Westy

Reputation: 121

Azure AD: Can I use an Authorization Code token to request an access token from a web service?

So, this is kind of related to the question here: How to enable CORS in an Azure App Registration when used in an OAuth Authorization Flow with PKCE?

I want to implement OAuth 2 for our single page JavaScript applications written in ExtJS. The server-side is written in .NET (4.6.2 currently) and has both JSON services used by the UI (implementing Ext.Direct) and SOAP services used for client integration.

We currently handle our own authentication which works quite similarly to the authorization code flow really. We login with a client id, username and password to get a token generation token (TGT), and then use this to request a short-lived product service token (PST). Requesting a PST extends the life of the TGT. When the TGT expires the user has to re-authenticate.

For the OAuth 2 route I obviously would like the user interface to direct people at the login page for Azure, the user to login there, with whatever MFA they may require, and then come back to the UI as a known user. I'm not bothered where I go for the product service token, although I think it makes sense to go to Azure if possible, since ultimately we'd like to move everyone in that direction I suspect.

So, I have wrapped some of the code above in an ExtJS class, and managed to retrieve a valid authorization token. So far so good. When I then attempt to request an access token I hit the same issue with CORS that the poster of that question did. I just cannot see how anyone can be using the Authorization Code with PKCE flow with Azure at the moment, since your application will never be hosted on the same domain used for login surely?!

Anyway. I'm wondering about my options. I'm wondering now if I can post the authorization code that gets passed back to the UI (with the PKCE code perhaps) up to the web services and get the web services to handle the communication with Azure for the access tokens. Does that stand more chance of success, or am I just going to hit the same problem there?

Implicit Flow is not an option. None of our clients will accept that.

What other options are there? Is there a purely server-side to Azure option that I should be using, and worry about the UI afterwards?

Struggling to see a way forward! Would appreciate any insights you may have.

Cheers, Westy

Upvotes: 0

Views: 2714

Answers (1)

Westy

Reputation: 121

Okay, after days of banging my head against the stupidity of Azure's implementation I stumbled upon a little hidden nugget of information here: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser#prerequisites

If you change the type of the redirectUri in the manifest from 'Web' to 'Spa' it gives me back an access token! We're in business! It breaks the UI in Azure, but so be it.

I hope this helps someone else going through similar pain. I'll also post on the linked thread :)

Upvotes: 1
