From b7061867f167eee064852294f69c329dae553a60 Mon Sep 17 00:00:00 2001
From: kawa
Date: Tue, 2 Jun 2026 12:04:09 +0200
Subject: [PATCH] Register created app as public client (fix connect AADSTS7000218)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The per-client app registered its redirect URI under the `web` platform, so Entra treated it as a confidential client and the connect token exchange (PKCE, no secret) failed with AADSTS7000218 (client_secret required). Register the redirect under `publicClient` instead — matching the desktop reference (PublicClient.RedirectUris) — so the secretless PKCE code redemption is accepted.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 Services/Auth/AppRegistrationService.cs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Services/Auth/AppRegistrationService.cs b/Services/Auth/AppRegistrationService.cs
index cb69e45..ee75fb2 100644
--- a/Services/Auth/AppRegistrationService.cs
+++ b/Services/Auth/AppRegistrationService.cs
@@ -47,7 +47,11 @@ public class AppRegistrationService : IAppRegistrationService
 displayName = $"SP Toolbox — {tenantName}",
 signInAudience = "AzureADMyOrg",
 isFallbackPublicClient = true,
- web = new { redirectUris = new[] { redirectUri } },
+ // Register the redirect under the PUBLIC client platform so the connect
+ // flow can redeem the auth code with PKCE only (no client secret). A
+ // redirect under `web` makes Entra treat the app as confidential and the
+ // token exchange fails with AADSTS7000218 (secret required).
+ publicClient = new { redirectUris = new[] { redirectUri } },
 requiredResourceAccess = new[]
 {
 new
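Review bot: With the redirect now registered explicitly under `publicClient`, the `isFallbackPublicClient = true` context line just above the added lines is no longer what makes the PKCE code redemption work; that flag only governs how Entra classifies the app when a request carries no redirect URI at all, so unless such a flow is intended it should be dropped, or else annotated with `// fallback only matters for flows that send no redirect URI; the connect flow relies on publicClient above` so the two settings do not read as contradictory. Separately, this hunk only changes the creation payload: if the service reuses a registration created by an earlier version (not visible here), that app still carries its URI under `web` and will keep failing with AADSTS7000218 until it is patched to `publicClient`, which is worth handling or at least noting next to the new comment. The anonymous-object initializer and the method that builds it both start and end outside the hunk.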