[Feature Request] During auth code redemption, send `code_verifier` to /token endpoint as part of auth code + pkce
See original GitHub issue.

Background

For details, see the spec for auth code + pkce for public clients.
Auth code + pkce was originally implemented for public clients, as they are susceptible to having the auth code intercepted. However, more and more confidential clients are wanting to implement pkce:
ASP NET Core surfaces the code_verifier in the AuthenticationProperties collection on the event context.
Part of this work is adding a client secret for the web app in the templates, since the secret will now be used to verify the client.
Next Steps

MSAL .NET needs to support auth code + pkce for confidential clients first, so that we can use it during auth code redemption. See issue here.
ASP NET starts the first leg of the auth code flow, and sends code_challenge and code_challenge_method to the /authorize endpoint.
Then, in the second leg, MS Identity Web, using MSAL, will need to send the code + code_verifier (which we will get from the AuthenticationProperties) so that the server can verify it against the original code_challenge.
We need to complete the work in MSAL .NET first. We can use the MSAL Java implementation as a reference for this.
Here is where the developer provides the code_challenge and code_challenge_method: https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java#L84
And here is where the developer passes in the code_verifier: https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/main/java/com/microsoft/aad/msal4j/AuthorizationCodeParameters.java#L47
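The two legs described above, as an added example that is not part of this issue or of MSAL/Microsoft Identity Web: the client derives an S256 code_challenge from a code_verifier for the /authorize request, then presents the code, the code_verifier and (for a confidential client) the client_secret at /token, where the server recomputes the challenge. Endpoint names follow RFC 7636; the client id, secret, redirect URI and auth code values are constructed placeholders.

```python
import base64
import hashlib
import secrets


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy code_verifier (RFC 7636 section 4.1): 43 chars for 32 random bytes."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def authorize_params(client_id: str, redirect_uri: str, scope: str, state: str, code_verifier: str) -> dict:
    """First leg (/authorize): only the challenge and its method leave the client; the verifier stays local."""
    return {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }


def token_request_body(client_id: str, client_secret: str, redirect_uri: str, code: str, code_verifier: str) -> dict:
    """Second leg (/token) for a confidential client: the auth code, the code_verifier and the client secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }


def server_verifies(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """What the authorization server does at /token: recompute the challenge from the verifier and compare."""
    if stored_method != "S256":  # only the S256 method is accepted here (constructed policy)
        return False
    return secrets.compare_digest(s256_challenge(presented_verifier), stored_challenge)
```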
Top GitHub Comments
@jmprieur, I checked out further, and the only way to make it work from the base template (updated nuget) is to do on the portal a spa registration, so @tedvanderveen is right. So I do not understand how you get it to work with the web option in azure? The portal even happily displays "Your Redirect URI is eligible for the Authorization Code Flow with PKCE." Here is the output manifest
Edit: Furthermore, the
`options.ResponseType = OpenIdConnectResponseType.Code; options.Scope.Add(options.ClientId);`
need to be added in startup. So I believe we disagree.

@Ponant yes it just works!