Blazor WebAssembly Standalone authorization via AAD template does not (can not?) use authorization code flow (w/PKCE)... #23572
Labels:
area-blazor (Includes: Blazor, Razor Components)
enhancement (This issue represents an ask for new feature or an enhancement to an existing one)
✔️ Resolution: Duplicate (Resolved as a duplicate of another issue)
help wanted (Up for grabs. We would accept a PR to help resolve this issue)
Status: Resolved
Describe the bug
When creating a Blazor WASM Standalone SPA as described here: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-azure-active-directory?view=aspnetcore-3.1 , the application uses implicit grant flow as opposed to the recommended and more secure authorization code flow.
To Reproduce
https://localhost:5001/authentication/login-callback
dotnet new blazorwasm -au SingleOrg --client-id "{CLIENT ID}" --tenant-id "{TENANT ID}"
Exceptions (if any)
https://localhost:5001/authentication/login-failed?message=AADSTS700054:%20response_type%20%27id_token%27%20is%20not%20enabled%20for%20the%20application...
This exception is fixed when implicit flow is enabled but this is not the goal. The goal is to use the more secure authorization code flow.
Further technical details
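Added example, not part of the original issue or of the Blazor template's code: a check that can be run on the authorize request URL captured from the browser's network tab to see which flow the app is actually using, plus a parser for a login-failed redirect like the one quoted in the issue. The function names, the sample requests and the TENANT_ID / CLIENT_ID placeholders are constructed for illustration.

```javascript
// Added example: classify an OAuth 2.0 / OpenID Connect authorization request
// by its query parameters. All sample URLs below are constructed.

function classifyAuthRequest(authorizeUrl) {
  const q = new URL(authorizeUrl).searchParams;
  const types = (q.get('response_type') || '').split(/\s+/).filter(Boolean);
  const hasCode = types.includes('code');
  // Tokens delivered directly in the redirect (implicit or hybrid flow).
  const frontChannelTokens = types.filter(t => t === 'token' || t === 'id_token');
  const challenge = q.get('code_challenge');
  // RFC 7636: code_challenge_method defaults to "plain" when omitted.
  const method = challenge ? (q.get('code_challenge_method') || 'plain') : null;

  let flow;
  if (hasCode && frontChannelTokens.length) flow = 'hybrid';
  else if (hasCode) flow = challenge ? 'code+pkce' : 'code';
  else if (frontChannelTokens.length) flow = 'implicit';
  else flow = 'unknown';

  const findings = [];
  if (frontChannelTokens.length)
    findings.push(`tokens returned in the redirect: ${frontChannelTokens.join(', ')}`);
  if (hasCode && !challenge) findings.push('code requested without code_challenge');
  if (method === 'plain') findings.push('code_challenge_method is plain, not S256');
  return { flow, method, findings };
}

// Pull the AADSTS error code out of a login-failed redirect like the one in the issue.
function parseLoginFailed(callbackUrl) {
  const message = new URL(callbackUrl).searchParams.get('message') || '';
  const m = /^(AADSTS\d+):\s*(.*)$/s.exec(message);
  return m ? { code: m[1], detail: m[2] } : { code: null, detail: message };
}

// Constructed sample requests; TENANT_ID and CLIENT_ID are placeholders.
const base = 'https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?client_id=CLIENT_ID';
const SAMPLES = {
  implicit: `${base}&response_type=id_token&response_mode=fragment&nonce=n1`,
  pkce: `${base}&response_type=code&code_challenge=CONSTRUCTED_CHALLENGE&code_challenge_method=S256`,
  codeNoPkce: `${base}&response_type=code`,
};

for (const [name, url] of Object.entries(SAMPLES))
  console.log(name, classifyAuthRequest(url));
```

A request classified as `implicit` with `response_type=id_token` is the one that produces the AADSTS700054 redirect when implicit grant is not enabled on the app registration.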