Azure AD B2C: Clients must send a client_secret when redeeming a confidential grant

长发绾君心 2021-01-19 02:00

I try to set up authentication for an Angular app using authorization code and Azure AD B2C (oidc-client on client side), but I'm getting these errors from Angular:

3 answers
  •  花落未央
    2021-01-19 02:36

    I suspect that your code is fine but ...

    The last I heard, Azure AD does not allow cross origin calls to the token endpoint - and therefore does not support the Authorization Code Flow (PKCE) that SPAs should use in 2019.

    Unless I'm mistaken this will mean you need to use the (unrecommended) implicit flow when integrating with Azure AD. There have been problems for SPAs for a couple of years now.

    Out of interest I wrote a couple of posts on Azure SPA workarounds a couple of years ago - I suspect some of this is still relevant: https://authguidance.com/2017/11/30/azure-active-directory-setup/
