Register created app as public client (fix connect AADSTS7000218)

The per-client app registered its redirect URI under the `web` platform, so Entra treated it as a confidential client and the connect token exchange (PKCE, no secret) failed with AADSTS7000218 (client_secret required). Register the redirect under `publicClient` instead — matching the desktop reference (PublicClient.RedirectUris) — so the secretless PKCE code redemption is accepted. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-02 12:04:09 +02:00
parent bcced08caf
commit b7061867f1
1 changed files with 5 additions and 1 deletions
@@ -47,7 +47,11 @@ public class AppRegistrationService : IAppRegistrationService
            displayName         = $"SP Toolbox — {tenantName}",
            signInAudience      = "AzureADMyOrg",
            isFallbackPublicClient = true,
-            web = new { redirectUris = new[] { redirectUri } },
+            // Register the redirect under the PUBLIC client platform so the connect
+            // flow can redeem the auth code with PKCE only (no client secret). A
+            // redirect under `web` makes Entra treat the app as confidential and the
+            // token exchange fails with AADSTS7000218 (secret required).
+            publicClient = new { redirectUris = new[] { redirectUri } },
            requiredResourceAccess = new[]
            {
                new