Open hkusulja opened 2 years ago
This plugin already implements the Authorization Code Flow, and does not implement the Implicit flow.
Oh, my bad then, thank you for the update. Please confirm that we can safely move Azure AD Authentication from "Web" to "Single-page application" inside the Azure AD portal. Thank you.
No, if you remove the redirect URL from "Web", the plugin will break. This is not a single-page application, so configuring the redirect URL like that would be inappropriate (and it would not work).
I've opened issue #252 to track adding support for PKCE, but the redirect URL would still be "web".
As per the Azure AD App update and support, to increase security, please support the new "Authorization Code Flow" with PKCE and CORS instead of the current "Implicit flow". This also means migrating, in Azure AD App registration > Authentication settings, from "Web" to "Single-page application" redirect URIs. https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-app-types#single-page-apps-javascript