Closed mateokurti closed 1 year ago
I came here because I'm using allauth to help a customer set up an MS OAuth login and I encountered a PKCE error.
The exact error code is
AADSTS9002325: Proof Key for Code Exchange is required for for cross-origin authorization code redemption.
Is this the same issue as yours, @mateokurti ?
I also note that the standard Azure Python library has a method to help generate the PKCE identifier: https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/e94dda5f8140673e55e2cd825174ee98d886857e/msal/oauth2cli/oauth2.py#L475
and I think Azure moved to what they call the auth code flow, away from the previous implicit grant flow, because going forward, third-party browser cookies will be impacted. See https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow#prefer-the-auth-code-flow
and I quote
With the plans for third party cookies to be removed from browsers, the implicit grant flow is no longer a suitable authentication method. The silent SSO features of the implicit flow do not work without third party cookies, causing applications to break when they attempt to get a new token. We strongly recommend that all new applications use the authorization code flow that now supports single page apps in place of the implicit flow, and that existing single page apps begin migrating to the authorization code flow as well.
And this auth code flow will definitely require a PKCE identifier to support use without third-party cookies for OAuth login.
I also note that other providers also need the same PKCE setup, but they made it optional. For example, AWS Cognito also uses the code_challenge and code_challenge_method query params for PKCE, but they made them optional: https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
Added via c1b8fe5e
When redeeming a code for an access token using a client_secret, according to the Microsoft documentation it is recommended to send the code_verifier as a parameter. However, when using a code_challenge with SHA256 as the code_challenge_method, it seems to be necessary to also send the code_verifier.
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#redeem-a-code-for-an-access-token
I tried to send the token request using the default configuration of OAuth2 Provider, but Microsoft responded with the following errors:
or
It was this blog post which made me realise the problem. It is in Japanese, but I think it can be easily translated.
I modified the get_access_token method under allauth.socialaccount.provider.oauth2.client.py and, after client_secret, also added "code_verifier": self.consumer_secret to the data that were sent, and this seemed to fix the issue. I think this is a necessary change for Azure AD, but I am not sure if this might conflict with other providers.
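For reference, here is the PKCE pairing that the thread is about, written as an added example (not allauth's or MSAL's code): the code_verifier is a random per-login secret, its S256 challenge goes in the authorization request, and the same verifier is sent back with client_secret at token redemption, as RFC 7636 defines it. The endpoint URL, client id and redirect URI below are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholder; a real tenant uses its own authorize endpoint.
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def generate_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 4.1: 43-128 unreserved characters; 32 random bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """RFC 7636 4.2: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, state: str, code_verifier: str) -> str:
    """First leg: only the challenge leaves the client; the verifier stays in the session."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def build_token_request_data(client_id: str, client_secret: str, redirect_uri: str,
                             code: str, code_verifier: str) -> dict:
    """Second leg: the verifier stored for this login is sent alongside client_secret."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }


def verifier_matches_challenge(code_verifier: str, code_challenge: str) -> bool:
    """The check the authorization server performs at redemption (constant-time compare)."""
    return secrets.compare_digest(code_challenge_s256(code_verifier), code_challenge)
```

Because the verifier is tied to one authorization request, it has to be stored per session between the two legs rather than reused as a fixed value.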