Register created app as public client (fix connect AADSTS7000218)

The per-client app registered its redirect URI under the `web` platform,
so Entra treated it as a confidential client and the connect token
exchange (PKCE, no secret) failed with AADSTS7000218 (client_secret
required). Register the redirect under `publicClient` instead — matching
the desktop reference (PublicClient.RedirectUris) — so the secretless
PKCE code redemption is accepted.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-02 12:04:09 +02:00
parent bcced08caf
commit b7061867f1
@@ -47,7 +47,11 @@ public class AppRegistrationService : IAppRegistrationService
displayName = $"SP Toolbox — {tenantName}", displayName = $"SP Toolbox — {tenantName}",
signInAudience = "AzureADMyOrg", signInAudience = "AzureADMyOrg",
isFallbackPublicClient = true, isFallbackPublicClient = true,
web = new { redirectUris = new[] { redirectUri } }, // Register the redirect under the PUBLIC client platform so the connect
// flow can redeem the auth code with PKCE only (no client secret). A
// redirect under `web` makes Entra treat the app as confidential and the
// token exchange fails with AADSTS7000218 (secret required).
publicClient = new { redirectUris = new[] { redirectUri } },
requiredResourceAccess = new[] requiredResourceAccess = new[]
{ {
new new
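Review bot: this hunk only changes the payload for registrations created from now on; any tenant whose app was already registered by the removed `web = new { redirectUris = new[] { redirectUri } }` line still has its redirect on the `web` platform and will keep failing connect with AADSTS7000218 until that existing application object is updated to move the URI under `publicClient`. Consider adding an update path for existing registrations (or at least documenting the manual fix) alongside this change. It would also help to extend the new comment to say whether `isFallbackPublicClient = true` is still required now that the redirect is explicitly registered on the public client platform, so a later reader does not drop one setting assuming the other covers it.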