TomMhC

Reputation: 133

Blazor WASM AzureAD IdentityServer results in AADSTS90023: Public clients can't send a client secret

I'm trying to get IdentityServer 6 in Blazor WASM (an ASP.NET hosted solution) to work with a Microsoft ID but am running into the error message "AADSTS90023: Public clients can't send a client secret". I feel like I've tried every configuration I can think of, but hopefully I still missed something.

The IdentityServer configuration uses the 'SPA' profile which I believe is correct for my scenario:

"IdentityServer": {
    "Clients": {
        "Blazor.Client": {
            "ClientId": "Blazor.Client",
            "ClientName": "Blazor.Client",
            "Profile": "SPA",
            "RedirectUri": "https://localhost:15601",
            "LogoutUri": "https://localhost:15601"
        }
    }
}

The configuration code follows the simplest example:

.AddMicrosoftAccount(options =>
{
    options.ClientId = <clientId>;
    options.ClientSecret = <secret>;
})

Because these code snippets are basically the simplest way of doing this I'm assuming something is wrong with my AzureAD application registration but I can't figure out what. I've included the manifest:

{
    "id": "<id>",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": false,
    "appId": "<apiId>",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2021-12-10T09:21:08Z",
    "certification": null,
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": null,
    "identifierUris": [
        "api://<apiId>"
    ],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "<name>",
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDate": "2023-12-10T09:21:45.315Z",
            "keyId": "<keyId>",
            "startDate": "2021-12-10T09:21:45.315Z",
            "value": null,
            "createdOn": "2021-12-10T09:21:57.2927675Z",
            "hint": "H1f",
            "displayName": "<displayName>"
        }
    ],
    "preAuthorizedApplications": [],
    "publisherDomain": "<publisherDomain>.onmicrosoft.com",
    "replyUrlsWithType": [
        {
            "url": "https://localhost:15602/signin-microsoft",
            "type": "Spa"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "<someId>",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "tags": [],
    "tokenEncryptionKeyId": null
}

Is this scenario not supported or am I doing something wrong?

EDIT: ultimately the problem lay in the redirect URI platform, which should not be set to 'SPA' but to 'Web', because it isn't the client doing the authentication but the IdentityServer web service. The relevant part would be:

"replyUrlsWithType": [
    {
        "url": "https://localhost:15602/signin-microsoft",
        "type": "Web"
    }
]

Upvotes: 1

Views: 452

Answers (1)

kavya Saraboju

Reputation: 10831

  1. The client secret actually must be kept secret, i.e., you cannot put it in the website and use it from a public front-end. The client credentials flow design says the same.
  2. Blazor WebAssembly applications are called a 'public application' in OAuth/OpenID terms.

Note: According to the Microsoft docs:

Public clients (native applications and single page apps) must not use secrets or certificates when redeeming an authorization code - always ensure that your redirect URIs correctly indicate the type of application

  • So try to disable the requirement for the client secret on the IdP, and also refresh tokens, since they can't be handled in a secure/safe way either.

  • The recommendation is that you use code+PKCE for public clients, which happens automatically when you set the response_type to code.

Reference: Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Docs

Upvotes: 1
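The two pieces of the thread, the asker's EDIT (the redirect URI platform must be 'Web' because the IdentityServer host, not the browser, redeems the code) and the answer's point (public clients use PKCE and never a secret), come down to one token-endpoint rule. The script below is an added example written for this page; it is not code from the question, the answer, Microsoft or IdentityServer. The registrations, secret, placeholder redirect URI and the endpoint policy are constructed for illustration; only the AADSTS90023 error text is taken from the question.

```python
"""Model of why a 'Spa' registration rejects a client secret (AADSTS90023) and why
the 'Web' platform is right when a confidential server-side client redeems the code.

Added example; the registrations, secrets and endpoint policy below are constructed.
"""
import base64
import hashlib
import secrets

# Constructed registrations mirroring the broken ("Spa") and fixed ("Web")
# manifest fragments from the question. The secret is a placeholder.
REGISTRATIONS = {
    "spa-registration": {
        "replyUrlsWithType": [{"url": "https://localhost:15602/signin-microsoft", "type": "Spa"}],
        "client_secret": "constructed-secret",
    },
    "web-registration": {
        "replyUrlsWithType": [{"url": "https://localhost:15602/signin-microsoft", "type": "Web"}],
        "client_secret": "constructed-secret",
    },
}


def platform_for(registration, redirect_uri):
    """Return the platform type ('Spa', 'Web', ...) registered for a redirect URI, or None."""
    for entry in registration["replyUrlsWithType"]:
        if entry["url"] == redirect_uri:
            return entry["type"]
    return None


def is_public_client(platform):
    # Per the Microsoft docs quoted in the answer: SPAs and native apps are public clients.
    return platform in ("Spa", "InstalledClient")


def make_pkce_pair():
    """Generate a PKCE code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def pkce_matches(verifier, challenge):
    """Check that the presented verifier hashes to the challenge sent at authorization time."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode() == challenge


def redeem_code(app_id, redirect_uri, client_secret=None, code_verifier=None, code_challenge=None):
    """Simplified token-endpoint policy for redeeming an authorization code.

    Returns a (status, detail) pair. This is the example's own model of the rule,
    not Microsoft's implementation.
    """
    registration = REGISTRATIONS[app_id]
    platform = platform_for(registration, redirect_uri)
    if platform is None:
        return "error", "redirect_uri not registered"
    if is_public_client(platform):
        # Public client: a secret must not be sent, possession is proven with PKCE.
        if client_secret is not None:
            return "error", "AADSTS90023: Public clients can't send a client secret"
        if not (code_verifier and code_challenge and pkce_matches(code_verifier, code_challenge)):
            return "error", "public client must prove possession of the code with PKCE"
        return "ok", "token issued to public client (PKCE)"
    # 'Web' platform: confidential client, e.g. the IdentityServer host doing the exchange.
    if not secrets.compare_digest(client_secret or "", registration["client_secret"]):
        return "error", "confidential client must authenticate with its client secret"
    return "ok", "token issued to confidential client (secret)"


if __name__ == "__main__":
    uri = "https://localhost:15602/signin-microsoft"
    print(redeem_code("spa-registration", uri, client_secret="constructed-secret"))
    print(redeem_code("web-registration", uri, client_secret="constructed-secret"))
    verifier, challenge = make_pkce_pair()
    print(redeem_code("spa-registration", uri, code_verifier=verifier, code_challenge=challenge))
```

The first call reproduces the question's failure: a secret sent against a 'Spa' registration is refused outright. The second is the asker's fix: the same secret against a 'Web' registration is accepted, because the server-side IdentityServer host can keep it confidential. The third shows what a genuinely browser-hosted client would do instead, redeeming the code with a PKCE verifier and no secret at all.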
