Make Entra app-registration flow secretless (public PKCE)
The register flow exchanged the auth code as a confidential client (Oidc:ClientId + Oidc:ClientSecret), requiring a pre-provisioned backing app with a secret. Drop client_secret from the exchange so it uses PKCE only — the backing app is now a public client and no secret touches the client-tenant register/connect flows. The toolbox's own OIDC sign-in still uses Oidc:ClientSecret (unchanged). Also enable user-secrets (UserSecretsId) so Oidc config stays out of the committed appsettings.json. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -133,15 +133,13 @@ public static class OAuthEndpoints
|
||||
|
||||
if (flowState.IsRegistration)
|
||||
{
|
||||
// ── Registration flow: confidential client exchange (OIDC app + secret) ──
|
||||
var oidcClientId = config["Oidc:ClientId"]!;
|
||||
var oidcClientSecret = config["Oidc:ClientSecret"]!;
|
||||
// ── Registration flow: public client exchange (PKCE only, no secret) ──
|
||||
var oidcClientId = config["Oidc:ClientId"]!;
|
||||
|
||||
var body = new Dictionary<string, string>
|
||||
{
|
||||
["grant_type"] = "authorization_code",
|
||||
["client_id"] = oidcClientId,
|
||||
["client_secret"] = oidcClientSecret,
|
||||
["code"] = code,
|
||||
["redirect_uri"] = o.RedirectUri,
|
||||
["code_verifier"] = flowState.CodeVerifier,
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
<Project Sdk="Microsoft.NET.Sdk.Web">
|
||||
<Project Sdk="Microsoft.NET.Sdk.Web">
|
||||
|
||||
<PropertyGroup>
|
||||
<TargetFramework>net10.0</TargetFramework>
|
||||
@@ -6,6 +6,7 @@
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
<RootNamespace>SharepointToolbox.Web</RootNamespace>
|
||||
<NoWarn>$(NoWarn);NU1701;CS0618</NoWarn>
|
||||
<UserSecretsId>ab5b666b-ca8d-4799-90ee-ec5e23658112</UserSecretsId>
|
||||
</PropertyGroup>
|
||||
|
||||
<ItemGroup>
|
||||
|
||||
Reference in New Issue
Block a user