Open ronackman opened 2 years ago
Tracked internally with b/216852386.
Any updates on this?
Hi, thanks for filing this issue! We are unable to promise any timeline for this feature request, but adding a +1 to this will help us prioritize it on our roadmap.
Any updates on the feature request? Does this mean the methods mentioned in the docs https://firebase.google.com/docs/auth/web/microsoft-oauth would not work?
I'm coming from https://stackoverflow.com/questions/76727538/firebase-authentication-with-microsoft-error-proof-key-for-code-exchange-is-re/76815902#76815902
Just inspected the call to https://login.microsoftonline.com/common/oauth2/v2.0/authorize with Burp Suite and it does not include the required code_challenge param for SPAs.
It seems like this issue is only affecting applications set up as SPAs. In my case, I temporarily resolved it by changing my configuration from SPA to Web when registering a new platform in my application in the Azure Portal. While I am sure this might lead to other issues, especially if the web page is actually an SPA, it is a quick fix.
I did find that firebase/auth does allow you to set custom parameters with:
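```javascript
import { OAuthProvider } from 'firebase/auth';

// Extra query parameters are forwarded on the provider's authorize request.
const provider = new OAuthProvider('microsoft.com');
provider.setCustomParameters({
  code_challenge: '...',
});
```
But not sure what to set it to yet, will read more on the PKCE RFC docs.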
@kdawgwilk you can generate a code challenge with codeVerifier, that's true, but it wouldn't help much. The thing is that codeVerifier also has to be supported by the auth backend on the grant token phase.
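The point of the two comments above, as an added example that is not part of the original thread or of Firebase's code: the S256 `code_challenge` derivation from RFC 7636, next to a simplified model of the token-endpoint check that shows why sending only the challenge from the browser is not enough. All function names are hypothetical, and `tokenRequestPasses` is an assumed stand-in for the authorization server's verification, not Microsoft's implementation.

```javascript
const { createHash, randomBytes, timingSafeEqual } = require('crypto');

// Client: 32 random bytes -> 43-char base64url code_verifier (RFC 7636 section 4.1).
function makeCodeVerifier() {
  return randomBytes(32).toString('base64url');
}

// Client: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (section 4.2).
function s256Challenge(codeVerifier) {
  return createHash('sha256').update(codeVerifier, 'ascii').digest('base64url');
}

// Parameters that accompany the authorize request.
function authorizeParams(codeVerifier) {
  return { code_challenge: s256Challenge(codeVerifier), code_challenge_method: 'S256' };
}

// Assumed model of the server-side check at the token endpoint (section 4.6).
// storedChallenge is what the server saved alongside the authorization code.
function tokenRequestPasses(storedChallenge, tokenRequest) {
  const verifier = tokenRequest.code_verifier;
  // Verifier must be present: 43-128 characters from the unreserved set.
  if (typeof verifier !== 'string' || !/^[A-Za-z0-9\-._~]{43,128}$/.test(verifier)) {
    return false;
  }
  const expected = Buffer.from(storedChallenge);
  const actual = Buffer.from(s256Challenge(verifier));
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// Constructed run: the browser sets code_challenge, then two token requests are compared.
function demo() {
  const verifier = makeCodeVerifier();
  const { code_challenge } = authorizeParams(verifier);
  return {
    // Whoever redeems the code also forwards the verifier: accepted.
    withVerifier: tokenRequestPasses(code_challenge, { code: 'constructed-code', code_verifier: verifier }),
    // The code is redeemed without the verifier: rejected.
    withoutVerifier: tokenRequestPasses(code_challenge, { code: 'constructed-code' }),
  };
}

console.log(demo());
```

The verifier has to reach whichever component redeems the authorization code, which is why a client-side `setCustomParameters` call alone does not complete the flow.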
Any update?
Recommended best practice for browser apps is authorization code flow with PKCE. https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps Are there plans to build this into the Firebase auth library?