Azure AD B2C: Clients must send a client_secret when redeeming a confidential grant

Asked 3/12, 2019 at 18:49 Answered 22/3, 2022 at 6:38

Solved angular openid-connect azure-ad-b2c oidc-client

I try to setup authentification for an Angular app using authorization code and Azure AD B2C (oidc-client on client side), but I'm getting these errors from Angular:

After looking in B2C audit logs, I found this error message:

Clients must send a client_secret when redeeming a confidential grant.

Here's my client side configuration:

const settings = {
  stsAuthority: 'https://supportodqqcdev.b2clogin.com/supportodqqcDev.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SignUpSignInOdqPlatine',
  clientId: '8447df5b-35a0-40a7-944f-5dcce87a2193',
  clientRoot: 'https://localhost:4200',
  scope: 'openid https://supportodqqcDev.onmicrosoft.com/platineclientdev/read',
};
this.userManager = new UserManager({
  authority: settings.stsAuthority,
  client_id: settings.clientId,
  redirect_uri: `${settings.clientRoot}/signin-callback`,
  scope: settings.scope,
  response_type: 'code',
  post_logout_redirect_uri: `${settings.clientRoot}/signout-callback`,
  automaticSilentRenew: true,
  silent_redirect_uri: `${settings.clientRoot}/assets/signin-silent-callback.html`,
});

If I switch the above configuration to use a local IdentityServer instance, everthings works has expected.

Is someone able to point me out where or how I should investigate this?

Simulator answered 3/12, 2019 at 18:49 Comment(2)

Who will redeem code for you? I guess you are using SPA and trying to integrate Auth Code flow. If you are using SPA then you must use implicit flow. B2C is showing client_secret is must because it needs that to redeem code. replace response_type value with 'token' and see what it is doing – Zebu 4/12, 2019 at 1:47

B2C currently supporting PKCE flow for Native Applications but not for Web. Native Applications can redeem auth code by using PKCE flow but not web applications. – Zebu 5/12, 2019 at 10:43

I had the exact same issue as you and was just able to resolve it.

AD is requesting the client_secret from you, because it isn't configured for PKCE yet. To tell AD that you want to use PKCE for a specific redirect url you need to set its type from 'Web' to 'Spa'. This can be done in the manifest.

Search for the property replyUrlsWithType in the Manifest and look for your .../signin-callback url. Change its type to 'Spa' and you should be good.

eg.:

"replyUrlsWithType": [
    {
        "url": "http://localhost:8080/signin-callback",
        "type": "Spa"
    },
]

The configured url will now disappear from your Authorization page but thats ok -> it's still present in the Manifest. The MS team is working on this new type.

Also make sure you marked your application as a public client.

For more information, see my answer here: Is Active Directory not supporting Authorization Code Flow with PKCE?

Trochelminth answered 17/4, 2020 at 13:10 Comment(0)

In the Azure AD B2C App there is now a simpler option to do that. In the Authentication tab where the Web Redirect URIs are you will probably see a message This app has implicit grant settings enabled. If you are using any of these URIs in a SPA with MSAL.js 2.0, you should migrate URIs. When you click that, a new window will let you choose which Redirect URI you want to move to the SPA Redirect URIs instead:

After that just click Configure and it should work. The Redirect URI will now be located in the SPA section instead of the Web one.

Azelea answered 30/8, 2021 at 10:8 Comment(0)

Your image shows a CORS error.

I'm not sure if oidc-client works OOTB with B2C. It's more for identityserver.

Have a look at the msal.js sample.

Yerga answered 3/12, 2019 at 20:26 Comment(1)

Thanks I know MSAL. I thought oidc-client was working with any STS? – Inextensible 4/12, 2019 at 1:8

I suspect that your code is fine but ...

The last I heard, Azure AD does not allow cross origin calls to the token endpoint - and therefore does not support the Authorization Code Flow (PKCE) that SPAs should use in 2019.

Unless I'm mistaken this will mean you need to use the (unrecommended) implicit flow when integrating with Azure AD. There have been problems for SPAs for a couple of years now.

Out of interest I wrote a couple of posts on Azure SPA workrounds a couple of years ag - I suspect some of this is still relevant: https://authguidance.com/2017/11/30/azure-active-directory-setup/

Hegyera answered 3/12, 2019 at 20:30 Comment(9)

When I get the well known config at

https://supportodqqcdev.b2clogin.com/supportodqqcDev.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SignUpSignInOdqPlatine

, code is included in the supported response types. It doesn't meen that Authorization Code Flow is supported? – Inextensible 4/12, 2019 at 1:11

In theory, it should but there are differences. You'll probably find msal.js won't work OOTB with identityserver. Also, I think that MSAL.js uses implicit flow not authorisation code grant. – Yerga 4/12, 2019 at 1:25

@MaximeGélinas, you should not use Auth Code flow for SPA apps, out of the box B2C supports Auth Code flow from SPA apps but we should not use that because of high security risk (risk is because, you need to expose client id and secret in client script and any one can easily read that from web). – Zebu 4/12, 2019 at 1:52

@Zebu Authz Code Flow is the new way for SPA. Implicit flow is deprecated since summer 2019. See: pluralsight.com/courses/openid-and-oauth2-securing-angular-apps. – Inextensible 4/12, 2019 at 13:9

Just to be clear - Authorization Code Flow (PKCE) is recommended for SPAs and Maxime's code looks fully correct. But Azure AD incorrectly block the request to the token endpoint. I would aim to resolve it by double hopping the request to the token endpoint via a back end API. I will update my sample to do this when I get some time. – Hegyera 5/12, 2019 at 8:10

PKCE is fully supported - and of course the client secret only needs to be supplied for web apps - not for SPAs: learn.microsoft.com/en-us/azure/active-directory/develop/… – Hegyera 5/12, 2019 at 8:23

Hmm - Microsoft articles still indicate that only (unrecommended) implicit flow is supported - as in my sample above: learn.microsoft.com/en-us/azure/active-directory/develop/… – Hegyera 5/12, 2019 at 8:32

So worst case scenario set response type to token id_token and you'll get your app working - as in my sample. This will not affect code in other parts of your SPA: github.com/gary-archer/authguidance.websample.azure/blob/master/… – Hegyera 5/12, 2019 at 8:34

I also agree with your choice of oidc client library - the best option out there - and enables you to easily switch your app to a different authorization server if needed. – Hegyera 5/12, 2019 at 8:37

In few comments, I read it as 'ADB2C currently supporting PKCE flow for Native Applications but not for Web', I know it's bit old discussion thread but I just wanted to inform that currently PKCE is recommended for all applications including web application.

Source

Downall answered 22/3, 2022 at 6:38 Comment(0)

Recommended topics

Hot tags