usebruno / bruno

Open-source IDE for exploring and testing APIs (lightweight alternative to Postman/Insomnia)
https://www.usebruno.com/
MIT License

Support for Custom Headers in OAuth 2.0 Authorization Code Flow #1785

Open giuseppemilicia opened 7 months ago

giuseppemilicia commented 7 months ago

In the OAuth 2.0 Authorization Code Flow, certain Identity Providers like Microsoft require specific headers during the access token call. Without these headers, requests fail with errors like AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests.

Developers should be able to include custom headers, such as Origin, when making the access token call, ensuring seamless integration with Identity Providers that require specific headers.

Semour81 commented 6 months ago

In Postman you can configure custom headers for authorization requests. This allows you to set the Origin header for the Authorization Code flow (with PKCE). Without that header, there is no way (that I know of) to avoid the AADSTS9002327 error. This means you can't get a valid access token in Bruno for such a scenario. Need to stick to Postman, unfortunately.

Adding functionality to Bruno similar to what Postman has would be highly appreciated.

ChristophFiechter commented 2 months ago

It also works in Bruno. Just manually set a header "origin" in your request and then the Authorization Code Flow with PKCE works for Microsoft for example.