Quote of the Day

more Quotes

Categories

Recent Posts

Top Posts

Buy me a coffee

  • Home>
  • security>
  • Obtain access token via authorization code grant with PKCE in angular using oidc-client-js and Microsoft Identity Platform.
Share
Tweet

Obtain access token via authorization code grant with PKCE in angular using oidc-client-js and Microsoft Identity Platform.

Published April 13, 2020 in Angular , Azure , Azure Active Directory , OAuth2 , OpenID Connect , security - 2 Comments

Recently, I learned about why implicit flow is not secure because of exposing the access token in the browser. Authorization code grant with PKCE is more secure and should be preferred over implicit flow for protecting a public application which cannot keep the client secret secure. The good new is if you already use oidc-client-js and get tokens from azure ad via implicit flow, the changes you have to make to use authorization code flow with PKCE are minimal. In this post, I show what you need to change to use authorization code grant with PKCE.

For code reference, checkout the sample project here.

Changes in app

  • In your angular application, set response_type for oidc-client-js to ‘code’. 
oidcSettings: {
    client_id : '{replace with client id you register for your angular app in azure ad}',
    authority: 'https://login.microsoftonline.com/{replace with your tenant id}/v2.0/',
    response_type: 'code',  
    post_logout_redirect_uri: 'http://localhost:4200/',
    loadUserInfo: false,
    redirect_uri: 'http://localhost:4200/',
    silent_redirect_uri: 'http://localhost:4200/',
    scope: '{replace with the scope you define in Expose API section of the app registration for your api in azure ad} openid profile'
  }

Changes in azure app registration

  • In the manifest of your angular app registration, set allowPublicClient to true and type under replyUrlsWithType section to Spa. 
{
  "id": "...",
  ....
  "allowPublicClient": true,
  ...
  "replyUrlsWithType": [
    {
      "url": "http://localhost:4200",
      "type": "Spa"
    }
  ],
  ...
}
  • Under Authentication, Advanced settings, set
    Treat application as a public client to Yes.
Set application as a public client to use authorization code with PKCE

That’s it. Although the changes are minimal, it took me a few hours to realize the changes i need to make in the manifest file to enable the grant. This is probably because support for authorization flow with PKCE is still new. Indeed, at the time of writing, the MSAL library for javascript just releases an alpha verison which has support for authorization code with PKCE.

MSAL.js support for authorization code flow with PKCE

References

Migrating oidc-client-js to use the OpenID Connect Authorization Code Flow and PKCE

Implement the OAuth 2.0 Authorization Code with PKCE Flow

Disadvantages of the Implicit Flow

Msal-browser releases

Tags: authorization code, authorization code grant with PKCE, Microsoft Identity Platform, msal.js, oidc-client-js
Related Posts

My experience in using GitHub Copilot in Visual Studio and Visual Studio Code.

Cache angular components using RouteReuseStrategy

Using MSAL angular to authenticate a user against azure ADB2C via authorization code flow with Proof Key for Code Exchange.

Displaying text in a tool tip when text overflows its container

Azure AD authentication in angular using MSAL angular v2 library

Common frameworks, libraries and design patterns I use

Rendering a PDF in angular that works with mobile browsers using ng2-pdf-viewer

Differences between a Promise and an Observable

2 comments

Previous post: Securely log to blob storage using NLog with connection string in key vault. Next post: How to detect iBeacons in a NativeScript-Angular app.