-
Notifications
You must be signed in to change notification settings - Fork 842
Network Error when trying to use PKCE with Angular SPA and Azure Active Directory #1024
Comments
Can you provide more info on the request/response payload for the token endpoint HTTP call? |
@brockallen - Please find the information below (I have edited some of the tokens and GUIDs to remove potentially sensitive information -
Request Headers -
Response Headers -
Request Payload
Response Payload -
Here is the config which is being used in the code -
|
In Azure AD, is your app registered as a native / desktop app? Checking since last time I checked, In the portal, you can check this under The explanation is found here, on the item |
@jorgecarleitao - Yep. The redirect URI is set to "Public Client/Native". As mentioned above, the PKCE flow seems to work because I am getting the |
I was able to reproduce this issue on the vanilla example. I pushed the changes to reproduce the issue here. The steps to reproduce are:
This will cause the Network error that @blueelvis is describing. |
@jorgecarleitao thx for that. i'll have a look when i can |
I have some time, so I spent some time investigating this. My conclusion is that this is an error on the AD side. Some facts:
Overall, this explains why the browser receives the response with status 200 and the token, but it does not pass it down to the js: the server is telling it not to. So, it seems to me that Microsoft is not allowing CORS requests to the Could someone with more experience of this chip in and validate/refute this hypothesis? If valid, we should raise it on Microsoft side and close this issue. EDIT: To validate this hypothesis, I installed a Firefox extension to temporarily disable CORS checks, and I was able to get the response across and no error was shown. EDIT 2: upon further investigation, PKCE for SPA is not supported by Microsoft AD, as per this discussion and in particular this comment. I thus recommend that we close this as won't fix. |
This all sounds legit to me. I know they didn't support CORS on the discovery endpoint for the longest time. It'd not surprise me if they didn't support CORS on the token endpoint. |
I asked someone who might know: https://twitter.com/BrockLAllen/status/1209178114804375552 |
Ah, sorry -- I missed this last comment. Thanks for looking into it. |
@brockallen @jorgecarleitao - Thanks a lot guys for the detailed explanation and investigation on this! Just curious but is it possible to catch the situation particularly about the CORS and mention in the logs? Otherwise, the way the log is written, it seems quite something else. Happy new year! |
Well, from the http error you can't quite tell that's the exact reason. |
Hi!
I am trying to use this package for getting PKCE to work with an Angular SPA with Azure Active Directory.
I am using the following blog posts for reference -
response_type
tocode
) - https://www.scottbrady91.com/Angular/Migrating-oidc-client-js-to-use-the-OpenID-Connect-Authorization-Code-Flow-and-PKCEThe problem is that when I am using the Access Tokens or ID Tokens workflow, the setup is working fine and I am able to hit the backend API. But, when I change the
response_type
tocode
, I am getting aNetwork Error
like below -I checked the network tab and I seem to be successfully getting the Azure Active Directory Bearer Token using the PKCE flow but because of the above, I am not able to query the backend API. It spits out the error while doing the following -
Any idea what I might be doing wrong?
Thanks,
Pranav
The text was updated successfully, but these errors were encountered: