Azure AD B2C: Clients must send a client_secret when redeeming a confidential grant

生来就可爱ヽ(ⅴ<●) Submitted on 2020-06-17 14:15:57

Question


I try to set up authentication for an Angular app using authorization code and Azure AD B2C (oidc-client on client side), but I'm getting these errors from Angular:

After looking in B2C audit logs, I found this error message:

Clients must send a client_secret when redeeming a confidential grant.

Here's my client side configuration:

import { UserManager } from 'oidc-client';

const settings = {
  // B2C metadata endpoint for the user flow (policy) in use
  stsAuthority: 'https://supportodqqcdev.b2clogin.com/supportodqqcDev.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SignUpSignInOdqPlatine',
  clientId: '8447df5b-35a0-40a7-944f-5dcce87a2193',
  clientRoot: 'https://localhost:4200',
  scope: 'openid https://supportodqqcDev.onmicrosoft.com/platineclientdev/read',
};
this.userManager = new UserManager({
  authority: settings.stsAuthority,
  client_id: settings.clientId,
  redirect_uri: `${settings.clientRoot}/signin-callback`,
  scope: settings.scope,
  response_type: 'code', // authorization code flow (oidc-client adds PKCE for this response type)
  post_logout_redirect_uri: `${settings.clientRoot}/signout-callback`,
  automaticSilentRenew: true,
  silent_redirect_uri: `${settings.clientRoot}/assets/signin-silent-callback.html`,
});

If I switch the above configuration to use a local IdentityServer instance, everything works as expected.

Is someone able to point out where or how I should investigate this?


Answer 1:


I had the exact same issue as you and was just able to resolve it.

AD is requesting the client_secret from you, because it isn't configured for PKCE yet. To tell AD that you want to use PKCE for a specific redirect url you need to set its type from 'Web' to 'Spa'. This can be done in the manifest.

Search for the property replyUrlsWithType in the Manifest and look for your .../signin-callback url. Change its type to 'Spa' and you should be good.

eg.:

"replyUrlsWithType": [
    {
        "url": "http://localhost:8080/signin-callback",
        "type": "Spa"
    }
]

The configured url will now disappear from your Authorization page but that's ok -> it's still present in the Manifest. The MS team is working on this new type.

Also make sure you marked your application as a public client.

For more information, see my answer here: Is Active Directory not supporting Authorization Code Flow with PKCE?




Answer 2:


Your image shows a CORS error.

I'm not sure if oidc-client works OOTB with B2C. It's more for identityserver.

Have a look at the msal.js sample.




Answer 3:


I suspect that your code is fine but ...

The last I heard, Azure AD does not allow cross origin calls to the token endpoint - and therefore does not support the Authorization Code Flow (PKCE) that SPAs should use in 2019.

Unless I'm mistaken this will mean you need to use the (unrecommended) implicit flow when integrating with Azure AD. There have been problems for SPAs for a couple of years now.

Out of interest I wrote a couple of posts on Azure SPA workarounds a couple of years ago - I suspect some of this is still relevant: https://authguidance.com/2017/11/30/azure-active-directory-setup/



Source: https://stackoverflow.com/questions/59163544/azure-ad-b2c-clients-must-send-a-client-secret-when-redeeming-a-confidential-gr
