So I decided to do a cleanup. As I thought I only use the Web platform, I just deleted the SPA one. But then the trouble came, as I’m now always getting an error when trying to log in.

So this is the current state when I have only one platform enabled.

When using SPA:

setup 1

then I get

error 1

AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption.

And when I use Web:

setup 2

I get:

error 2

“xxx: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’.\r\nTrace ID: xxx\r\nCorrelation ID: xxx\r\nTimestamp: 2021-03-03 09:59:07Z - Correlation ID: xxx - Trace ID: xxx”

Maybe I do not understand something, but I only need one platform, correct?

I also tested with both enabled, but I’m getting the same issue you see above. Is my Azure Portal buggy maybe? Because I did not change anything except removing and adding platforms.

And for sure the setting Allow public client flows is set to Yes.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
pkanher617 commented, Mar 4, 2021

As I said, in the silent-flow sample you should use the ConfidentialClientApplication constructor instead of PublicClientApplication. This is because your app is a web app, not a SPA. I’m also not sure why your app was working before; it may have been a bug. However, your app is a Web app, so yes, you should only use the Web platform. Which means you need to support the Confidential Client flow. Set up a client_secret in your app registration, and then use that client secret in the configuration you pass to the ConfidentialClientApplication constructor.
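The two errors in the issue come down to which proof the token endpoint expects when the authorization code is redeemed. The sketch below is an added example, not code from MSAL or the silent-flow sample: it builds the redemption request for a public and a confidential client and runs a simplified model of the two quoted rejections. All function names, sample values and the rejection logic are assumptions derived from the error messages above.

```javascript
const crypto = require('crypto');

const b64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// PKCE S256 (RFC 7636): challenge = BASE64URL(SHA256(verifier)).
function pkceChallenge(verifier) {
  return b64url(crypto.createHash('sha256').update(verifier).digest());
}
function newPkceVerifier() {
  return b64url(crypto.randomBytes(32));
}

// Form body sent to the token endpoint when redeeming an authorization code.
// clientSecret marks a confidential client; codeVerifier is the PKCE proof.
function tokenRequestBody({ clientId, code, redirectUri, clientSecret, codeVerifier }) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    code,
    redirect_uri: redirectUri,
  });
  if (clientSecret) body.set('client_secret', clientSecret);
  if (codeVerifier) body.set('code_verifier', codeVerifier);
  return body;
}

// Simplified model (assumption) of the two rejections quoted in the issue,
// keyed on the platform the redirect URI is registered under. It covers only
// those two messages and is not Azure AD's actual validation logic.
function predictRejection(platform, body) {
  if (platform === 'SPA' && !body.has('code_verifier')) {
    return 'Proof Key for Code Exchange is required for cross-origin authorization code redemption.';
  }
  if (platform === 'Web' && !body.has('client_secret') && !body.has('client_assertion')) {
    return "The request body must contain the following parameter: 'client_assertion' or 'client_secret'.";
  }
  return null;
}

// Constructed sample values; a real secret comes from a vault or environment.
const sample = { clientId: '00000000-0000-0000-0000-000000000000',
                 code: 'SAMPLE_AUTH_CODE', redirectUri: 'http://localhost:3000/redirect' };
const publicNoPkce = tokenRequestBody(sample);
const publicPkce = tokenRequestBody({ ...sample, codeVerifier: newPkceVerifier() });
const confidential = tokenRequestBody({ ...sample, clientSecret: 'PLACEHOLDER_SECRET' });
console.log('Web + public:', predictRejection('Web', publicNoPkce));
console.log('SPA + public, no PKCE:', predictRejection('SPA', publicNoPkce));
console.log('Web + confidential:', predictRejection('Web', confidential));
```

Adding PKCE to a public client does not satisfy a Web-platform redirect URI in this model; only a client secret or assertion does, which is why the maintainer points to ConfidentialClientApplication.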

0 reactions
kwoxer commented, Mar 5, 2021

Ok strange, just tested another account and there it works:

grafik

and just tested on the just-failed account and there it now also works. Very strange, maybe caching.

Ok so please update that silent-flow as it does not work with the PublicClientApplication. I think this helps a lot when the example is correct and not even more confusing. 😃
