Enable `AuthorizationCodeCredential` for `PublicClientApplication`

sreeise / graph-rs-sdk

Microsoft Graph API Client And Identity Platform Client in Rust

MIT License

114 stars 30 forks source link

Enable `AuthorizationCodeCredential` for `PublicClientApplication` #493

Closed Jeadie closed 1 month ago

Jeadie commented 2 months ago

When using graph-rs-sdk for authentication a PublicClientApplication with AuthorizationCodeCredential, I ran into several issues.
Only functional change is in impl TokenCredentialExecutor for AuthorizationCodeCredential's fn form_urlencode. We no longer check for a missing or empty client_secret, as per docs,'required for confidential web apps... Don't use the application secret in a native app or single page app because a client_secret can't be reliably stored on devices or web pages.' (see https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret).

sreeise commented 2 months ago

@Jeadie I think I see what the issue is. You want to use a spa based public client via authorization code credential. Your access token and refresh token both come on the redirect. But your AuthorizationCodeCredential doesn't use a client secret in this type of flow. This would be the implicit flow but this has also been changed to be the Auth code flow with PKCE. Is this correct?

Can you please provide an description of what it is you are expecting to happen and the walk through of the flow your using exactly?

I think what your looking for is detailed here right? https://learn.microsoft.com/en-us/entra/identity-platform/reference-third-party-cookies-spas#overview-of-the-solution

sreeise commented 2 months ago

@Jeadie Take a look at https://github.com/sreeise/graph-rs-sdk/pull/495

This adds a credential for Spa applications using a public client.

Jeadie commented 2 months ago

We're attempting to have users (running a tool locally), retrieve a AuthorizationCodeCredential via a redirect_url to a server running locally in the tool. Users cannot have access to a client_secret or equivalent.

sreeise commented 1 month ago

We're attempting to have users (running a tool locally), retrieve a AuthorizationCodeCredential via a redirect_url to a server running locally in the tool. Users cannot have access to a client_secret or equivalent.

Gotcha. Thanks for the response. I beleive #495 should solve this issue still. In that PR I made the PKCE required because thats what the auth flow says is required. But if its allowing you to do so without it I can make it optional. Let me know.

sreeise commented 1 month ago

Closing this out as the other work I mentioned got merged and I havn't heard anything back here. Let me know if there is an issue going forward.