Closed ZephyrZiggurat closed 1 month ago
Hi,
The redirect url is added as a SPA in Entra.
Is there any particular reason for choosing an SPA app? It would make sense if the OpenIddict client had a Browser/WASM integration, but it cannot currently be used in such apps (at least not yet 😄).
In Balosar, GitHub authentication is purely handled server-side, so the best application model to use in that case would be "Web".
Note: you can restrict the Origin-related configuration to the MSFT provider only:
options.UseSystemNetHttp()
.ConfigureHttpClient(Providers.Microsoft, client => client.DefaultRequestHeaders.Add("Origin", "x"))
.SetProductInformation(typeof(Startup).Assembly);
Thank you for the information! I registered it as an SPA/PKCE due to a bad assumption. MS recommends using PKCE auth codes but I didnt consider that the login is being performed from the server-side in the case of AddClient.
Are there any downsides to leaving it as a SPA?
MS recommends using PKCE auth codes but I didnt consider that the login is being performed from the server-side in the case of AddClient.
Don't assume .AddClient()
always means "server-side": the OpenIddict client can also be natively used in desktop and mobile apps thanks to its OpenIddict.Client.SystemIntegration
package (and in this case, the "native" application model is the best option).
Are there any downsides to leaving it as a SPA?
You can't define your app as a confidential client and so can't get a client secret. "Web" is really the best option for a web app.
Personal contribution
Version
5.7.0
Provider name
Microsoft
Describe the bug
I swapped out GitHub for Microsoft in the Balosar sample project, but i'm getting
The token request was rejected by the remote server.
.The redirect url is added as a SPA in Entra. I believe the only other change made during registration was adding profile/openid to the permissions.
I found this issue https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2482 that mentions an Origin header is required. I also found this blog that says the value Origin header can be anything: https://www.frodehus.dev/using-pkce-with-asp-net-core-webapp-and-azure-ad/
I made this additional change to the code:
and it worked beautifully.
So, my question now is: should the web provider send the Origin header or is this just a known issue/configuration that I missed?
To reproduce
Using the Balosar sample, all I did was swap out GitHub config for Microsoft:
The console shows:
Exceptions (if any)
No response