pkce / azureAd - SPA / AADSTS700025

[qmitchell-aa]

Hi

I'm trying to auth with azureAd with an existing app registration setup for SPA. I followed this,

https://httpyac.github.io/guide/variables.html#oauth2-openid-connect

When I provide the clientSecret I get: "AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented."

When I don't provide the clientSecret I get: "AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app"

Any tips? Feels like I shouldn't need to provide the clientsecret. Httpyac should just get the auth code , send auth code & clientId to get the token. Auth code flow shouldn't require the client to send a client secret. See: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow#redirect-uris-for-single-page-apps-spas

[AnWeber]

I think you are using wrong flow. AuthorizationCode Flow does not send Client Secret (Code) Please Set Loglevel to Debug and verify which Flow is used. Or maybe it is already written to OutputChannel httpyac - Request

[qmitchell-aa]

Hi Andreas! Wanted to quickly say how much I appreciate your work, and if there's a way I can send you a free coffee or some other personal token of my appreciation. You Are Amazing :)

Here's a sanitized view of what I've got,

file.http

GET /x2/some-api
Authorization: openid authorization_code x2

myenv.env* (for when I don't provide client secret)

x2_clientId="xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
x2_tokenEndpoint="https://login.microsoftonline.com/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/oauth2/v2.0/token"
x2_authorizationEndpoint="https://login.microsoftonline.com/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/oauth2/v2.0/authorize"
x2_redirectUri="http://localhost:3000/callback"
x2_usePkce="true"

httpyac - Request

---------------------

POST https://login.microsoftonline.com/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/oauth2/v2.0/token
accept-encoding: gzip, deflate, br
authorization: Basic XXXXXXXXXXXXXXXXXXX
content-length: 1000
content-type: application/x-www-form-urlencoded
user-agent: got (https://github.com/sindresorhus/got)

grant_type=authorization_code&scope=opendid&code=XXXXXXXXXX&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&code_verifier=XXXXXXXXXXXXX

HTTP/1.1 401  - Unauthorized
cache-control: no-store, no-cache
connection: close
content-length: 623
content-type: application/json; charset=utf-8
date: Fri, 23 Aug 2024 14:29:40 GMT
expires: -1
p3p: CP="XXXXXXXXXXXX"
pragma: no-cache
set-cookie: fpc=XXXXXXXXXXXXX; expires=Sun, 22-Sep-2024 14:29:41 GMT; path=/; secure; HttpOnly; SameSite=None,x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly,stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-ms-ests-server: 2.1.18794.6 - NCUS ProdSlices
x-ms-request-id: XXXXXXXXXXXXXXXXXX
x-ms-srs: 1.P
x-xss-protection: 0

{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'xxxx-xxxx-xxxx-xxxx-xxxxxxx'. Trace ID:  Correlation ID:  Timestamp: ","error_codes":[7000215],"timestamp":"","trace_id":"","correlation_id":"","error_uri":"https://login.microsoftonline.com/error?code=7000215"}

[qmitchell-aa]

I was reading thru this issue: AnWeber/httpyac#1

And feeling like the client secret needs to be set in the .env file... but I'm kinda confused on why. Maybe httpyac doesn't support redirect URLs that were defined for SPA apps, but it does for Web apps. Also, the grid here: https://httpyac.github.io/guide/variables.html#oauth2-openid-connect , says that the clientSecret is required for auth code.

If I use a redirect URL defined for Web App, and put the client secret in, then I get a more promising error. I gotta talk with my IT dept to click "Grant admin consent for XXXX" and maybe that'll finish my journey here.

AADSTS65001: The user or administrator has not consented to use the application with ID ....

[qmitchell-aa]

@AnWeber - thank you for your time pondering Auth with me :) . I'm going to use WebApp + Authentication Code + Client Secret.

I was able to fix the above error AADSTS65001 by using the appropriate scope to gain 'user' consent.

[AnWeber]

@qmitchell-aa That's the beauty of oauth2. Easy to understand, but if you have to configure it, oh dear. Glad you got it working:-)

[AnWeber]

And feeling like the client secret needs to be set in the .env file

I went through the code again. yes, you are right client_secret is also sent.

Maybe httpyac doesn't support redirect URLs that were defined for SPA apps

httpyac requires a redirect Uri to localhost:3000. This is a design decision of mine. Postman or Intellij Http Client force the use of the own browser with which you intercept the redirect and thus determine the access token (Man-In-The-Middle). I didn't want to go this way, as it would also allow me to intercept the password. httpyac therefore really needs localhost:3000 as the redirect Uri. I open an Http server on this port and wait for the AccessToken.

[AnWeber]

Now I notice something again. SPA should not use Authorization Code Flows because the client secret can not saved securly (https://learn.microsoft.com/de-de/entra/identity-platform/v2-oauth2-auth-code-flow)

Therefore, the implicit flow would be more correct in this case. So either the way via WebApp + AuthorizationCode + Client Secret or SPA + Implicit Flow. In both cases, however, localhost:3000 is required as Redirect Uri

[qmitchell-aa]

Thank you! I figured out WebApp + AuthorizationCode + Client Secret.

I'm not confident about the SPA way, but I leave that up to the next person's journey.