2
votes

I am thinking of upgrading the authentication flow in my angular app from implicit flow to authorization code flow with pkce. I am using Azure AD as the auth provider.

I didn't find documentation related to pkce flow for spa in Microsoft docs. Auth0 has already started supporting pkce from last year, wanted to know if Azure ad supports it. Or if it is in their future road map.


4 Answers

6
votes

Azure AD supports PKCE on both the v1.0 and v2.0 endpoints.

You can find the v2.0 documentation here and the v1.0 documentation here.

0
votes

Microsoft have recently fixed the CORS issue. Changes required:

Change your redirect URI type to enable CORS. You can do this by going to the manifest editor for your app registration in the portal, finding the replyUrlsWithType section and changing the type of your redirect URI to SPA. This may remove the affected redirect URIs from the Web platform Authentication tab - that's OK! We are working on getting UI set up for this.

Source: https://www.npmjs.com/package/@azure/msal-browser

0
votes

Yes. The Azure AD platform supports PKCE on both the v1.0 and v2.0 endpoints. But for SPAs, e.g. Angular, it is not officially supported by Microsoft. For Angular, there is only an example for Implicit Flow.

https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-angular

Some other libraries support PKCE with Azure AD, e.g. https://github.com/damienbod/angular-auth-oidc-client. Example of using PKCE from the author: https://github.com/damienbod/AzureAD-Auth-MyUI-with-MyAPI

But not all features are so perfect from the user's point of view, e.g. when switching tabs, or when some token is refreshed. It would be better to check the issue list and then make the decision.

0
votes

Previously I posted that PKCE was not supported but that is no longer the case. If it helps here is a PKCE code sample and blog post that will give readers something to compare against:

It should be possible to just reconfigure the JSON configuration files to get the sample working. Note however that I am using standards based certified libraries and not Microsoft specific libraries.