I'm new to Azure and I need to implement a login flow using Azure AD for an application where the frontend retrieve the code and the backend have to generate the access token from the code already generated

On the FE side I'm using react with @azure/msal-browser and my source code looks like :

    publicClientApp = new PublicClientApplication({
      auth: {
        clientId: azureConfig.clientId,
        authority: azureConfig.authority,
        redirectUri: azureConfig.redirectUrl,
      },
      cache: {
        cacheLocation: 'sessionStorage',
        storeAuthStateInCookie: false,
      },
    });
    await publicClientApp.loginRedirect({
      scopes: azureConfig.scopes,
      prompt: 'select_account',
    });

Then I recieve a code : code=0.AU4AxXIC70Ma9ESVBt5raWVI_yqY9ha1CQhMgMGmdTdc8tODAAA...

On the BE side I recieve this code and I need to generate the access token and get user claims. To do this I have my symfony project with thenetworg/oauth2-azure package installed, so my code looks like :

    $this->provider = new Azure([
        'clientId'          => $this->parameterBag->get('azure_client_id'),
        'clientSecret'      => $this->parameterBag->get('azure_client_secret'),
        'redirectUri'       => $this->parameterBag->get('azure_redirect_uri'),
        'scopes'            => ['openid'],
        'defaultEndPointVersion' => Azure::ENDPOINT_VERSION_2_0,
    ]);
    
    $token = $this->provider->getAccessToken('authorization_code', [
        'scope' => $this->provider->scope,
        'code' => $code,
    ]);

But I receive this error :

invalid_grant AADSTS501481: The Code_Verifier does not match the code_challenge supplied in the authorization request.
Trace ID: 254744d9-ab7b-4c31-9dbe-0485bfd50501
Correlation ID: bb4a3ddf-6527-4b2c-98af-a124b66527d6
Timestamp: 2022-11-22 15:08:41Z

Any hint to get this done ?

CodePudding user response：

I tried to reproduce the same in my environment via Postman and got below results:

I registered one Azure AD application by selecting Single-page application in Redirect URIs like below:

It seems @azure/msal-browser library uses Authorization Code Flow with PKCE that needs code_challenge to get code for Single-page applications.

I manually generated code_challenge using PKCE Generator Tool like below:

To get code, I ran below authorization request in browser:

https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize?
client_id=AppID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=openid
&state=12345
&code_challenge=Nj9Youq443xUOCe_HsmBXJy5dKC8YsqlUdn1sga3CR0
&code_challenge_method=S256

When I ran the above request by signing in with admin credentials, I got consent screen like below:

After accepting the above consent, I got code in address bar as below:

When I tried to generate access token with below parameters via Postman, I got same error as below:

POST https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token

client_id:AppID
grant_type:authorization_code
client_secret:secret
scope:openid
code:code_from_above_request
redirect_uri:https://jwt.ms

Response:

To resolve the error, make sure to include code_verifier by removing client_secret if you are using Single-page application.

I got the tokens successfully when I included code_verifier like below:

POST https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token

client_id:AppID
grant_type:authorization_code
scope:openid
code:code
redirect_uri:https://jwt.ms
code_verifier:S256

Response

In your case, try including code_verifier parameter in your code while generating token.

If the issue still persists, try updating your msal-browser version to 2.11.0.

You can refer this GitHub issue by thoo1 for more details.