
[Feature Request] During auth code redemption, send `code_verifier` to /token endpoint as part of auth code + pkce


Background

For details, see the spec for auth code + PKCE for public clients.

Auth code + PKCE was originally implemented for public clients, as they are susceptible to having the auth code intercepted. However, more and more confidential clients are wanting to implement PKCE.

ASP.NET Core surfaces the `code_verifier` in the `AuthenticationProperties` collection on the event context.

Part of this work is adding a client secret for the web app in the templates, as the secret will now be used to verify the client.

Next Steps

MSAL.NET needs to support auth code + PKCE for confidential clients first, so that we can use it during auth code redemption. See issue here.

ASP.NET starts the first leg of the auth code flow and sends `code_challenge` and `code_challenge_method` to the /authorize endpoint.

Then, in the second part, MS Identity Web, using MSAL, will need to send the `code` + `code_verifier` (which we will get in the `AuthenticationProperties`) so that the server can verify the original `code_challenge`.

We need to complete the work in MSAL.NET first. We can use the MSAL Java implementation for this.

Here is where the developer provides the `code_challenge` and `code_challenge_method`: https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java#L84

And where the developer passes in the `code_verifier`: https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/main/java/com/microsoft/aad/msal4j/AuthorizationCodeParameters.java#L47

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:1
  • Comments:21 (8 by maintainers)

Top GitHub Comments

Ponant commented, May 11, 2021 (1 reaction)

@jmprieur, I checked further, and the only way to make it work from the base template (updated NuGet) is to do an SPA registration on the portal, so @tedvanderveen is right. So I do not understand how you get it to work with the web option in Azure? The portal even happily displays “Your Redirect URI is eligible for the Authorization Code Flow with PKCE.” Here is the output manifest:

```json
"replyUrlsWithType": [
    {
        "url": "https://localhost:44339/signin-oidc",
        "type": "Spa"
    }
]
```

Edit: Furthermore, `options.ResponseType = OpenIdConnectResponseType.Code;` and `options.Scope.Add(options.ClientId);` need to be added in Startup. So I believe we disagree.

tedvanderveen commented, May 11, 2021 (1 reaction)

@Ponant yes it just works!
