From 0a0c59319fa80758a107d66c5580e83353d5b1c1 Mon Sep 17 00:00:00 2001
From: kawa
Date: Tue, 2 Jun 2026 11:29:19 +0200
Subject: [PATCH] Make Entra app-registration flow secretless (public PKCE)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The register flow exchanged the auth code as a confidential client (Oidc:ClientId + Oidc:ClientSecret), requiring a pre-provisioned backing app with a secret. Drop client_secret from the exchange so it uses PKCE only — the backing app is now a public client and no secret touches the client-tenant register/connect flows.

The toolbox's own OIDC sign-in still uses Oidc:ClientSecret (unchanged).

Also enable user-secrets (UserSecretsId) so Oidc config stays out of the committed appsettings.json.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 Infrastructure/OAuth/OAuthEndpoints.cs | 6 ++----
 SharepointToolbox.Web.csproj | 3 ++-
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/Infrastructure/OAuth/OAuthEndpoints.cs b/Infrastructure/OAuth/OAuthEndpoints.cs
index b8ce9f4..f3206a4 100644
--- a/Infrastructure/OAuth/OAuthEndpoints.cs
+++ b/Infrastructure/OAuth/OAuthEndpoints.cs
@@ -133,15 +133,13 @@ public static class OAuthEndpoints
 if (flowState.IsRegistration)
 {
- // ── Registration flow: confidential client exchange (OIDC app + secret) ──
- var oidcClientId = config["Oidc:ClientId"]!;
- var oidcClientSecret = config["Oidc:ClientSecret"]!;
+ // ── Registration flow: public client exchange (PKCE only, no secret) ──
+ var oidcClientId = config["Oidc:ClientId"]!;
 var body = new Dictionary
 {
 ["grant_type"] = "authorization_code",
 ["client_id"] = oidcClientId,
- ["client_secret"] = oidcClientSecret,
 ["code"] = code,
 ["redirect_uri"] = o.RedirectUri,
 ["code_verifier"] = flowState.CodeVerifier,
diff --git a/SharepointToolbox.Web.csproj b/SharepointToolbox.Web.csproj
index 74cffba..b19ffe3 100644
--- a/SharepointToolbox.Web.csproj
+++ b/SharepointToolbox.Web.csproj
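Review bot: The new `var oidcClientId = config["Oidc:ClientId"]!;` keeps the null-forgiving `!`, so a missing setting is not caught up front but shows up only when Entra rejects a token request carrying an empty `client_id` — a more likely misconfiguration now that this commit moves the Oidc section into user-secrets; prefer `var oidcClientId = config["Oidc:ClientId"] ?? throw new InvalidOperationException("Oidc:ClientId is not configured");`. With `client_secret` gone, the only thing protecting this exchange against a leaked or intercepted authorization code is `flowState.CodeVerifier`, so wherever `flowState` is issued and looked up (outside this hunk) the verifier must be CSPRNG-generated, kept server-side, and the entry consumed once — please confirm. Entra will, as far as I know, reject a secretless exchange (AADSTS7000218, "client_assertion or client_secret required") unless `o.RedirectUri` is registered on a public-client platform or "Allow public client flows" is enabled on the backing app; that is an app-registration change the message describes but the diff cannot show, so a comment above the body such as `// Backing app must be a public client (public-client redirect URI or allowPublicClient); Entra returns AADSTS7000218 otherwise.` would save the next person a confusing failure. The enclosing handler starts and ends outside the hunk.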
@@ -1,4 +1,4 @@ - + net10.0 @@ -6,6 +6,7 @@ enable SharepointToolbox.Web $(NoWarn);NU1701;CS0618 + ab5b666b-ca8d-4799-90ee-ec5e23658112
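Review bot: The added `UserSecretsId` only causes the default host builder to load the user-secrets provider in the Development environment, and the `dotnet user-secrets` store it points to is a plaintext `secrets.json` under the user profile, so the commit message's "Oidc config stays out of the committed appsettings.json" holds for local development only. Production deployments still need `Oidc:ClientSecret` for the toolbox's own sign-in supplied through environment variables or a managed secret store, and nothing in this change says so; a comment next to the property, e.g. `<!-- Development only: Oidc:* comes from dotnet user-secrets, never appsettings.json; production must supply it via environment or Key Vault. -->`, would keep the secret from being dropped into appsettings on a server. The GUID itself is not sensitive and is fine to commit. This hunk's XML tags and trailing context appear stripped in this rendering, so the end of the PropertyGroup is not visible here.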