Azure AD B2C: Clients must send a client_secret when redeeming a confidential grant
I try to setup authentification for an Angular app using authorization code and Azure AD B2C (oidc-client on client side), but I'm getting these errors from Angular:
After looking in B2C audit logs, I found this error message:
Clients must send a client_secret when redeeming a confidential grant.
Here's my client side configuration:
const settings = {
stsAuthority: 'https://supportodqqcdev.b2clogin.com/supportodqqcDev.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SignUpSignInOdqPlatine',
clientId: '8447df5b-35a0-40a7-944f-5dcce87a2193',
clientRoot: 'https://localhost:4200',
scope: 'openid https://supportodqqcDev.onmicrosoft.com/platineclientdev/read',
};
this.userManager = new UserManager({
authority: settings.stsAuthority,
client_id: settings.clientId,
redirect_uri: `${settings.clientRoot}/signin-callback`,
scope: settings.scope,
response_type: 'code',
post_logout_redirect_uri: `${settings.clientRoot}/signout-callback`,
automaticSilentRenew: true,
silent_redirect_uri: `${settings.clientRoot}/assets/signin-silent-callback.html`,
});
If I switch the above configuration to use a local IdentityServer instance, everthings works has expected.
Is someone able to point me out where or how I should investigate this?
I had the exact same issue as you and was just able to resolve it.
AD is requesting the client_secret from you, because it isn't configured for PKCE yet. To tell AD that you want to use PKCE for a specific redirect url you need to set its type from 'Web' to 'Spa'. This can be done in the manifest.
Search for the property replyUrlsWithType in the Manifest and look for your .../signin-callback url. Change its type to 'Spa' and you should be good.
eg.:
"replyUrlsWithType": [
{
"url": "http://localhost:8080/signin-callback",
"type": "Spa"
},
]
The configured url will now disappear from your Authorization page but thats ok -> it's still present in the Manifest. The MS team is working on this new type.
Also make sure you marked your application as a public client.
For more information, see my answer here: Is Active Directory not supporting Authorization Code Flow with PKCE?
- Style Indeterminate Checkboxes in Angular Material
- Array of data showing in console but not in HTML after passing it through dialog in Angular project
- Angular Font Awesome in a component library - FontAwesome: Could not find icon with iconName=times and prefix=fas
- Angular and contenteditable
- Angular D3 tree does not collapse back into its parent
- How to work with leaflet polyline's context menu
- Is it possible have working Angular i18next multilingual translations after page reload and without component lazy loading?
- How do I auto scroll in Angular?
- QR Scan in Angular
- Angular material: create a divider between mat-tab-labels
- Customize third party directive's implementation without forking
- How to run your project without hash in Angular
- In Angular 17, trying to clean an input after the user arrives in the page via back button generates non-coherent values
- How to upgrade TailwindCSS?
- Angular forms with signals (making it ready for zoneless change detection)
- changing element in ngOnInit not working when changing route, but is able to access element
- this.dialogRef.close is not a function Angular 19
- Using Angular Signals with HostBinding to update style?
- TypeScript-'s Angular Framework Error - "There is no directive with exportAs set to ngForm"
- Angular can't find toggle function in model
- Angular 19 - Component AppComponent is standalone, and cannot be declared in an NgModule
- p-dropdown does not display correct label when ngModel variable is an object
- Ionic Capacitor Google Maps error (@capacitor/google-maps)
- Angular currency pipe without value
- How to figure out which Angular unit test caused an error
- Ngx-color picker issue with data value in reactive forms
- Angular module loading children, child route is not initialising on router.navigate
- import {saveAs} from 'file-saver': CommonJS or AMD dependencies can cause optimization bailouts
- How to import highcharts-more
- Custom directive and [ngClass] on same element does not work